Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-04 Thread Eran Hammer-Lahav
Sorry for the late response. > -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Sunday, August 21, 2011 10:59 AM > To: Eran Hammer-Lahav > Cc: Niv Steingarten; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Imper

Re: [OAUTH-WG] redirect uri validation

2011-09-04 Thread Eran Hammer-Lahav
That's not complete. A valid redirection URI is not enough to verify client identity at the time it is presented, but it is enough in many cases to prevent leaking credentials later on. How about a slight change: A valid redirection URI is not sufficient to verify the client's identi

Re: [OAUTH-WG] treatment of client_id for authentication and identification

2011-09-04 Thread Eran Hammer-Lahav
New tweak: The security ramifications of allowing unauthenticated access by public clients to the token endpoint, as well as the issuance of refresh tokens to public clients MUST be taken into consideration. EHL > -Original Message- > From: Richer, J

Re: [OAUTH-WG] Auth Code Swap Attack

2011-09-04 Thread Eran Hammer-Lahav
This is my proposed text for -21 (based on Bill's text as a starting point): 10.12. Cross-Site Request Forgery Cross-site request forgery (CSRF) is an exploit in which an attacker causes the user-agent of a victim end-user to follow a malicious URI (e.g. provided to the user-agent as a

Re: [OAUTH-WG] Security area review

2011-09-04 Thread Eran Hammer-Lahav
Where is this feedback? > -Original Message- > From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net] > Sent: Monday, August 29, 2011 1:16 AM > To: Eran Hammer-Lahav > Cc: Hannes Tschofenig; OAuth WG > Subject: Re: [OAUTH-WG] Security area review > > Hi Eran, > > I gave presentations

Re: [OAUTH-WG] Auth Code Swap Attack

2011-09-04 Thread Eran Hammer-Lahav
The corresponding 'state' parameter definition: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The

[OAUTH-WG] Request for open issues resolution

2011-09-04 Thread Eran Hammer-Lahav
#19 - no text proposed, consider current text sufficient. Close. #20 - reference to DOM variable removed. Close. #21 - resolved by new text, no comments received. Close. #24 - pending comments. Close if agreed to by Torsten. #25 - no comments received to proposed text which has been applied. Close.

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-21.txt

2011-09-04 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : The OAuth 2.0 Authorization Protocol Author(s) : Eran Hammer-Lahav

[OAUTH-WG] Draft -21 next steps

2011-09-04 Thread Eran Hammer-Lahav
I'd like to ask the chairs to declare a 2-week review period limited to changes made since -20, after which we will either declare -21 as the final WG draft or publish a quick -22 with all changes agreed prior on the list and no additional WG review period. Of course, the chairs can change all t