[Openid-specs-fapi] Issue #542: A7 Attacker Clarification (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Wed Sep 21 16:27:05 UTC 2022
New issue 542: A7 Attacker Clarification
https://bitbucket.org/openid/fapi/issues/542/a7-attacker-clarification
Dave Tonge:
From Tim
> One additional note: It should be clarified when/where the requests/responses leak. Following the section heading, I’d assume that they leak _at the RS_, e.g., a resource request leaks only _after_ the “honest” request arrived at the RS. This distinction is important when considering DPoP Proof Replay: If the attacker has a chance to use a leaked DPoP proof _before_ the honest request using that proof arrives at the RS, the RS cannot detect/prevent the attack (e.g., using DPoP nonces or the jti claim).
Responsible: Daniel Fett
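The ordering problem Tim describes, as an added simulation that is not part of the issue, of the FAPI specs or of any DPoP implementation: a resource server that applies the usual RFC 9449 replay defences (jti cache, server-issued nonce, htm/htu/ath binding, iat freshness) and two deliveries of the same leaked proof in either order. The proof is modelled as a dict of DPoP claims; JWS signature verification and the cnf.jkt key binding are assumed to have already succeeded (they are not modelled, since the replayed proof is a byte-for-byte copy and would pass them anyway). The token value, URIs and timestamps are constructed for the scenario.

```python
"""
Simulated DPoP-protected resource server showing why jti / nonce replay
detection only helps when the honest request reaches the RS *before* a
leaked copy of its proof.  Hypothetical example; claim names follow RFC 9449.
"""
import base64
import hashlib
import secrets
import uuid

TOKEN = "constructed-opaque-access-token"      # constructed sample value
URI = "https://rs.example/accounts"            # hypothetical resource URI


def _ath(access_token: str) -> str:
    """base64url(SHA-256(access_token)) as carried in the DPoP 'ath' claim."""
    digest = hashlib.sha256(access_token.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_proof(method: str, uri: str, access_token: str, iat: int, nonce: str) -> dict:
    """Claims of a DPoP proof; the JWS wrapper/signature is assumed verified."""
    return {"jti": str(uuid.uuid4()), "htm": method, "htu": uri,
            "iat": iat, "ath": _ath(access_token), "nonce": nonce}


class ResourceServer:
    def __init__(self, max_skew: int = 60):
        self.seen_jti: set[str] = set()        # replay cache keyed on jti
        self.issued_nonces: set[str] = set()   # DPoP-Nonce values we handed out
        self.max_skew = max_skew

    def new_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.issued_nonces.add(nonce)
        return nonce

    def handle(self, method: str, uri: str, access_token: str, proof: dict, now: int):
        """Return (status, reason). Signature and cnf.jkt checks assumed done."""
        if proof.get("htm") != method or proof.get("htu") != uri:
            return 401, "proof bound to a different method/URI"
        if proof.get("ath") != _ath(access_token):
            return 401, "proof not bound to this access token"
        if abs(now - proof["iat"]) > self.max_skew:
            return 401, "proof outside freshness window"
        if proof.get("nonce") not in self.issued_nonces:
            return 401, "missing or unknown server nonce"
        if proof["jti"] in self.seen_jti:
            return 401, "replayed proof (jti already seen)"
        # First sighting of this jti: the RS has no way to tell whether the
        # party presenting it is the honest client or someone holding a leak.
        self.seen_jti.add(proof["jti"])
        return 200, "ok"


def run_scenario(attacker_first: bool) -> dict:
    """Deliver one leaked proof twice; return the status each party received."""
    rs = ResourceServer()
    nonce = rs.new_nonce()
    proof = make_proof("GET", URI, TOKEN, iat=1000, nonce=nonce)
    leaked = dict(proof)   # attacker's byte-for-byte copy (constructed leak)

    def honest():
        return rs.handle("GET", URI, TOKEN, proof, now=1001)

    def attacker():
        return rs.handle("GET", URI, TOKEN, leaked, now=1001)

    if attacker_first:
        a, h = attacker(), honest()
    else:
        h, a = honest(), attacker()
    return {"honest": h[0], "attacker": a[0]}


def replay_to_other_endpoint():
    """Binding still helps: the leaked proof cannot be pointed at another URI."""
    rs = ResourceServer()
    proof = make_proof("GET", URI, TOKEN, iat=1000, nonce=rs.new_nonce())
    return rs.handle("GET", "https://rs.example/payments", TOKEN, proof, now=1001)


if __name__ == "__main__":
    print("honest request arrives first :", run_scenario(attacker_first=False))
    print("leaked proof arrives first   :", run_scenario(attacker_first=True))
    print("leaked proof, other endpoint :", replay_to_other_endpoint())
```

With the honest request first the jti cache rejects the replay; with the leak delivered first the attacker gets the 200 and the honest client is the one refused, which is exactly the case the RS cannot distinguish. The nonce does not change this, because the leaked proof already carries a valid, freshly issued nonce. What the RS still enforces is scope: the leaked proof is usable only for the one method, URI and access token it was minted for.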