On Tue, Apr 28, 2009 at 9:32 AM, Dossy Shiobara <[email protected]> wrote:
>
> On 4/28/09 8:41 AM, Hubert Le Van Gong wrote:
>> I also saw 2 additional ideas that might help
>> (and are not necessarily exclusive with the 2 proposals):
>>
>> (3) Make Request tokens one-time only
>> (4) Request that the user logs in at the Consumer before the request
>> token request
>
> Requiring the user authenticate to the Consumer doesn't prevent the
> attack, as the attacker is a legitimate user of Consumer in the attack
> scenario.
>
> What I keep proposing is that the user must authenticate at the
> _Provider_ before the request token request. This would completely
> eliminate the attack in the scenario.
>

Hi Dossy-

But the consumer will still need to communicate back to the SP that it has some unique knowledge that it could only have been offered at the SP authentication point. Most proposals do this with the "verification token" -- my reasoning leads me to believe that needs to be passed "out-of-band." I'm not sure that moving the authentication before request token necessarily guarantees that.

--peter

> And yes, making request tokens one-time only is a MUST, IMHO.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
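A Provider-side sketch, added here and not part of the thread or of any OAuth specification, of the two mitigations the thread converges on: request tokens that are one-time and bound to the user who authorized them at the Provider, plus a per-authorization verifier that the Consumer must present when exchanging the request token. The class and method names (`Provider`, `authorize`, `exchange`) are illustrative assumptions.

```python
"""Toy Service Provider token store (illustration, not spec code):
one-time request tokens plus a verifier minted only after the user
authenticates at the Provider and approves that specific token."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class RequestToken:
    consumer: str
    authorized_by: Optional[str] = None  # user who approved it at the Provider
    verifier: Optional[str] = None       # minted at approval, returned to that user's session
    used: bool = False                   # one-time: consumed on access-token exchange

class Provider:
    def __init__(self) -> None:
        self._tokens: dict[str, RequestToken] = {}
        self._access: dict[str, tuple[str, str]] = {}

    def issue_request_token(self, consumer: str) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = RequestToken(consumer)
        return tok

    def authorize(self, token: str, user: str) -> str:
        """Called only after `user` has logged in at the Provider. A token may be
        approved once; a second user cannot re-approve or hijack it."""
        rt = self._tokens.get(token)
        if rt is None or rt.used or rt.authorized_by is not None:
            raise PermissionError("unknown, spent, or already-authorized request token")
        rt.authorized_by = user
        rt.verifier = secrets.token_urlsafe(8)
        return rt.verifier  # delivered to the approving user's browser, not to whoever holds the token

    def exchange(self, token: str, verifier: str, consumer: str) -> str:
        """Trade an authorized request token plus its verifier for an access token."""
        rt = self._tokens.get(token)
        if rt is None or rt.used or rt.authorized_by is None:
            raise PermissionError("request token not authorized or already spent")
        if rt.consumer != consumer or not secrets.compare_digest(rt.verifier, verifier):
            raise PermissionError("verifier mismatch")
        rt.used = True  # one-time: a replay with the same token fails even with the right verifier
        access = secrets.token_urlsafe(16)
        self._access[access] = (consumer, rt.authorized_by)
        return access

    def owner_of(self, access_token: str) -> tuple[str, str]:
        return self._access[access_token]

def rejected(fn: Callable, *args) -> bool:
    """True if the Provider refused the operation (used for the negative checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```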
