Hi Aaron et al,

I re-read the latest version of the web app BCP. For me it has become
increasingly hard to follow, and so I’m concerned that it’s even harder for
the target audience this document is intended for.

It seems that over time more and more content got accumulated which IMO
jumps straight to conclusions without giving a good pro/con breakdown. I
worry that it will be hard for someone with less experience to make the
right choices (or easy to do the wrong ones).

Given we both (and others here on that list) attended Philippe de Ryck's
presentations at the OSW, I wonder if it wouldn’t make sense to start this
document with the browser attacker model. This would make it very clear
what an attacker is potentially able to do in the browser.

From there this would lead to various risks/attacks like

• Session hijacking
• Access token exfiltration
• Refresh token exfiltration
• …

...and based on that there are different implementation/architecture choices
to make. Each implementation style helps in mitigating one or more of the
above attacks. None of them will solve them all of course.

I think this approach would make this document more useful and maybe you
can consider such a re-design.

Thanks
Dominick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
