>> Q. Should an OAuth client app list the authorization server in the Origin
>> header of requests to resource servers?
> Was there any conclusion?
My conclusion is that the Origin request header is the right place to list the
OAuth authorization server to combat login CSRF attacks against
Any of #1-#3 are fine with me.
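To make the mitigation discussed above concrete, here is an added example (not code from the thread or from any OAuth implementation) of the check a resource server would run: it requires the configured authorization server to appear among the origins listed in the request's Origin header, which RFC 6454 allows to be a space-separated list, and rejects requests whose header is missing, "null", or unparsable. The trusted server address and the sample headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption (constructed for this example): the authorization server whose
# presence in the Origin header this resource server requires.
TRUSTED_AUTHZ_SERVER = "https://authz.example.com"


def normalize_origin(url):
    """Reduce a URL to its scheme://host[:port] serialization, dropping a
    default port, so that textual variants of one origin compare equal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an HTTP(S) origin: %r" % url)
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == default_port:
        return "%s://%s" % (parts.scheme, parts.hostname.lower())
    return "%s://%s:%d" % (parts.scheme, parts.hostname.lower(), port)


def check_origin(headers, trusted=TRUSTED_AUTHZ_SERVER):
    """Decide whether a request to the resource server lists the trusted
    authorization server in its Origin header.

    The header may carry several space-separated origins; the request is
    accepted only when the trusted authorization server is one of them.
    A missing, empty, 'null', or unparsable header is rejected (fail closed).
    Returns (accepted, reason)."""
    values = [v for k, v in headers.items() if k.lower() == "origin"]
    if not values:
        return False, "missing Origin header"
    raw = values[0].strip()
    if not raw or raw == "null":
        return False, "opaque or empty Origin"
    try:
        listed = {normalize_origin(o) for o in raw.split()}
    except ValueError as exc:
        return False, str(exc)
    if normalize_origin(trusted) not in listed:
        return False, "authorization server not listed: " + " ".join(sorted(listed))
    return True, "authorization server present in Origin"


# Constructed sample requests (not captured traffic); token values are placeholders.
SAMPLE_HEADERS = {
    "legit": {"Origin": "https://client.example.org https://AUTHZ.example.com:443",
              "Authorization": "Bearer <placeholder-token>"},
    "no_origin": {"Authorization": "Bearer <placeholder-token>"},
    "other_as": {"Origin": "https://unrelated-as.example.net"},
    "null_origin": {"Origin": "null"},
    "garbage": {"Origin": "not a url"},
}


def run_samples():
    """Evaluate every constructed request; returns {name: accepted}."""
    return {name: check_origin(h)[0] for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        ok, why = check_origin(hdrs)
        print("%-12s %s  (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

Only the "legit" request is accepted; the comparison is done on normalized origins so that case and an explicit default port do not cause a spurious rejection, while anything other than a well-formed HTTP(S) origin list fails closed.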
On Sat, Mar 26, 2011 at 4:36 PM, Eran Hammer-Lahav wrote:
> The security consideration section pending, this is the last open issue I
> have to close as editor before the document is ready to leave the working
> group. While this is silly business for many, it is v
Well, the IESG won't approve a document that doesn't include a Security
Considerations section. :)
I'll talk with Hannes about this in person here in Prague (he's sitting
next to me at the moment, but we're in a meeting so we can't chat).
On 3/27/11 10:19 AM, Eran Hammer-Lahav wrote:
> I guess yo
On 3/27/11 12:36 AM, Eran Hammer-Lahav wrote:
> The security consideration section pending, this is the last open issue
> I have to close as editor before the document is ready to leave the
> working group. While this is silly business for many, it is very
> important to others, so bear with me.
I guess you can sort it out at the meeting. I thought the plan was to distill
the security document into a shorter (but not insignificant) security
consideration section (I was expecting something in the range of 10-20 pages),
and also publish the model document with added details.
EHL
> -
Hannes Tschofenig wrote:
That's what I thought was the plan.
(Assuming the working group agrees to work on a separate document. I would
support it.)
On Mar 27, 2011, at 10:03 AM, Eran Hammer-Lahav wrote:
> So the new plan is for you to provide the text for the security section and
> just publish their work as a separ
So the new plan is for you to provide the text for the security section and
just publish their work as a separate RFC at the same time?
EHL
> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
> Sent: Sunday, March 27, 2011 12:58 AM
> To: Eran Hammer-Lahav
>
On the security aspect: I will write a short text for the OAuth draft because
the longer writeup by Torsten/Mar/Phil is targeting a different scope. So, you
cannot just copy it.
On Mar 27, 2011, at 12:36 AM, Eran Hammer-Lahav wrote:
> The security consideration section pending, this is the las