Some people agreed.

It is very much an implementation detail, and either way, it is outside the 
scope of this specific security exploit (as is, we knew about it when we wrote 
the original spec). The spec includes the following language:

"The Request Token has never been exchanged for an Access Token."

I believe it is enough. It is common sense to expect servers to take security 
measures when requests fail.

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Hubert Le Van Gong
> Sent: Tuesday, May 12, 2009 8:02 AM
> To: oauth@googlegroups.com
> Subject: [oauth] Re: Request for new Security Considerations text
> 
> 
> If it has a "clear" security impact then I don't think it should be
> discarded as implementation detail.
> People on the list seemed to agree this was a must have so, if not in
> security consideration, it's probably important enough to make it to a
> Security Best Practices section or something akin to that.
> 
> Hubert
> 
> On Tue, May 12, 2009 at 4:26 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> >
> > That is an implementation detail. I am not sure how helpful it would
> > be to have a security consideration section about limiting the number
> > of allowed token exchange requests for a single request token.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> >> Of Hubert Le Van Gong
> >> Sent: Tuesday, May 12, 2009 3:26 AM
> >> To: oauth@googlegroups.com
> >> Subject: [oauth] Re: Request for new Security Considerations text
> >>
> >>
> >> If I remember correctly, we also talked of recommending or mandating
> >> one-time request tokens.
> >>
> >> Hubert
> >>
> >>
> >> On Wed, May 6, 2009 at 10:43 PM, Eran Hammer-Lahav
> >> <e...@hueniverse.com> wrote:
> >> >
> >> > We have identified a few new attack vectors since the spec was
> >> > originally written and would like to address them in the Security
> >> > Consideration section. Please reply with proposals for such texts.
> >> > Ideally we can reach some consensus on these by Fri, but if not, we can
> >> > add it a bit later since it doesn't affect the protocol directly.
> >> >
> >> > EHL
> >> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
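The two server-side measures debated in this thread, one-time request tokens and a cap on failed exchange attempts per request token, written out as token-store logic. This is an added example, not code from the thread or from the OAuth spec; it assumes a per-token verifier bound at user authorization and a limit of three failed attempts, neither of which the thread specifies, and treats request signature checking as already done.

```python
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

MAX_FAILED_EXCHANGES = 3  # assumed policy; the thread names no specific limit


@dataclass
class RequestToken:
    verifier: Optional[str] = None  # bound at user authorization (assumed mechanism)
    exchanged: bool = False         # spec condition: never exchanged for an Access Token
    failed_exchanges: int = 0
    revoked: bool = False


class TokenServer:
    """Server-side state for the request-token -> access-token exchange."""

    def __init__(self) -> None:
        self.request_tokens: dict = {}
        self.access_tokens: dict = {}  # access token -> request token it came from

    def issue_request_token(self) -> str:
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = RequestToken()
        return token

    def authorize(self, token: str) -> str:  # user approval step: bind a fresh verifier
        rt = self.request_tokens[token]
        rt.verifier = secrets.token_urlsafe(8)
        return rt.verifier

    def exchange(self, token: str, verifier: str) -> Optional[str]:
        """Return an access token, or None when the exchange must be refused."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.revoked:
            return None
        if rt.exchanged:
            # One-time request token: a repeat exchange is a replay signal, so revoke it.
            rt.revoked = True
            return None
        if rt.verifier is None or not hmac.compare_digest(rt.verifier, verifier):
            # Failed exchange: count it and lock the token once the limit is reached.
            rt.failed_exchanges += 1
            if rt.failed_exchanges >= MAX_FAILED_EXCHANGES:
                rt.revoked = True
            return None
        rt.exchanged = True
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = token
        return access_token
```

A token that is exchanged twice, or that fails the limit, is revoked outright rather than merely refused, so a consumer that triggers either path must start over with a new request token.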
