[Openid-specs-fapi] Security goals in FAPI_2_0_Attacker_Model.md
Nat Sakimura
nat at nat.consulting
Thu Nov 25 13:41:02 UTC 2021
Hi.
This is mainly to Daniel, but after re-reading the Attacker Model document,
I started to wonder if the "resource" stated in the security goal actually
includes the messages.
For example, if it is a payment, if the payment confirmation message was
tampered with, it would cause serious security issues. This was clearly one
of the goals for FAPI 1.0 and I believe that it needs to be covered. I am
guessing this aspect is indirectly covered by the Authorization goal, but I
was not sure. Let me know what you think.
Best,
--
Nat Sakimura
NAT.Consulting LLC