If it has a "clear" security impact then I don't think it should be discarded as implementation detail. People on the list seemed to agree this was a must have so, if not in security consideration, it's probably important enough to make it to a Security Best Practices section or something akin to that.
Hubert

On Tue, May 12, 2009 at 4:26 PM, Eran Hammer-Lahav <[email protected]> wrote:
>
> That is an implementation detail. I am not sure how helpful it would be to
> have a security consideration section about limiting the number of allowed
> token exchange requests for a single request token.
>
> EHL
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Hubert Le Van Gong
>> Sent: Tuesday, May 12, 2009 3:26 AM
>> To: [email protected]
>> Subject: [oauth] Re: Request for new Security Considerations text
>>
>>
>> If I remember correctly, we also talked of recommending or mandating
>> one-time request tokens.
>>
>> Hubert
>>
>>
>> On Wed, May 6, 2009 at 10:43 PM, Eran Hammer-Lahav
>> <[email protected]> wrote:
>> >
>> > We have identified a few new attack vectors since the spec was
>> originally written and would like to address them in the Security
>> Consideration section. Please reply with proposals for such texts.
>> Ideally we can reach some consensus on these by Fri, but if not, we can
>> add it a bit later since it doesn't affect the protocol directly.
>> >
>> > EHL
>> >
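Added example, not code from this thread or from the OAuth specification: a server-side request-token store that implements the two mitigations discussed above, one-time request tokens and a cap on the number of exchange requests accepted for a single request token. The class name, the cap and lifetime values, and the `verifier` string standing in for whatever credential the server checks on the exchange are all assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
MAX_EXCHANGE_ATTEMPTS = 3     # assumed cap; the thread names no number
TOKEN_LIFETIME_SECONDS = 600  # assumed lifetime for an unexchanged request token

@dataclass
class RequestToken:
    secret: str
    verifier: str
    issued_at: float
    attempts: int = 0       # exchange requests seen for this token
    consumed: bool = False  # set once exchanged; kept so replays are recognisable

class RequestTokenStore:
    """Server-side store: one-time request tokens plus an exchange-attempt cap."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._tokens: Dict[str, RequestToken] = {}
        self._now = now  # injectable clock so expiry can be tested

    def issue(self) -> Tuple[str, str, str]:
        """Issue a request token; returns (token, token_secret, verifier)."""
        token = secrets.token_urlsafe(16)
        rec = RequestToken(secret=secrets.token_urlsafe(24),
                           verifier=secrets.token_urlsafe(12),
                           issued_at=self._now())
        self._tokens[token] = rec
        return token, rec.secret, rec.verifier

    def exchange(self, token: str, verifier: str) -> Tuple[Optional[str], str]:
        """Return (access_token, "ok") or (None, reason); every call counts as
        an attempt and the token is dropped once MAX_EXCHANGE_ATTEMPTS is hit."""
        rec = self._tokens.get(token)
        if rec is None:
            return None, "unknown"
        if rec.consumed:
            return None, "replayed"  # one-time token presented again
        if self._now() - rec.issued_at > TOKEN_LIFETIME_SECONDS:
            del self._tokens[token]
            return None, "expired"
        rec.attempts += 1
        if not secrets.compare_digest(rec.verifier, verifier):
            if rec.attempts >= MAX_EXCHANGE_ATTEMPTS:
                del self._tokens[token]  # cap reached: token is gone for good
                return None, "exhausted"
            return None, "bad_verifier"
        rec.consumed = True  # one-time: never exchangeable again
        return secrets.token_urlsafe(16), "ok"
```

The rejection reason is returned rather than just a boolean so the server can log "replayed" and "exhausted" separately, which is the signal a defender wants when watching for token-guessing or fixation attempts.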
