<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Tom<div class=""><br class=""></div><div class="">Perhaps ‘mitigation’ is not the best word to use here - the intent is to see if there’s something that provides equivalent session integrity protection as PKCE that we would recommend for this particular case where PKCE can’t be used. I think that intent should be fairly uncontentious.</div><div class=""><br class=""></div><div class="">Thanks</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 13 Dec 2022, at 05:14, Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">There are 2000 new vulnerabilities posed by CISA every month. About 15% of those are severe.<div class=""> How is it that you think OIDF can be in the business of posting mitigations?</div><div class=""><div class=""><a href="https://www.cvedetails.com/vulnerabilities-by-types.php" class="">https://www.cvedetails.com/vulnerabilities-by-types.php</a></div><div class="">This is why I opposed the addition of attack models to the fapi docs. 
Now you are going down the same rathole?</div><div class="">These mitigations will be obsolete before the std is approved.</div><div class=""><br clear="all" class=""><div class=""><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><span style="background-color: rgb(242, 242, 242); font-family: -apple-system, system-ui, system-ui, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 14px; white-space: pre-wrap;" class=""> </span>..tom</div></div></div></div><br class=""></div></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 7, 2022 at 9:39 PM Kristina Yasuda via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">New issue 1750: PKCE and pre-auth code flow in VCI<br class="">
<a href="https://bitbucket.org/openid/connect/issues/1750/pkce-and-pre-auth-code-flow-in-vci" rel="noreferrer" target="_blank" class="">https://bitbucket.org/openid/connect/issues/1750/pkce-and-pre-auth-code-flow-in-vci</a><br class="">
<br class="">
Kristina Yasuda:<br class="">
<br class="">
(following <a href="https://bitbucket.org/openid/connect/pull-requests/372#comment-351680555" rel="noreferrer" target="_blank" class="">Joseph’s comment</a>) “I don’t think PKCE can be used with the pre-authorised code flow, we should probably explicitly state that (and perhaps mention alternative mitigations).”<br class="">
<br class="">
_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>