STATE can be anything; it does not have to be a NONCE, so changing this would 
cause issues at this time for existing deployments.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Monday, May 9, 2016 7:34 PM
To: Guido Schmitz <g.schm...@gtrs.de>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Multi-AS State Re-Use

As far as I am aware, state was meant to be a nonce. Replay possibilities etc. 
were known. It is probably bad documentation that every reviewer missed 
because they were assuming it.

Best,

Nat
On Mon, May 9, 2016 at 20:14 Guido Schmitz <g.schm...@gtrs.de> wrote:
Hi all,

can anybody confirm that this is a new / undocumented attack?

Cheers,

Guido, Daniel, and Ralf

On 22.04.2016 16:23, Daniel Fett wrote:
> Hi all,
>
> Besides the state leakage attack we found that another important fact
> regarding state is underspecified: Each state value should only be
> used for one run of the protocol, in particular, each AS should see a
> different state in multi-AS settings. Clients might be tempted to
> generate state once and then re-use each time a user wants to
> authorize.
>
> If state is re-used, given a setup where one Client allows users to
> authorize using two AS, a potentially malicious AS learns the state
> value that is valid for authorization at an honest AS. I.e., each AS
> can mount a CSRF attack on the user using the other AS.
>
> Just as the attack in the other mail, this is not a big deal in
> practice, but should be discussed somewhere.
>
> Cheers,
> Daniel, Guido, and Ralf
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
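The per-run state handling that Daniel Fett's quoted message calls for, shown as an added example that is not code from the thread or from any OAuth implementation; the class and parameter names (OAuthClient, as_id, session_id) and the constructed URLs are assumptions:

```python
import secrets
from urllib.parse import urlencode

# Added example, not code from the thread: per-run OAuth 2.0 "state" for a client
# whose users can authorize at more than one authorization server (AS).
# OAuthClient, as_id and session_id are hypothetical names.


class OAuthClient:
    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = {}  # state -> (session_id, as_id): one entry per protocol run

    def build_authorization_url(self, session_id, as_id, auth_endpoint):
        # Fresh 256-bit random value for every run, never shared between runs or
        # ASes, so no AS ever learns a state that is valid at another AS.
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, as_id)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state}
        return f"{auth_endpoint}?{urlencode(params)}"

    def validate_callback(self, session_id, as_id, state):
        """Accept the redirect only if state is pending and was issued to this
        browser session for this AS; consume it on success (single use)."""
        entry = self._pending.get(state)
        if entry is None:
            return False  # unknown, or already redeemed once
        sess, issued_for = entry
        if not (secrets.compare_digest(sess, session_id) and issued_for == as_id):
            return False  # belongs to another session or to another AS
        del self._pending[state]
        return True


def demo():
    # Two ASes for the same browser session, as in the setup described above.
    client = OAuthClient("client-x", "https://client.example/cb")
    url_a = client.build_authorization_url("sess-1", "as-a", "https://as-a.example/authorize")
    url_b = client.build_authorization_url("sess-1", "as-b", "https://as-b.example/authorize")
    state_a, state_b = url_a.rsplit("state=", 1)[1], url_b.rsplit("state=", 1)[1]
    return {
        "distinct_per_as": state_a != state_b,
        "cross_as_rejected": not client.validate_callback("sess-1", "as-b", state_a),
        "other_session_rejected": not client.validate_callback("sess-2", "as-b", state_b),
        "genuine_accepted": client.validate_callback("sess-1", "as-b", state_b),
        "replay_rejected": not client.validate_callback("sess-1", "as-b", state_b),
    }
```

Because each run gets its own state bound to the session and the AS, a state seen by one AS is useless at the other and cannot be redeemed twice.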