An important point, which I think should be captured in the security consideration section.

Igor

Torsten Lodderstedt wrote:
what about guessing/brute force attacks on the code? Suppose an authorization server issuing tokens for a client w/o secret. Then the number of attempts needed to obtain a token issued to that client only depends on the length and randomness of the code. Should the spec state something about that?

regards,
Torsten.

We're trying to design around transport security with short expiration and single use tokens. SSL solves the problem.

-----Original Message-----
From: Brian Eaton [mailto:bea...@google.com]
Sent: Wednesday, July 14, 2010 1:35 PM
To: William Mills
Cc: Eran Hammer-Lahav; OAuth WG
Subject: Re: [OAUTH-WG] single use authorization codes

On Wed, Jul 14, 2010 at 11:58 AM, William Mills <wmi...@yahoo-inc.com> wrote:
If I can see things go by on the fly I can submit the token late and mess with the user by revoking their session.
Meh.

If the best the attacker can do in those circumstances is
DOS, we're in good shape.

Bear in mind that if we do nothing, the attacker can probably
get the user's data.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

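Torsten's point is that for a public client (no client secret) the code itself is the only thing standing between a guesser and a token, so the attacker's odds are attempts made within the code's lifetime divided by the size of the code space. The published spec eventually said so: RFC 6749 section 10.10 requires the probability of guessing a code or token to be at most 2^-128 and recommends 2^-160. The following is an added example, not code from this thread or from any OAuth implementation; the code store, its hashing of issued codes, and the 60-second default lifetime are illustrative assumptions. It models an authorization server that issues single-use, short-lived codes bound to a client and redirect URI, computes the guessing probability for a given code length, and runs a brute-force enumeration to show that a 16-bit code falls immediately while a 256-bit one does not.

```python
"""Authorization-code guessing model for a public OAuth client.

Added example, not from the mailing-list thread. AuthorizationCodeStore is a
hypothetical server back end written only to illustrate the trade-off.
"""
import hashlib
import secrets
import time


def code_entropy_bits(code_bytes: int) -> int:
    """A code built from n uniformly random bytes carries 8*n bits of entropy."""
    return 8 * code_bytes


def guess_success_probability(code_bytes: int, attempts_per_second: float,
                              lifetime_seconds: float) -> float:
    """Chance of hitting one outstanding code before it expires.

    Each guess succeeds with probability 2**-bits; short expiration bounds the
    number of guesses, randomness sets the odds of each one.
    """
    attempts = attempts_per_second * lifetime_seconds
    return min(1.0, attempts / 2 ** code_entropy_bits(code_bytes))


class AuthorizationCodeStore:
    """Issues single-use, short-lived codes bound to a client and redirect URI."""

    def __init__(self, code_bytes: int = 32, lifetime_seconds: float = 60.0):
        self.code_bytes = code_bytes          # 32 bytes = 256 bits of entropy
        self.lifetime = lifetime_seconds      # assumed lifetime for this example
        self._pending = {}  # sha256(code) -> (client_id, redirect_uri, issued_at)

    @staticmethod
    def _key(code: str) -> str:
        # Store a hash so a leaked database does not hand out redeemable codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, client_id: str, redirect_uri: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_bytes(self.code_bytes).hex()
        self._pending[self._key(code)] = (client_id, redirect_uri, now)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str,
               now: float = None):
        """Return a token dict on success, None otherwise.

        pop() makes the code single use: a wrong client, wrong redirect URI or
        an expired code all burn the code, so a replayed or guessed code can at
        worst deny the legitimate client its token, not obtain one.
        """
        now = time.time() if now is None else now
        record = self._pending.pop(self._key(code), None)
        if record is None:
            return None
        issued_client, issued_uri, issued_at = record
        if now - issued_at > self.lifetime:
            return None
        if issued_client != client_id or issued_uri != redirect_uri:
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def brute_force(store: AuthorizationCodeStore, client_id: str,
                redirect_uri: str, max_attempts: int, now: float = None):
    """Enumerate codes of the store's length, returning (attempts, token or None)."""
    space = 256 ** store.code_bytes
    attempts = 0
    for i in range(min(max_attempts, space)):
        attempts += 1
        guess = i.to_bytes(store.code_bytes, "big").hex()
        token = store.redeem(guess, client_id, redirect_uri, now=now)
        if token is not None:
            return attempts, token
    return attempts, None


if __name__ == "__main__":
    # Constructed demo: a deliberately weak 2-byte code versus a 32-byte code.
    weak = AuthorizationCodeStore(code_bytes=2, lifetime_seconds=3600)
    weak.issue("public-app", "https://client.example/cb", now=0.0)
    print("16-bit code:", brute_force(weak, "public-app",
                                      "https://client.example/cb", 65536, now=1.0))
    strong = AuthorizationCodeStore(code_bytes=32)
    strong.issue("public-app", "https://client.example/cb", now=0.0)
    print("256-bit code:", brute_force(strong, "public-app",
                                       "https://client.example/cb", 100000, now=1.0))
    print("P(guess, 16-bit, 1000/s, 60s):", guess_success_probability(2, 1000, 60))
```

The enumeration over the 2-byte space is exhaustive and always recovers the pending code, after which the legitimate client's redemption fails: exactly the "attacker can only DOS" outcome Brian describes once the code is single use. With 32 random bytes the same loop, even at millions of attempts per second for the code's lifetime, never gets near the space, which is what the length-and-randomness requirement buys on top of TLS.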