On 28/08/13 17:51, John Bradley wrote:
We probably don't want this secret that is used as confirmation of the code to 
be confused with a client secret that is bound to a client.
They are verified by different levels of the stack. One client_id may have
many instances all using different values of the code proof of possession
simultaneously.

So I prefer to eliminate the term client secret entirely.
OK

thanks, Sergey



On 2013-08-28, at 12:12 PM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

Hi,

Can you consider replacing "tcs" and "tcsh" with "temp_client_secret" and "temp_client_secret_hash"? In OAuth2 we have 
"client_id" and "client_secret" (e.g., in dyn reg), and having a temp variant of "client_secret" called "tcs" seems a bit 
cryptic to me :-), not a big issue though.

Sergey

On 30/07/13 16:36, Nat Sakimura wrote:
Hi.

I had to fix a few issues with the previous draft text.
No normative changes, but just removed some extra text.

Nat

---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: 2013/7/31
Subject: New Version Notification for draft-sakimura-oauth-tcse-01.txt
To: Nat Sakimura <sakim...@gmail.com>, John Bradley <jbrad...@pingidentity.com>,
Naveen Agarwal <n...@google.com>



A new version of I-D, draft-sakimura-oauth-tcse-01.txt
has been successfully submitted by Nat Sakimura and posted to the
IETF repository.

Filename:        draft-sakimura-oauth-tcse
Revision:        01
Title:           OAuth Transient Client Secret Extension for Public Clients
Creation date:   2013-07-30
Group:           Individual Submission
Number of pages: 7
URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-01.txt
Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-01

Abstract:
    The OAuth 2.0 public client utilizing the authorization code grant is
    susceptible to the code interception attack.  This specification
    describes a mechanism that acts as a control against this threat.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


2013/7/30 Nat Sakimura <sakim...@gmail.com>

    As some of you know, passing the authorization code securely to a
    native app on the iOS platform is next to impossible. A malicious
    application may register the same custom scheme as the victim
    application and hope to obtain the code, and its success rate is
    rather high.

    We discussed this during the OpenID Connect meeting at IETF 87 on
    Sunday, and over a lengthy thread on the OpenID AB/Connect work group
    list. I have captured the discussion in the form of an I-D. It is
    pretty short and hopefully easy to read.

    IMHO, although it came up as an issue in OpenID Connect, this is
    quite a useful extension to OAuth 2.0 in general.

    Best,

    Nat Sakimura

    ---------- Forwarded message ----------
    From: <internet-dra...@ietf.org>
    Date: 2013/7/30
    Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
    To: Nat Sakimura <sakim...@gmail.com>, John Bradley <jbrad...@pingidentity.com>,
    Naveen Agarwal <n...@google.com>



    A new version of I-D, draft-sakimura-oauth-tcse-00.txt
    has been successfully submitted by Nat Sakimura and posted to the
    IETF repository.

    Filename:        draft-sakimura-oauth-tcse
    Revision:        00
    Title:           OAuth Transient Client Secret Extension for Public
    Clients
    Creation date:   2013-07-29
    Group:           Individual Submission
    Number of pages: 7
    URL:
    http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
    Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
    Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00


    Abstract:
        The OAuth 2.0 public client utilizing the code flow is susceptible
        to the code interception attack.  This specification describes a
        mechanism that acts as a control against this threat.





    Please note that it may take a couple of minutes from the time of
    submission until the htmlized version and diff are available at
    tools.ietf.org.

    The IETF Secretariat




    --
    Nat Sakimura (=nat)
    Chairman, OpenID Foundation
    http://nat.sakimura.org/
    @_nat_en




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
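To make the mechanism under discussion concrete, here is an added example (not code from the draft, and not posted by anyone in this thread) of the transient-client-secret check in Python. It assumes hex SHA-256 as the binding between tcs and tcsh, an in-memory code store on the authorization server, and made-up client identifiers; the draft's actual parameter encoding and transport are not quoted above, so those are assumptions of the example. It walks through the legitimate redemption, an attacker that captured the code via a registered custom scheme but holds no tcs, a replay of an already-consumed code, and two instances of the same client_id each holding their own tcs, which is John's point that the secret is per authorization request rather than per client.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory authorization-server state: code -> (client_id, tcsh).
# A real AS would persist this with an expiry; this is enough to show the check.
_issued_codes = {}


def generate_tcs() -> str:
    """Client side: a fresh transient client secret for one authorization request."""
    return secrets.token_urlsafe(32)


def tcsh_of(tcs: str) -> str:
    """Assumed binding: hex SHA-256 of the transient secret.
    The thread names tcs/tcsh but does not quote the draft's hash encoding."""
    return hashlib.sha256(tcs.encode("ascii")).hexdigest()


def authorization_request(client_id: str, tcsh: str) -> str:
    """AS authorization endpoint: issue a code and remember the tcsh bound to it.
    Only the hash travels on the front channel, so a code interceptor never sees tcs."""
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = (client_id, tcsh)
    return code


def token_request(client_id: str, code: str, tcs: str) -> bool:
    """AS token endpoint: redeem the code only if hash(tcs) matches the bound tcsh.
    The code is consumed on the first attempt whether or not it succeeds, so a
    failed guess also burns the code for the legitimate holder (a deliberate choice
    here: an interception attempt should not leave the code alive)."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False
    bound_client, bound_tcsh = entry
    if bound_client != client_id:
        return False
    return hmac.compare_digest(tcsh_of(tcs), bound_tcsh)


def legitimate_flow(client_id: str = "native-app") -> bool:
    """The app that generated tcs redeems its own code."""
    tcs = generate_tcs()
    code = authorization_request(client_id, tcsh_of(tcs))
    return token_request(client_id, code, tcs)


def intercepted_code_flow(client_id: str = "native-app") -> bool:
    """A malicious app registered the same custom scheme and received the code,
    but it never saw tcs, so it can only guess."""
    tcs = generate_tcs()
    code = authorization_request(client_id, tcsh_of(tcs))
    attacker_guess = generate_tcs()
    return token_request(client_id, code, attacker_guess)


def replay_flow(client_id: str = "native-app"):
    """A consumed code cannot be redeemed a second time, even with the right tcs."""
    tcs = generate_tcs()
    code = authorization_request(client_id, tcsh_of(tcs))
    first = token_request(client_id, code, tcs)
    second = token_request(client_id, code, tcs)
    return first, second


def concurrent_instances(client_id: str = "native-app"):
    """Two instances of the same public client, each with its own tcs.
    Instance A's secret does not redeem instance B's code even though the
    client_id matches: the binding is per authorization request, not per client."""
    tcs_a, tcs_b = generate_tcs(), generate_tcs()
    code_a = authorization_request(client_id, tcsh_of(tcs_a))
    code_b = authorization_request(client_id, tcsh_of(tcs_b))
    swapped = token_request(client_id, code_b, tcs_a)
    own_a = token_request(client_id, code_a, tcs_a)
    return swapped, own_a


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("intercepted:", intercepted_code_flow())
    print("replay:", replay_flow())
    print("swapped, own:", concurrent_instances())
```

The constant-time comparison in token_request is there because tcsh is a secret-derived value the attacker can probe with many guesses; on a real server the code store would also carry an expiry and be keyed per client so that a code issued to one client_id cannot be redeemed under another.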