On 4/28/09 8:41 AM, Hubert Le Van Gong wrote: > I also saw 2 additional ideas that might help > (and are not necessarily exclusive with the 2 proposals): > > (3) Make Request tokens one-time only > (4) Request that the user logs in at the Consumer before the request > token request
Requiring the user authenticate to the Consumer doesn't prevent the attack, as the attacker is a legitimate user of Consumer in the attack scenario. What I keep proposing is that the user must authenticate at the _Provider_ before the request token request. This would completely eliminate the attack in the scenario. And yes, making request tokens one-time only is a MUST, IMHO. -- Dossy Shiobara | do...@panoptic.com | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
