Thanks, Skylar. Eran's and your comments do alleviate my concerns somewhat.
In reviewing the security considerations text, which I hadn't seen this
morning when writing my earlier email, I feel *much* better. My favorite
part is this:
Authorization servers MUST NOT automatically process (withou
Just as a response to Andrew, the concern is valid, and providers should be
educated to warn users about the possibility of a forged identity. This risk
for forgery is actually possible for clients with and without secrets. Anyone
can spoof either type if the client ID is known, thus showing
Hopefully by the end of the week. My farm took all my free time this weekend.
EHL
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Tuesday, April 12, 2011 8:54 AM
To: Eran Hammer-Lahav
Cc: Andrew Arnott; OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] client authentication for implicit grant type
The proposed text already does
(http://tools.ietf.org/html/draft-lodderstedt-oauth-securityconsiderations-02).
When will you post the new revision of the core draft that includes the
proposed text?
regards,
Torsten.
On 12.04.2011 17:50, Eran Hammer-Lahav wrote:
It should include a section on phishing-like attacks.
EHL
From: Andrew Arnott [mailto:andrewarn...@gmail.com]
Sent: Tuesday, April 12, 2011 8:30 AM
To: Eran Hammer-Lahav
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] client authentication for implicit grant type
Thanks, Eran. Will the security considerations section discuss this and
recommend that auth servers warn the users of the potential phishing attack?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
We're hiring!
I don't think there is much we can do either way to prevent these phishing-like
attacks with or without the client identifier. The key to security here is the
ability of the end-user to keep track of how they got there, and based on that
decide if they want to grant access to whoever sent them to
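The spoofing Eran and Andrew are discussing, shown as an added illustration that is not part of the thread and not anyone's code from the working group: an implicit-grant authorization request carries only the public client_id, so an attacker who knows it can build a request whose consent screen shows the legitimate client's name. The client registry, the authorization endpoint URL and the client names below are constructed sample data; the redirect URI comparison is the standard OAuth 2.0 server-side check, added here for illustration rather than taken from the thread.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registry. The client_id is public (it appears in every
# authorization URL the real client sends), so an attacker knows it too.
CLIENT_REGISTRY = {
    "photo-printer-app": {
        "name": "Photo Printer",
        "redirect_uris": ["https://printer.example.com/oauth/cb"],
    },
}

AUTHZ_ENDPOINT = "https://auth.example.org/authorize"  # assumed, sample only


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Build an implicit-grant authorization request (response_type=token).

    Nothing in this request authenticates the client: the only client-related
    parameter is client_id, and that is not a secret.
    """
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def _params(request_url):
    qs = parse_qs(urlparse(request_url).query)
    return {k: v[0] for k, v in qs.items()}


def consent_screen_name(request_url):
    """Name the consent screen would show if the server identifies the client
    by client_id alone. A forged request shows the real client's name."""
    client = CLIENT_REGISTRY.get(_params(request_url).get("client_id"))
    return client["name"] if client else None


def redirect_uri_is_registered(request_url):
    """Server-side check: the only thing binding client_id to the party that
    will actually receive the access token is the registered redirect URI.
    Exact matching is used here; a looser match would reopen the hole."""
    p = _params(request_url)
    client = CLIENT_REGISTRY.get(p.get("client_id"))
    if client is None or "redirect_uri" not in p:
        return False
    return p["redirect_uri"] in client["redirect_uris"]


# Legitimate request from the registered client.
LEGIT_URL = build_authorization_url(
    "photo-printer-app", "https://printer.example.com/oauth/cb", "photos", "abc123")

# Forged request: same public client_id, attacker-controlled redirect URI.
# The consent screen still says "Photo Printer"; only the redirect URI check
# stops the token from being delivered to the attacker.
FORGED_URL = build_authorization_url(
    "photo-printer-app", "https://attacker.example.net/cb", "photos", "abc123")

# Phishing-style variant: attacker reuses the legitimate redirect URI. The
# server cannot distinguish this from the real client's request; the token
# goes to the real client, and the user has been lured into granting access.
LURE_URL = build_authorization_url(
    "photo-printer-app", "https://printer.example.com/oauth/cb", "photos", "xyz")


if __name__ == "__main__":
    for label, url in (("legit", LEGIT_URL), ("forged", FORGED_URL), ("lure", LURE_URL)):
        print(label, consent_screen_name(url), redirect_uri_is_registered(url))
```

The third case is the one Eran's point is about: when the forged request reuses the registered redirect URI, the server sees exactly what the real client would send, and nothing in the protocol tells the user who actually sent them to the authorization page.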
I brought this concern up about a year ago. Now reviewing the latest
drafts, I still have a concern with it. It is regarding the use of
client_id without a password. I agree with section 3, as included below:
Section 3. Client Authentication
The client identifier is not a secret, it is exposed