[Openid-specs-fapi] Issue #51: Message source authentication failure - (openid/fapi)
Nat Sakimura
nat at sakimura.org
Thu Dec 8 14:08:21 UTC 2016
Agreed that wording can be improved. As to the correctness is concerned,
it is. Even if we do TLS mutual authentication, it only applies to the
Token Request and the Authorization Request is not source authenticated
as it goes through the browser redirect. Late binding of authentication
does not work here as it does not protect against injection attacks etc.
---
Nat Sakimura
Chairman, OpenID Foundation
On 2016-12-08 22:38, Dave Tonge via Openid-specs-fapi wrote:
> New issue 51: Message source authentication failure -
> https://bitbucket.org/openid/fapi/issues/51/message-source-authentication-failure
>
> Dave Tonge:
>
> https://bitbucket.org/openid/fapi/annotate/d4edc14c0b76155c97623edb521bfdc56afd64b7/Financial_API_WD_001.md?at=master&fileviewer=file-view-default#Financial_API_WD_001.md-297
>
> I think the wording of this paragraph could be improved. Also is this
> strictly correct? We recommend TLS mutual authentication which would
> allow authentication of part of the authorization flow?
>
>
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
More information about the Openid-specs-fapi
mailing list