[OpenID-specs-EAP] EAP Working Group Call Sep 15, 2016
Brian Campbell
bcampbell at pingidentity.com
Thu Sep 15 16:51:01 UTC 2016
EAP Working Group Call Sep 15, 2016
Brian Campbell
John Bradley
Some discussion on OpenID Connect Token Bound Authentication 1.0
<http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html> - draft 00
While the document talks about downgrade attacks, there isn't currently
sufficient information available to detect a downgrade. Knowing whether the
other participants support token binding isn't enough - you'd need to know
which key parameters types are supported by each participant. The
rp_id_token_token_binding_supported and op_id_token_token_binding_supported
metadata values are only true/false, and negotiation with the user agent
only indicates the one agreed-upon key parameters type, not the set of key
parameters that the user agent can support.
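Added example, not part of the original message or of the draft: a sketch of why the true/false metadata cannot reveal a key parameters downgrade, next to a check that could if each participant published the set of types it supports. The set-valued inputs, the STRENGTH ranking and the function names are assumptions made for illustration; the type names are the Token Binding protocol's key parameters identifiers.

```python
# Added illustration; not code from the draft or the working group.
# STRENGTH is an assumed local policy ranking (higher = preferred).
STRENGTH = {"rsa2048_pkcs1.5": 0, "rsa2048_pss": 1, "ecdsap256": 2}


def check_with_booleans(peer_supported, negotiated):
    """All that true/false metadata allows: was binding present at all?"""
    if peer_supported and negotiated is None:
        return "absent"          # binding missing although peer advertises it
    return "undetermined"        # the negotiated type cannot be judged


def check_with_sets(ua_types, peer_types, negotiated):
    """Hypothetical check if every party published its supported set."""
    common = set(ua_types) & set(peer_types)
    if negotiated is None:
        return "downgrade: binding stripped" if common else "ok"
    if negotiated not in common:
        return "invalid: type not mutually supported"
    best = max(common, key=lambda t: STRENGTH.get(t, -1))
    if STRENGTH.get(negotiated, -1) < STRENGTH.get(best, -1):
        return f"downgrade: {best} was available"
    return "ok"


# Constructed scenarios: same boolean metadata, same negotiated type.
NEGOTIATED = "rsa2048_pkcs1.5"
LEGIT = {"ua": ["rsa2048_pkcs1.5"],
         "op": ["rsa2048_pkcs1.5", "ecdsap256"]}
DOWNGRADED = {"ua": ["ecdsap256", "rsa2048_pkcs1.5"],
              "op": ["rsa2048_pkcs1.5", "ecdsap256"]}

if __name__ == "__main__":
    for name, s in (("legit", LEGIT), ("downgraded", DOWNGRADED)):
        print(name,
              "| booleans:", check_with_booleans(True, NEGOTIATED),
              "| sets:", check_with_sets(s["ua"], s["op"], NEGOTIATED))
```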