[Openid-specs-fapi] A question on the attacker model.
Nat Sakimura
nat at nat.consulting
Fri Jun 3 22:50:49 UTC 2022
Currently, the attacker model states:
- *Browsers and Endpoints:* Devices and browsers used by resource owners
are considered not compromised. Other endpoints not controlled by an
attacker behave according to the protocol.
This kind of deviates from the assumption for FAPI 1.0. We wanted to sign
the requests and responses because the TLS breaks in the browser and can be
tampered with. Is this captured elsewhere in the attacker model?
Best,
--
Nat Sakimura
NAT.Consulting LLC