Hi all,

Today we discussed the OAuth Authorization Server Mixup draft. We were
wondering what types of threats the document should find solutions for.

We discussed various document handling approaches including
 * OAuth Mix-Up and Cut-and-Paste attacks documented in separate
solution documents
 * combined solution document covering the OAuth Mix-Up and the
Cut-and-Paste attacks.

Barry pointed out that these documents could update the OAuth base
specification.

As a more radical change it was also suggested to revise RFC 6749 "OAuth
2.0 Authorization Framework" and RFC 6819 "OAuth 2.0 Threat Model and
Security Considerations".

Opening up the OAuth base specification obviously raises various other
questions about cleaning up parts that go far beyond the AS mix-up and
the cut-and-paste attacks. Other specifications, such as the Open
Redirector, could be folded into such a new specification.

Derek and I would appreciate your input on this topic before we make a
decision since it has significant impact on our work.

Ciao
Hannes & Derek



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
