[Openid-specs-fapi] Issue #506: Explicit security target (openid/fapi)
Nat
issues-reply at bitbucket.org
Tue Jun 28 09:31:30 UTC 2022
New issue 506: Explicit security target
https://bitbucket.org/openid/fapi/issues/506/explict-security-target
Nat Sakimura:
When writing security and privacy considerations, explicit security and privacy assumptions and target would definitely help. Right now, we have attacker models but we do not have these.
We probably should have had it earlier. It would have made the formal verification easier. Now that security researchers are working on the formal model, perhaps we can just have a rough text on it and later replace it with what security researchers come up with.
One of the deficiencies of FAPI 1.0 is that we have not actually spelt out the security assumptions and target. We should make sure that we do it in FAPI 2.0.