On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
> I'm very much interested to find a solution within the OAuth realm as
> I'm not interested to either implement two solutions (for OpenId Connect
> and OAuth) or adopt an OpenId-specific solution to OAuth (use id tokens
> in the front channel). I therefore would like to see progress and
> propose to continue the discussion regarding mitigations for both threats.
>
> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> proposes reasonable mitigations for both attacks. There are alternatives
> as well:
> - mix up:
> -- AS specific redirect uris
> -- Meta data/turi
> (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> - CnP:
> -- use of the nonce parameter (as a distinct mitigation beside state to
> counter XSRF)
From our formal analysis of OAuth we are pretty confident that the mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be sufficient against the Mix-Up attack.

Cheers,
Daniel

--
Informationssicherheit und Kryptografie
Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
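As an added illustration of two of the client-side mitigations listed in the quoted message (AS-specific redirect URIs bound to the state for mix-up, and a per-attempt nonce for cut-and-paste), here is example code that is not from either message, the drafts, or any project; the issuer and redirect URI values are constructed.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample registrations: the client uses a distinct redirect URI
# per authorization server (the "AS specific redirect uris" option).
AUTH_SERVERS = {
    "https://as-a.example": "https://client.example/cb/as-a",
    "https://as-b.example": "https://client.example/cb/as-b",
}


class MixUpProtectedClient:
    """Remembers, per login attempt, which AS the flow was started with, so the
    callback can refuse an authorization response that was redirected to the
    URI registered for a different AS (mix-up) or that reuses a state."""

    def __init__(self):
        self.pending = {}  # state -> {"issuer": ..., "nonce": ...}

    def start_login(self, issuer):
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self.pending[state] = {"issuer": issuer, "nonce": nonce}
        # The caller builds the authorization request with this redirect_uri.
        return state, nonce, AUTH_SERVERS[issuer]

    def handle_callback(self, callback_url):
        parts = urlsplit(callback_url)
        query = parse_qs(parts.query)
        state = query.get("state", [None])[0]
        attempt = self.pending.pop(state, None)  # one-shot: blocks replay
        if attempt is None:
            return None, "unknown or already used state"
        # Mix-up check: the URI the response arrived on must be the one
        # registered for the AS this state was issued for.
        arrived_on = parts._replace(query="", fragment="").geturl()
        if arrived_on != AUTH_SERVERS[attempt["issuer"]]:
            return None, "response arrived on the redirect URI of another AS"
        if "code" not in query:
            return None, "no authorization code in response"
        attempt["code"] = query["code"][0]
        return attempt, "ok"


def nonce_matches(attempt, id_token_claims):
    """Cut-and-paste check: the nonce bound to this attempt must come back in
    the ID token claims obtained from the token endpoint."""
    return id_token_claims.get("nonce") == attempt["nonce"]
```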