Francisco, you made a good point. However, the question is whether this belongs in the OAuth scope, since this is a general attack on a web app's session management.
I will incorporate the threat you described and the advice to use TLS into the OAuth security document.

regards, Torsten.

Sent with BlackBerry® Webmail from Telekom Deutschland

-----Original Message-----
From: Francisco Corella <fcore...@pomcor.com>
Sender: oauth-boun...@ietf.org
Date: Mon, 3 Jan 2011 22:11:05
To: <oauth@ietf.org>
Reply-To: fcore...@pomcor.com
Cc: Karen P. Lewison <kplewi...@pomcor.com>
Subject: [OAUTH-WG] TLS is needed for redirecting back to the client

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth