[Openid-specs-fapi] Issue #504: Attacker Model - Browsers and Endpoints (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Tue Jun 28 07:40:27 UTC 2022
New issue 504: Attacker Model - Browsers and Endpoints
https://bitbucket.org/openid/fapi/issues/504/attacker-model-browsers-and-endpoints
Dave Tonge:
From an email from Nat:
Currently, the attacker model states:
* **Browsers and Endpoints:** Devices and browsers used by resource owners are considered not compromised. Other endpoints not controlled by an attacker behave according to the protocol.
This kind of deviates from the assumption for FAPI 1.0. We wanted to sign the requests and responses because the TLS breaks in the browser and can be tampered with. Is this captured elsewhere in the attacker model?