Hi all,

the security discussion started with mix up and cut and paste, but we had a 
much broader discussion including further issues, such as open redirector. I 
suggested merging all threats we are currently discussing into a single 
document in order to come up with a consolidated view on "enhanced OAuth 
security". This would at least include:
- mix up
- copy and paste
- changed behavior of browsers regarding URL fragments
- open redirector (AS and client)
- (potentially) XSRF and advice on how to mitigate it using state

I think that would help the working group to get an overview of ALL issues 
(including e.g. fragments) and _systematically_ improve OAuth. We did the same 
when we originally published the core spec - and it worked.

I felt some consensus around the topic that in the end, there must be 
normative changes to the core protocol and the respective security 
considerations.

Barry gave his advice regarding updates in this context.

best regards,
Torsten.

> Am 06.04.2016 um 19:43 schrieb Hannes Tschofenig <hannes.tschofe...@gmx.net>:
> 
> Leif was so nice to take meeting notes during the OAuth meeting today
> and they have been uploaded to:
> https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
> 
> Please take a look at them and let me know if they are incorrect or need
> to be extended.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

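To make the threats listed above concrete for implementers, here is an added example of the client-side checks they call for: a `state` value bound to the browser session and consumed once (XSRF and copy-and-paste/replay of an authorization response), and the response checked against the authorization server the request was actually sent to (mix-up). This is illustrative code written for this page, not code from the working group or any OAuth library; the two authorization servers, the client ID, the per-AS redirect URIs and the `OAuthClient` class are all constructed for the example. Using a distinct redirect URI per authorization server is one way to tell which AS answered; it is an assumption of this example, not a requirement stated in the thread.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for the example: a client registered with two authorization
# servers, one honest and one attacker-controlled, each with its own
# redirect URI so the client can tell which AS a response came from.
AUTHZ_SERVERS = {
    "honest": {
        "authorize": "https://as.example/authorize",
        "redirect_uri": "https://client.example/cb/honest",
    },
    "attacker": {
        "authorize": "https://evil.example/authorize",
        "redirect_uri": "https://client.example/cb/attacker",
    },
}
CLIENT_ID = "client-123"  # assumption: the client's registered ID at both servers
STATE_TTL_SECONDS = 600   # assumption: how long a pending request stays valid


@dataclass
class PendingAuth:
    """What the client remembers per outstanding authorization request."""
    session_id: str   # browser session that initiated the request
    as_id: str        # authorization server the request was sent to
    created: float    # creation time, for expiry


class OAuthClient:
    def __init__(self):
        # state -> PendingAuth; in a real deployment this is server-side storage
        self._pending = {}

    def start_authorization(self, session_id, as_id):
        """Build the authorization request URL and record the pending state."""
        state = secrets.token_urlsafe(32)  # unguessable, one per request
        self._pending[state] = PendingAuth(session_id, as_id, time.time())
        as_cfg = AUTHZ_SERVERS[as_id]
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": as_cfg["redirect_uri"],
            "state": state,
        }
        return as_cfg["authorize"] + "?" + urlencode(params)

    def handle_callback(self, session_id, callback_url):
        """Validate an authorization response.

        Returns (result, None) on success or (None, reason) on rejection.
        """
        parsed = urlparse(callback_url)
        qs = parse_qs(parsed.query)
        state = qs.get("state", [None])[0]
        code = qs.get("code", [None])[0]
        if not state or not code:
            return None, "missing state or code"

        # Single use: a replayed or pasted response cannot match twice.
        pending = self._pending.pop(state, None)
        if pending is None:
            return None, "unknown or reused state"
        if time.time() - pending.created > STATE_TTL_SECONDS:
            return None, "state expired"

        # XSRF: the response must arrive in the session that started the flow.
        if pending.session_id != session_id:
            return None, "state not bound to this browser session (XSRF)"

        # Mix-up: the response must arrive at the redirect URI of the AS the
        # request was sent to, not at the one registered for a different AS.
        expected = urlparse(AUTHZ_SERVERS[pending.as_id]["redirect_uri"])
        if (parsed.scheme, parsed.netloc, parsed.path) != (
            expected.scheme, expected.netloc, expected.path
        ):
            return None, "response arrived at the redirect URI of a different AS (mix-up)"

        # Safe to redeem the code at pending.as_id's token endpoint only.
        return {"code": code, "as_id": pending.as_id}, None


def state_from_url(url):
    """Helper for tests and demos: pull the state parameter out of a request URL."""
    return parse_qs(urlparse(url).query)["state"][0]
```

The mix-up check is the part most often missing: a client that only verifies `state` will happily send a code obtained from the honest AS to the attacker's token endpoint, because the pending request was started against the attacker's AS. Binding the pending request to the AS and refusing any response that does not arrive on that AS's redirect URI closes that path.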