[Openid-specs-fapi] [Bitbucket] Issue #123: Is it okay for request object URNs to be predictable? (openid/fapi)
issues-reply at bitbucket.org
Wed Sep 13 15:34:35 UTC 2017
Joseph Heenan created issue #123:
Is it okay for request object URNs to be predictable?<https://bitbucket.org/openid/fapi/issues/123/is-it-okay-for-request-object-urns-to-be>
FAPI part 2 7.1 currently says:
Note that `request_uri` can be either URL or URN.
If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.
This would seem to imply that if a URN is used it is okay for the URN to be predictable.
I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).
Component: Part 2: RW Security
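As an added illustration (not code from the issue, from the FAPI specification, or from the OpenID project), the following Python sketch shows what the quoted 7.1 requirement looks like on the authorization server side: every `request_uri` it hands out, whether rendered as a URL or as a URN, carries a CSPRNG-generated suffix, and the object is bound to the registering client and consumed exactly once. The base URL `https://as.example/request/`, the URN namespace `urn:example:request:` and the class and function names are assumptions made for the example.

```python
import secrets

# Assumed prefixes for this example; a real server would use its own
# endpoint and a registered URN namespace.
REQUEST_URI_BASE = "https://as.example/request/"
REQUEST_URN_PREFIX = "urn:example:request:"

# Bits of entropy per base64url character produced by secrets.token_urlsafe.
_BITS_PER_CHAR = 6


def reference_entropy_bits(request_uri: str) -> int:
    """Estimate the random entropy carried by a reference this store issued.

    Only the suffix after the known prefix is random, so a short or
    sequential identifier would score low here.
    """
    for prefix in (REQUEST_URI_BASE, REQUEST_URN_PREFIX):
        if request_uri.startswith(prefix):
            return len(request_uri[len(prefix):]) * _BITS_PER_CHAR
    return 0


class RequestObjectStore:
    """In-memory store of registered request objects keyed by request_uri.

    Constructed for the example; it is not a FAPI reference implementation.
    """

    def __init__(self) -> None:
        # request_uri -> (owning client_id, request object payload)
        self._objects: dict[str, tuple[str, dict]] = {}

    def register(self, client_id: str, request_object: dict,
                 use_urn: bool = False) -> str:
        # 32 bytes from the OS CSPRNG -> 43 base64url characters (~258 bits),
        # so neither the URL nor the URN form is guessable.
        token = secrets.token_urlsafe(32)
        prefix = REQUEST_URN_PREFIX if use_urn else REQUEST_URI_BASE
        request_uri = prefix + token
        self._objects[request_uri] = (client_id, request_object)
        return request_uri

    def consume(self, client_id: str, request_uri: str):
        """Return the request object once, only to the client that owns it.

        The owner check happens before deletion, so a request with the wrong
        client identity neither reveals nor burns someone else's reference.
        """
        entry = self._objects.get(request_uri)
        if entry is None or entry[0] != client_id:
            return None
        del self._objects[request_uri]  # one-time use
        return entry[1]


if __name__ == "__main__":
    store = RequestObjectStore()
    ref = store.register("client-a", {"scope": "openid"})
    print(ref, reference_entropy_bits(ref), "bits")
    print(store.consume("client-a", ref))   # the object, first use
    print(store.consume("client-a", ref))   # None, already consumed
```

The owner check before deletion is the part that addresses the DoS concern raised in the issue: even if a reference were somehow known to a third party, presenting it without the owning client's identity does not invalidate it for the legitimate client.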