[Openid-specs-fapi] Issue #678: (ed) Privacy considerations is a top level clause while Security considerations is a second level subclause (openid/fapi)

Nat issues-reply at bitbucket.org
Wed Mar 13 09:51:33 UTC 2024


New issue 678: (ed) Privacy considerations is a top level clause while Security considerations is a second level subclause
https://bitbucket.org/openid/fapi/issues/678/ed-privacy-considerations-is-a-top-level

Nat Sakimura:

Currently, they are: 

* [5.7](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7).  [Security considerations](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-security-considerations)

* [6](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-6).  [Privacy considerations](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-privacy-considerations)

They probably should be 

* 6.  [Security considerations](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-security-considerations)

    * [5.7.1](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.1).  [Access token lifetimes](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-access-token-lifetimes)
    * [5.7.2](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.2).  [DPoP proof replay](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-dpop-proof-replay)
    * [5.7.3](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.3).  [JWKS URIs](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-jwks-uris)
    * [5.7.4](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.4).  [Duplicate key identifiers](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-duplicate-key-identifiers)
    * [5.7.5](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.5).  [Injection of stolen access tokens](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-injection-of-stolen-access-)
    * [5.7.6](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.6).  [Authorization request leaks lead to CSRF](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-authorization-request-leaks)
    * [5.7.7](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.7).  [Browser-swapping attacks](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-browser-swapping-attacks)
    * [5.7.8](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.7.8).  [Incomplete or incorrect implementations of the specifications](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-incomplete-or-incorrect-imp)
    

* 7.  [Privacy considerations](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-privacy-considerations)
