> From: "Tschofenig, Hannes (NSN - FI/Espoo)"
> To: Francisco Corella ; ietf@ietf.org
> Sent: Wednesday, February 1, 2012 4:33 AM
> Subject: RE: REVISED Last Call: (The OAuth
> 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
>
The bearer token protocol described in the document referenced in the
subject line is vulnerable to the following attack by a malicious
resource server.
There are two resource servers S1 and S2, S1 hosting a resource R1,
and S2 hosting a resource R2. Servers are not entitled to access
resources t
This document has the following issues:
1. Section 10.11, in connection with phishing attacks, notes that
"wide deployment of this and similar protocols may cause end-users to
become inured to the practice of being redirected to websites where
they are asked to enter their passwords". That begs t