Apologies if this is the wrong forum for my comment (and please direct me to the appropriate place in that case), but I have two questions about the propose mitigation (and the thinking behind it) that I think the write-up could address:
1. Could the writeup clarify whether/how the primary "mixup" threat differs from what RFC6819 identifies as in section 4.6.4? 2. Has the workgroup considered a mitigation that puts more responsibility on the authorization server, and less on the client? For example, if would be helpful for the writeup to clarify why having the client send an "audience field" (in the terminology of RFC6819) to the authorization endpoint would not mitigate the threat. (In that scenario, the authorization server can recognize that the audience does not correspond to a resource server it knows, rather than asking clients to make this check). I assume this approach has been considered and rejected as an incomplete mitigation, but I don't have visibility into where/how that discussion went. Thanks, Josh Hi all, this is the call for adoption of OAuth 2.0 Mix-Up Mitigation, see https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00 Please let us know by Feb 9th whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group. Note: This call is related to the announcement made on the list earlier this month, see http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html. More time for analysis is provided due to the complexity of the topic. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth