On Mon, Apr 4, 2011 at 9:52 AM, Phil Hunt <phil.h...@oracle.com> wrote:
> As Prateek clarified in the previous message to Francisco, SAML also uses
> SHOULD, but artifact security is achieved by an additional
> counter-measure...
>
> The identity provider MUST ensure that only the service provider to whom
> the <Response> message has
> been issued is given the message as the result of an <ArtifactResolve>
> request.
>

The problem with the SAML comparison is that SAML does not attempt to address the problems of installed applications. That was all deferred to WS-Trust. OAuth2 does solve both the web app and installed app problems.

I think it's really important that we recognize that installed applications have a very different set of security problems than web sites. For example, for web sites we need to deal with the risk of RP compromise and all of the refresh tokens being stolen. That's not an issue for installed apps, because there is no central database of refresh tokens to compromise.

For installed apps, on the other hand, there is no good system for reliably identifying a client. For web apps we've got two separate good systems (same-origin policy and client secret) for identifying RPs.

One other interesting aspect of client applications is that it's very easy for client apps to use a protected channel to receive the callback URL. There is lively debate about which protected channel to use, but almost everyone agrees there is at least one good option.

If you redo your analysis from the perspective that client applications have different security risks than web applications, do you reach happier conclusions?

Cheers,
Brian
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
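The following is an added example, not code from the thread above or from any OAuth2 or SAML implementation. It models, in Python, the "only the party a grant was issued to may redeem it" rule that the quoted SAML text states for artifacts and that an OAuth2 token endpoint applies to authorization codes, and it shows the asymmetry Brian describes: a confidential (web) client is identified by its client_secret, so a leaked code is useless without it, while a public (installed) client has no secret, so the server can only bind the code to the client_id and the registered redirect_uri, and an impostor presenting the same pair is indistinguishable from the real app. That gap is what delivering the callback over a protected channel is meant to close. The class names (AuthServer, Client, IssuedCode), the client ids, redirect URIs and secret are all constructed for this example.

```python
"""Toy OAuth2 authorization-code exchange: confidential vs. public clients.

Added example; assumptions: client ids, redirect URIs and the secret below
are constructed, and the error strings follow the OAuth2 'invalid_client' /
'invalid_grant' naming only by convention.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Client:
    client_id: str
    redirect_uris: Set[str]
    client_secret: Optional[str] = None  # None => public (installed) client

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


@dataclass
class IssuedCode:
    client_id: str      # client the code was issued to
    redirect_uri: str   # where the code was delivered
    used: bool = False  # single use: a replayed code is refused


class AuthServer:
    def __init__(self, clients):
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        self.codes: Dict[str, IssuedCode] = {}

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Authorization endpoint: only a registered redirect_uri may receive a code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise ValueError("invalid_request: unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = IssuedCode(client_id, redirect_uri)
        return code

    def token(self, client_id: str, code: str, redirect_uri: str,
              client_secret: Optional[str] = None) -> dict:
        """Token endpoint: release a token only to the client the code was issued to."""
        client = self.clients.get(client_id)
        issued = self.codes.get(code)
        if client is None or issued is None:
            return {"error": "invalid_grant"}
        if client.confidential:
            # Web app: possession of the secret identifies the client.
            if client_secret is None or not hmac.compare_digest(client_secret, client.client_secret):
                return {"error": "invalid_client"}
        # Installed app: the only binding available is client_id + redirect_uri,
        # which anyone who watched the callback can also present.
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri or issued.used:
            return {"error": "invalid_grant"}
        issued.used = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


WEB_SECRET = "s3cr3t-web"  # constructed for the example


def build_server() -> AuthServer:
    return AuthServer([
        Client("web-app", {"https://web.example/cb"}, WEB_SECRET),
        Client("installed-app", {"http://127.0.0.1:8765/cb"}),
    ])


def demo() -> dict:
    """Run the four cases and return the token endpoint's answer for each."""
    srv = build_server()
    out = {}
    # Web app: the code leaks to someone who does not hold the client secret.
    code = srv.authorize("web-app", "https://web.example/cb")
    out["web_without_secret"] = srv.token("web-app", code, "https://web.example/cb")
    out["web_with_secret"] = srv.token("web-app", code, "https://web.example/cb", WEB_SECRET)
    out["web_replay"] = srv.token("web-app", code, "https://web.example/cb", WEB_SECRET)
    # Installed app: an impostor that saw the callback presents the same client_id
    # and redirect_uri; the server has nothing else to check.
    code = srv.authorize("installed-app", "http://127.0.0.1:8765/cb")
    out["installed_impostor"] = srv.token("installed-app", code, "http://127.0.0.1:8765/cb")
    # An unregistered redirect_uri never receives a code at all.
    try:
        srv.authorize("installed-app", "http://evil.example/cb")
        out["bad_redirect"] = "accepted"
    except ValueError:
        out["bad_redirect"] = "rejected"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "installed_impostor" case succeeding is the point, not a bug in the model: with no secret to verify, the token endpoint cannot tell the genuine installed app from another process on the same machine that presents the same client_id and redirect_uri, so the code itself has to be protected on its way to the app.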