Hi John,
On Thu, 21 Jan 2016 at 15:42, John Bradley <ve7...@ve7jtb.com> wrote:

> We merged the state verification in with this rather than forcing people
> to also look at the JWT encoded State draft.
> https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state.
>
> While JWT encoded state is how I would do state in a client and at least
> one client I know of uses it, it is not the only way to manage state,

And not how I'd do it (unless you convince me that JWT is really better and the advantages outweigh the network bloat).

> and I am hesitant that developers might be scared away by thinking they
> need to encode state as a JWT.
>
> I decided that cross referencing them is better. This made sending much
> simpler to describe.

Wouldn't linking to RFC 6819 be enough?

> I also removed the hashing from state. That cut the text by about 2/3 by
> not having to describe character set normalization so that both the client
> and the AS could calculate the same hash.
> That also achieved the goal of not requiring a simple OAuth client doing
> the code flow to add a crypto library to support SHA256.
>
> Once we make an algorithm mandatory, we need to defend why we don’t have
> crypto agility, e.g. support for SHA3 etc. We would be forced by the IESG to
> add another parameter to the request to specify the hash alg if we went
> that direction.
>
> Given that we assume state to be public info in the request that an
> attacker can see, hashing state provides not much value for a lot of
> complexity that people may get wrong or not implement.
>
> I appreciate why from a theory point of view hashing it would have been
> better.
>
> If people really want it I can add it back.
>
> John B.
>
>> On Jan 21, 2016, at 3:28 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
>>
>> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up
>> Mitigation draft. Changes were:
>> · Simplified by no longer specifying the signed JWT method for
>> returning the mitigation information.
>> · Simplified by no longer depending upon publication of a discovery
>> metadata document.
>> · Added the “state” token request parameter.
>> · Added examples.
>> · Added John Bradley as an editor.
>>
>> The specification is available at:
>> · http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
>>
>> An HTML-formatted version is also available at:
>> · http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html
>>
>> -- Mike
>>
>> P.S. This note was also posted at http://self-issued.info/?p=1526 and as
>> @selfissued <https://twitter.com/selfissued>.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
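The two design points argued over in this thread, plain state verification on the client versus a hashed state that needs a shared normalization rule, as an added example. This is not code from the mix-up mitigation draft, the JWT encoded state draft, or any of the posters. It assumes the authorization response carries an `iss` parameter naming the server that issued it (the draft adds such a parameter; the name used here is an assumption), and every issuer URL and state value in it is constructed sample data.

```python
"""Client-side handling of the OAuth 2.0 'state' parameter.

Added example; not code from either draft or from the thread's authors.
It shows:

  1. plain (unhashed) state, bound on the client to the authorization
     server (AS) the request was sent to and checked once on the callback;
  2. why a hashed-state scheme forces a character-set normalization
     rule: client and AS must hash exactly the same bytes.

Assumption: the authorization response carries an 'iss' parameter naming
the issuing AS.  All issuer URLs and state values are constructed.
"""
import hashlib
import secrets
import unicodedata
from typing import Dict, Optional
from urllib.parse import unquote


class OAuthClientState:
    """Outstanding authorization requests for one client instance."""

    def __init__(self) -> None:
        # state value -> issuer the request was sent to
        self._pending: Dict[str, str] = {}

    def begin_authorization(self, issuer: str) -> str:
        """Create an unguessable state and remember which AS it was sent to."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = issuer
        return state

    def handle_callback(self, state: str, iss: Optional[str]) -> str:
        """Validate the authorization response and return the issuer to use
        for the token request.  Raises ValueError on any mismatch."""
        # pop() makes each state single-use, so a replayed response fails.
        issuer = self._pending.pop(state, None)
        if issuer is None:
            raise ValueError("unknown or already-used state")
        # Mix-up check: the response must come from the AS this request was
        # sent to, not merely from some AS the client trusts.
        if iss is not None and iss != issuer:
            raise ValueError("authorization response from a different issuer")
        return issuer


def hashed_state(state: str, normalize: bool) -> str:
    """SHA-256 hex digest of a state value.

    With normalize=False the digest depends on whatever representation the
    caller happens to hold (percent-encoded or not, NFC or NFD).  With
    normalize=True both sides first percent-decode and apply Unicode NFC,
    the kind of rule a hashed-state spec text would have to spell out.
    """
    if normalize:
        state = unicodedata.normalize("NFC", unquote(state))
    return hashlib.sha256(state.encode("utf-8")).hexdigest()


def demo() -> Dict[str, bool]:
    """Exercise both parts; returns named outcomes for checking."""
    results: Dict[str, bool] = {}
    client = OAuthClientState()
    good_as, other_as = "https://as-a.example", "https://as-b.example"  # constructed

    state = client.begin_authorization(good_as)
    results["valid_callback"] = client.handle_callback(state, good_as) == good_as

    # The same state presented a second time must be rejected.
    try:
        client.handle_callback(state, good_as)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True

    # A response claiming to come from a different AS than the one asked.
    state = client.begin_authorization(good_as)
    try:
        client.handle_callback(state, other_as)
        results["mixup_rejected"] = False
    except ValueError:
        results["mixup_rejected"] = True

    # Hashing pitfall: the client holds the state as typed (NFC), the AS
    # sees it percent-encoded in the query string, a proxy might hand it
    # over in NFD.  All three are the same logical value.
    client_view = "caf\u00e9"        # constructed
    as_view = "caf%C3%A9"            # same value, percent-encoded
    nfd_view = "cafe\u0301"          # same value, decomposed form
    results["raw_hashes_differ"] = (
        hashed_state(client_view, False) != hashed_state(as_view, False)
    )
    results["normalized_hashes_match"] = (
        hashed_state(client_view, True)
        == hashed_state(as_view, True)
        == hashed_state(nfd_view, True)
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

A random `token_urlsafe` state never hits the normalization problem, which is part of the point: the trouble only starts once state carries application data or a JWT and the AS is asked to recompute a digest over it, and that is the text John says he removed.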