I would really like to see a comprehensive solution, not this piecework, so we know what we are solving and what we are not.

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hans Zandbelt
Sent: Monday, March 14, 2016 3:26 PM
To: Phil Hunt (IDM) <phil.h...@oracle.com>; John Bradley <ve7...@ve7jtb.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

On 3/14/16 10:17 PM, Phil Hunt (IDM) wrote:
<snip>
> On Mar 14, 2016, at 14:13, John Bradley <ve7...@ve7jtb.com> wrote:
>> Any client that has the resource and issuer hard coded probably
>> doesn't need discovery.
> We agree

Yet any client that has hard coded a resource and 2 issuers doesn't need discovery either but is vulnerable to the IDP mixup attack.

I'd really like to see the two being addressed independently of each other, regardless of the fact that a Discovery solution *could* solve the IDP mixup attack as well.

Hans.

--
Hans Zandbelt | Sr. Technical Architect
hzandb...@pingidentity.com | Ping Identity

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth