Yeah, as I recall, there was at least some support around the idea of an
"enhanced OAuth security" document.

On Sun, Apr 17, 2016 at 2:46 AM, Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:

> Hi all,
>
> the security discussion started with mix up and cut and paste, but we had
> a much broader discussion including further issues, such as open
> redirector. I suggested merging all threats we are currently discussing
> into a single document in order to come up with a consolidated view on
> "enhanced OAuth security". This would at least include:
> - mix up
> - copy and paste
> - changed behavior of browsers regarding URL fragments
> - open redirector (AS and client)
> - (potentially) XSRF and advice on how to mitigate it using state
>
> I think that would help the working group to get an overview on ALL issues
> (including e.g. fragments) and _systematically_ improve OAuth. We did the
> same when we originally published the core spec - and it worked.
>
> I felt some consensus around the topic that in the end, there must be
> normative changes to the core protocol and the respective security
> considerations.
>
> Barry gave his advice regarding updates in this context.
>
> best regards,
> Torsten.
>
> > Am 06.04.2016 um 19:43 schrieb Hannes Tschofenig <
> hannes.tschofe...@gmx.net>:
> >
> > Leif was so nice to take meeting notes during the OAuth meeting today
> > and they have been uploaded to:
> > https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
> >
> > Please take a look at them and let me know if they are incorrect or need
> > to be extended.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>