On Sun, Apr 26, 2009 at 7:48 AM, Eran Hammer-Lahav <[email protected]> wrote:
> 2. Given the simplicity of the Signed Callback URLs *specification change*, I
> would like to instead of asking people which solution they prefer, to ask
> people if they have a strong objection to using the Signed Callback URLs
> solution, and if so, to explain why?
>

This is not exactly an objection, but I would add suggestions (if not requirements to the spec) on ways to reduce the evens of the attacker succeeding with a brute force timing attack.

With the signed callback solution the only way an attacker could succeed is if it tried to brute-force the verifier (repetitively calling the consumer callback with a different verifier). The notes say that the verifier code "is short" but it could help the implementers to say something on how to choose its length, and what brute force countermeasures to use (e.g. limiting the callback usage before invalidating the whole transaction &c.).

P.S. the "Signed Callback" proposal makes it a lot easier to identify misbehavior and act accordingly.

Luca
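Added example, not part of the original message or of any OAuth specification text: a sketch of the two countermeasures the message asks about, relating verifier length to guessing probability and invalidating the whole transaction after a few failed callbacks. The alphabet, the limit of 3 attempts and all names (`new_verifier`, `guess_success_bound`, `PendingAuthorization`) are assumptions made for illustration.

```python
import hmac
import secrets

# Assumed values for illustration; the message names no numbers.
MAX_FAILED_ATTEMPTS = 3
VERIFIER_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, 5 bits each


def new_verifier(length=8):
    """Draw a verifier of the given length from a CSPRNG."""
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def guess_success_bound(length, attempts=MAX_FAILED_ATTEMPTS):
    """Upper bound on the chance of guessing the verifier within the attempt limit."""
    return min(1.0, attempts / len(VERIFIER_ALPHABET) ** length)


class PendingAuthorization:
    """State kept per transaction by whichever party validates the verifier."""

    def __init__(self, verifier):
        self._verifier = verifier
        self.failed = 0
        self.state = "pending"  # pending -> completed | invalidated

    def check(self, presented):
        """Validate one callback attempt; too many failures kill the transaction."""
        if self.state != "pending":
            return False  # a used or invalidated transaction never validates
        # Constant-time comparison so response timing does not leak a prefix match.
        if hmac.compare_digest(presented.encode(), self._verifier.encode()):
            self.state = "completed"
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.state = "invalidated"  # the user has to restart the whole flow
        return False


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"length {n}: guess bound {guess_success_bound(n):.2e}")
```

With the attempt limit in place the guessing bound depends only on verifier length and the limit, not on how fast the attacker can send callbacks.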
