<div dir="ltr"><div>Tom, <br></div><div><br></div><div>Given you raised the concern in the first place - is there a specific document - section of FAPI 2.0 spec you are referring to? This article seems rather broad. It's up to the organization to do their own risk assessment - preferably based on recognized frameworks NIST/ISO etc. Given many of us have experience with this type of analysis - what are you comparing it to? <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 2:01 PM Tom Jones <<a href="mailto:thomasclinganjones@gmail.com">thomasclinganjones@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">not in this forum - it is not appropriate.<br clear="all"><div><div dir="ltr"><div dir="ltr"><div>Peace ..tom</div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 10:51 AM Daniel Fett <<a href="mailto:fett@danielfett.de" target="_blank">fett@danielfett.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <div><a href="https://cacm.acm.org/magazines/2020/4/243625-why-is-cybersecurity-not-a-human-scale-problem-anymore/fulltext" target="_blank">https://cacm.acm.org/magazines/2020/4/243625-why-is-cybersecurity-not-a-human-scale-problem-anymore/fulltext</a></div>
    <div><br>
    </div>
    <div>Could you please elaborate in which way
      this article criticizes the attacker model used in formal protocol
      security analyses? This critique must then apply equally for the
      way in which TLS 1.3 was designed and evaluated (see, e.g., <a href="https://tools.ietf.org/html/rfc8446#appendix-E" target="_blank">https://tools.ietf.org/html/rfc8446#appendix-E</a>). <br>
    </div>
    <div><br>
    </div>
    <div>-Daniel<br>
    </div>
    <div><br>
    </div>
    <div>On 21.04.20 at 19:41, Tom Jones wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">DOI:10.1145/3347144.  CACM 63 no 4 p 30ff<br clear="all">
        <div>
          <div dir="ltr">
            <div dir="ltr">
              <div>Peace ..tom</div>
            </div>
          </div>
        </div>
        <br>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Tue, Apr 21, 2020 at 10:38
          AM Daniel Fett <<a href="mailto:fett@danielfett.de" target="_blank">fett@danielfett.de</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div bgcolor="#FFFFFF">
            <div>On 21.04.20 at 18:30, Tom Jones wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="auto">Well, I am a member of the FAPI wg and do
                not like their current direction. Specifically I
                strongly disagree with Fett's attack model which has
                come under increasing attack in, for example, the current
                issue of the CACM.<br>
              </div>
            </blockquote>
            <p>Which article?<br>
            </p>
          </div>
          _______________________________________________<br>
          Openid-specs-heart mailing list<br>
          <a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
          <a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div>

</blockquote></div>
</blockquote></div>