[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Brian Campbell bcampbell at pingidentity.com
Sat Apr 23 12:03:31 UTC 2016


Just noticed a typo in my previous message. I meant to write "omission"
rather than "commission" there. Should have said:

My view is still that the attack is enabled by an *omission* in OAuth of
the AS identifying itself in the authorization response. I think the fix
should be at that layer too. Progress in the OAuth WG isn't exactly
promising though...

On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt <
torsten at lodderstedt.net> wrote:

> On 15.04.2016 at 19:05, Brian Campbell wrote:
>
>> My view is still that the attack is enabled by an commission in OAuth of
>> the AS identifying itself in the authorization response. I think the fix
>> should be at that layer too. Progress in the OAuth WG isn't exactly
>> promising though...
>>
> Why don't we bring this discussion to the OAuth WG? It's nearly the same
> group of people as on this list.
>
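The fix Brian argues for above is the AS identifying itself in the authorization response; the following is an added example, not code from this thread or from any OpenID specification, of the relying-party-side check that such identification enables. It assumes the AS returns its issuer URL in an `iss` query parameter (the mechanism later standardized in RFC 9207) and that the client records, per `state`, which AS it sent the request to; all URLs are constructed sample values.

```python
# Added example (not from the thread): a relying party's callback check that
# closes the "omission" discussed above by requiring the AS to identify itself
# in the authorization response (an `iss` parameter bound to the `state`).
import secrets
from urllib.parse import parse_qs, urlsplit

# Pending authorization requests, keyed by the opaque state value we issued.
# Maps state -> issuer URL of the AS the request was sent to (constructed store).
_pending: dict[str, str] = {}


def begin_authorization(issuer: str) -> str:
    """Record which AS we are about to redirect to; return the state to send."""
    state = secrets.token_urlsafe(32)
    _pending[state] = issuer
    return state


def check_authorization_response(redirect_url: str) -> tuple[bool, str]:
    """Return (accepted, reason). Reject responses whose sender does not match
    the AS the request was sent to, which is exactly the mix-up condition."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    state = params.get("state", [None])[0]
    if state is None or state not in _pending:
        return False, "unknown or missing state"
    expected_issuer = _pending.pop(state)  # one-time use: replays fail above
    iss = params.get("iss", [None])[0]
    if iss is None:
        # An AS that does not identify itself leaves the client unable to tell
        # which AS answered, so the response is treated as untrusted.
        return False, "response carries no iss parameter"
    if iss != expected_issuer:
        return False, f"iss mismatch: expected {expected_issuer}, got {iss}"
    if "code" not in params:
        return False, "no authorization code"
    return True, "ok"
```

A mixed-up response (code from the honest AS delivered under the attacker's `iss`, or with no `iss` at all) is refused before the client ever redeems the code at the wrong token endpoint.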

