On Apr 28, 1:25 pm, Josh Roesslein <jroessl...@gmail.com> wrote:
> On Tue, Apr 28, 2009 at 1:12 PM, Brian Eaton <bea...@google.com> wrote:
>
> > For apps that can't receive callback URLs, you need a PIN.
>
> Yes, we will need to manually pass the callback secret to the application
> (aka the pin).
>
> I think the solution of signed callbacks w/ a callback secret adequately
> closes the security hole
> while not drastically changing the protocol or the user experience. In fact
> the user won't even be aware of any of these changes
> unless the application required the transfer of the pin (the callback
> secret). Before, all they had to do was notify the application.
>
> This solution is quick to implement and can be deployed in a timely manner
> to close this session fixation flaw.
> We can continue working on a future spec that can change the flow some more
> or add additional security, but for now we should focus on the current
> security threat.
> Tackle one issue at a time.
I'd agree on all of this -- it fixes the session fixation flaw and it
can be implemented more easily than other solutions. My advocating of a
possible PIN or other human-enabled-state mechanism can be worked
on as a later spec or an extension to this one if there is sufficient
interest. It needn't hold up this process if folks do not want to go
that route.
--peter
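As an added illustration (not code from this thread or from any OAuth library), a toy service provider implementing the approach under discussion: when the user authorizes, the provider mints a fresh secret bound to that request token, delivers it through the callback (or shows it as a PIN when the application cannot receive callbacks), and refuses the access-token exchange unless the consumer presents it. OAuth 1.0a later standardized this value as oauth_verifier; the class, URL and key names below are assumptions.

```python
import secrets
import hmac
from urllib.parse import urlparse, parse_qs

class ServiceProvider:
    """Toy provider with the callback-secret / PIN fix (hypothetical, not a real library)."""

    def __init__(self):
        self._request_tokens = {}  # request token -> state

    def issue_request_token(self, consumer_key, callback_url):
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = {"consumer": consumer_key, "callback": callback_url,
                                       "authorized": False, "verifier": None}
        return token

    def authorize(self, token):
        """Resource owner approves: mint an unguessable secret bound to this token.
        Returns (redirect_url_or_None, pin). With no callback the user carries the PIN."""
        entry = self._request_tokens[token]
        entry["authorized"] = True
        entry["verifier"] = secrets.token_urlsafe(8)
        if entry["callback"] is None:
            return None, entry["verifier"]
        return (f"{entry['callback']}?oauth_token={token}"
                f"&oauth_verifier={entry['verifier']}", entry["verifier"])

    def exchange(self, token, verifier):
        """Access-token step: only the party holding the callback secret may complete it."""
        entry = self._request_tokens.get(token)
        if entry is None or not entry["authorized"]:
            return None
        if not hmac.compare_digest(entry["verifier"], verifier or ""):
            return None  # authorized token alone is no longer enough
        del self._request_tokens[token]  # single use
        return "access-" + secrets.token_urlsafe(16)

def run_scenario(out_of_band):
    """Returns (exchange without secret, exchange with wrong secret, exchange with secret, reuse)."""
    sp = ServiceProvider()
    callback = None if out_of_band else "https://consumer.example/cb"  # constructed URL
    tok = sp.issue_request_token("consumer-key", callback)
    redirect, pin = sp.authorize(tok)
    # The secret reaches the consumer via the signed callback or via the user typing the PIN.
    verifier = pin if out_of_band else parse_qs(urlparse(redirect).query)["oauth_verifier"][0]
    missing = sp.exchange(tok, None)
    wrong = sp.exchange(tok, "not-the-secret")
    good = sp.exchange(tok, verifier)
    reuse = sp.exchange(tok, verifier)
    return missing, wrong, good, reuse
```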
You received this message because you are subscribed to the Google Groups
"OAuth" group.