On 2010-03-08, at 1:09 PM, John Kemp wrote:

> On Mar 8, 2010, at 3:35 PM, Dick Hardt wrote:
>
>> 2) Client signed tokens are no more secure in MITM attacks than bearer
>> tokens for on-the-fly attacks. If the attacker can disrupt the channel, the
>> attacker can take the signed token and use it to make a valid call just as
>> if it was a bearer token. Imagine the attacker disrupting every other
>> request, and using the valid token to make an API call.
>
> I think that what you mean here is that the MITM steals (at least the signed
> portion of) the request as well as the token.

yes

> If the MITM has to sign a request it created itself, even with a stolen
> token, it will (or should) not have access to the secret key assigned to a
> properly-provisioned client, and thus cannot authenticate correctly to the
> recipient.

correct

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
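The two cases the thread distinguishes, as an added example that is not part of the original messages or of any OAuth implementation: an attacker who captures a whole HMAC-signed request can deliver it (on the fly, with the client's own copy suppressed) or resubmit it later, but cannot produce a differently-parameterised request because the client secret never left the client. The canonical string, the HMAC-SHA256 signature scheme, the `ResourceServer` class, the nonce cache and the sample request are all constructed for illustration; the nonce cache goes slightly beyond the thread to show that it blocks only the later replay, not the on-the-fly delivery Dick describes.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed example: a secret provisioned to the client out of band.
# The MITM in the thread's scenario never learns this value.
CLIENT_SECRET = b"client-secret-provisioned-out-of-band"


def signing_base(method, url, params, token, nonce):
    """Canonical string covering method, URL, sorted params, token and nonce."""
    return "\n".join(
        [method.upper(), url, urlencode(sorted(params.items())), token, nonce]
    )


def sign_request(secret, method, url, params, token, nonce):
    """HMAC-SHA256 over the canonical string (hypothetical signing scheme)."""
    base = signing_base(method, url, params, token, nonce).encode()
    return hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_signature(secret, method, url, params, token, nonce, signature):
    expected = sign_request(secret, method, url, params, token, nonce)
    return hmac.compare_digest(expected, signature)


def build_request(secret, method, url, params, token, nonce):
    """What a properly-provisioned client sends: request fields plus signature."""
    return {
        "method": method,
        "url": url,
        "params": dict(params),
        "token": token,
        "nonce": nonce,
        "signature": sign_request(secret, method, url, params, token, nonce),
    }


class ResourceServer:
    """Checks the signature; optionally remembers nonces to refuse reuse."""

    def __init__(self, secret, reject_replays=False):
        self.secret = secret
        self.reject_replays = reject_replays
        self.seen_nonces = set()

    def handle(self, req):
        if not verify_signature(
            self.secret, req["method"], req["url"], req["params"],
            req["token"], req["nonce"], req["signature"],
        ):
            return "rejected: bad signature"
        if self.reject_replays:
            if req["nonce"] in self.seen_nonces:
                return "rejected: replayed nonce"
            self.seen_nonces.add(req["nonce"])
        return "accepted"


def mitm_scenario(reject_replays=False):
    """Run the three cases from the thread against one server instance."""
    server = ResourceServer(CLIENT_SECRET, reject_replays)
    # Client signs a request; the MITM captures the whole thing on the wire.
    captured = build_request(
        CLIENT_SECRET, "GET", "https://api.example/photos",
        {"id": "42"}, "tok-abc", "nonce-0001",
    )
    results = {}
    # 1. On-the-fly: the MITM drops the client's delivery and submits the
    #    captured request itself. It is the first copy the server sees.
    results["on_the_fly"] = server.handle(captured)
    # 2. Later replay: the MITM resubmits the same captured request.
    results["later_replay"] = server.handle(dict(captured))
    # 3. Forgery: stolen token, new parameters, no secret to sign with.
    forged = dict(captured, params={"id": "43"})
    results["forged"] = server.handle(forged)
    return results


if __name__ == "__main__":
    print("no nonce tracking:", mitm_scenario())
    print("with nonce tracking:", mitm_scenario(reject_replays=True))
```

Case 1 is accepted in both configurations, which is the thread's point that a captured signed request is as good as a bearer token for that one call; case 3 fails in both, which is John's point that the MITM cannot authenticate a request of its own. Only case 2 changes when the server tracks nonces.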
