It was Google that wanted S256 to be mandatory for the AS to support. That makes it easier for the client.
S256 is relatively new so not being supported yet is not surprising. Sent from my iPhone > On Feb 18, 2015, at 12:15 PM, Torsten Lodderstedt <tors...@lodderstedt.net> > wrote: > > We don't plan to support s256 > > Basically, I don't see a need to. Plain already mitigates the threat, > spop/tcse had been designed to mitigate - an app intercepting the code > response of a public client. > > Am 18. Februar 2015 18:33:17 MEZ, schrieb Hannes Tschofenig > <hannes.tschofe...@gmx.net>: >> >> Thanks Brian for pointing me to Section 4.4.1 and to the MTI for "S256". >> While this is good from a security point of view I am wondering whether >> anyone is actually compliant to the specification. Neither PingIdentity >> nor DT implements the S256 transform, if I understood that correctly. >> Are you guys going planning to update your implementations? >> >> Ciao >> Hannes >> >>> On 02/18/2015 05:45 PM, Brian Campbell wrote: >>> There's a bit of MTI talk tucked into >>> https://tools.ietf.org/html/draft-ietf-oauth-spop-10#section-4.4.1 that >>> perhaps needs to be expanded and/or placed somewhere else. >>> >>> On Wed, Feb 18, 2015 at 8:33 AM, Hannes Tschofenig >>> <hannes.tschofe...@gmx.net >>> <mailto:hannes.tschofe...@gmx.net>> wrote: >>> >>> Thanks for the info, Torsten. >>> >>> Your feedback raises an interesting question, namely what functionality >>> the parties have to implement to claim conformance to the >>> specification. >>> >>> Quickly scanning through the specification didn't tell me whether it is >>> OK to just implement the plain mode or whether both modes are >>> mandatory-to-implement. We have to say something about this. >>> >>> Ciao >>> Hannes >>> >>> >>> On 02/18/2015 02:16 PM, tors...@lodderstedt.net >>> <mailto:tors...@lodderstedt.net> wrote: >>>> Hi Hannes, >>>> >>>> our implementation supports the "plain" mode only. We just verified >>>> compliance of our implementation with the current spec. As the only >>>> deviation, we do not enforce the >>>> minimum length of 43 characters >>> of the >>>> code verifier. >>>> >>>> kind regards, >>>> Torsten. >>>> >>>> Am 17.02.2015 17:48, schrieb Hannes Tschofenig: >>>>> Hi Torsten, >>>>> >>>>> does this mean that your implementation is not compliant with the >>>>> current version anymore or that you haven't had time to verify >>> whether >>>>> there are differences to the earlier version? >>>>> >>>>> Ciao >>>>> Hannes >>>>> >>>>> >>>>> On 01/31/2015 05:34 PM, Torsten >>>>> Lodderstedt wrote: >>>>>> Deutsche Telekom also implemented an early version of the draft last >>>>>> year. >>>>>> >>>>>> >>>>>> >>>>>> Am 30.01.2015 um 18:50 schrieb Brian Campbell >>>>>> <bcampb...@pingidentity.com <mailto:bcampb...@pingidentity.com> >>> <mailto:bcampb...@pingidentity.com >>> <mailto:bcampb...@pingidentity.com>>>: >>>>>> >>>>>>> >>>>>>> On Tue, Jan 27, 2015 at 9:24 AM, Hannes Tschofenig >>>>>>> <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net> >>> <mailto:hannes.tschofe...@gmx.net >>> <mailto:hannes.tschofe...@gmx.net>>> wrote: >>>>>>> >>>>>>> >>>>>>> 1) What implementations of the spec are you aware of? >>>>>>> >>>>>>> >>>>>>> We have an AS side implementation of an earlier draft that was >>>>>>> released in June of last year: >>> >>> http://documentation.pingidentity.com/pages/viewpage.action?pageId=26706844 >>>>>>> >>>>>>> >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org >>> <mailto:OAuth@ietf.org>> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth > > -- > Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
