Re: [OAUTH-WG] Authorization code security considerations

2011-07-08 Thread Justin Richer
I'm not sure normative language even fits here. We need something like 
"Authorization codes should be treated as sensitive and the client needs 
to try to make sure it doesn't leak the authorization code." But more 
formal and less garden pathy than I'm able to pen at the moment.

  -- Justin

On 7/8/2011 2:39 PM, Eran Hammer-Lahav wrote:

"Authorization codes MUST be kept confidential"

How exactly? They are not confidential by nature, being received via 
redirection in the URI query. I know what this sentence is trying to accomplish 
but not sure how to do that with normative language. SHOULD doesn't really work 
here either.

Suggestions?

EHL
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




Re: [OAUTH-WG] Authorization code security considerations

2011-07-08 Thread Eran Hammer-Lahav
Can you provide this in a form suitable for pasting into the current text? 
Browser same origin policy is enforced by the user-agent, and is beyond the 
scope of this protocol.

EHL

> -Original Message-
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Friday, July 08, 2011 11:52 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Authorization code security considerations
> 
> On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav 
> wrote:
> > How exactly? They are not confidential by nature, being received via
> redirection in the URI query. I know what this sentence is trying to
> accomplish but not sure how to do that with normative language. SHOULD
> doesn't really work here either.
> 
> The browser same origin policy does apply to URI queries.  They MUST be
> kept confidential, i.e. only sent to authorized entities.  That
> covers:
> 
> - the client web site
> - the browser


Re: [OAUTH-WG] Authorization code security considerations

2011-07-08 Thread Brian Eaton
On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav wrote:
> How exactly? They are not confidential by nature, being received via 
> redirection in the URI query. I know what this sentence is trying to 
> accomplish but not sure how to do that with normative language. SHOULD 
> doesn't really work here either.

The browser same origin policy does apply to URI queries.  They MUST
be kept confidential, i.e. only sent to authorized entities.  That
covers:

- the client web site
- the browser
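The thread argues about how to phrase "authorization codes MUST be kept confidential" when, as Eran notes, the code arrives in the redirect URI query, and Brian's answer is that it must only be sent to authorized entities, the client web site and the browser. The following is an added example, not code from the thread or from any OAuth implementation, showing what a client's redirect-URI handler does to treat the code as sensitive: accept it only at the registered redirect URI, bind it to a state value the client itself issued, consume it once, exchange it immediately over the back channel, send the browser on to a code-free URL, and redact it before logging. The redirect URI, the function names, the in-memory bookkeeping and the caller-supplied `exchange_code` callable are all assumptions made for the example.

```python
# Added example, not code from the OAuth WG thread or any OAuth library.
# A client-side redirect-URI handler that treats the authorization code as
# sensitive. All names, URLs and the storage model are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
import secrets

# Assumed redirect URI registered for this client at the authorization server.
REGISTERED_REDIRECT_URI = "https://client.example/cb"

# In-memory bookkeeping for the example; a real client keeps this per user session.
_pending_states: Dict[str, bool] = {}
_consumed_codes: Set[str] = set()


def start_authorization() -> str:
    """Issue an unguessable state value before redirecting the user to the
    authorization server, so an incoming code can be tied to a request we made."""
    state = secrets.token_urlsafe(32)
    _pending_states[state] = True
    return state


@dataclass
class CallbackResult:
    ok: bool
    reason: str
    access_token: Optional[str] = None
    redirect_to: Optional[str] = None  # code-free URL to send the browser to next


def redact_for_log(url: str) -> str:
    """Return the redirect URL with the code value replaced, for log lines."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    if "code" in q:
        q["code"] = ["[redacted]"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(q, doseq=True), parts.fragment))


def handle_callback(received_url: str,
                    exchange_code: Callable[[str], str]) -> CallbackResult:
    """Process the browser's arrival at the redirect URI.

    exchange_code stands in for the client's back-channel request to the
    token endpoint; it is supplied by the caller so the example runs offline."""
    parts = urlsplit(received_url)
    code_free_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    # Only the registered redirect URI may receive codes for this client.
    if code_free_url != REGISTERED_REDIRECT_URI:
        return CallbackResult(False, "redirect target mismatch")
    q = parse_qs(parts.query)
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    # The state must match a request this client started; popping it makes the
    # state, and so the whole callback, single-use.
    if state is None or not _pending_states.pop(state, False):
        return CallbackResult(False, "unknown or reused state")
    if not code:
        return CallbackResult(False, "no code in callback", redirect_to=code_free_url)
    if code in _consumed_codes:
        return CallbackResult(False, "code already used", redirect_to=code_free_url)
    _consumed_codes.add(code)
    # Exchange at once over the back channel; the clear code goes nowhere else.
    token = exchange_code(code)
    print("callback handled:", redact_for_log(received_url))
    return CallbackResult(True, "ok", access_token=token, redirect_to=code_free_url)
```

The returned `redirect_to` is the registered URI with the query stripped, so the browser is moved off the URL carrying the code once it has been consumed; a second delivery of the same URL fails on the popped state.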