On 12/30/2011 10:14 PM, Amos Jeffries wrote:
....
Reading section 2.3, it appears this method of transferring the
credentials is open to replay attacks when caching TLS middleware is
present. I believe this spec should mandate cache controls on
responses using that method. Otherwise a lot of HTTP compliant
middleware will feel free to store and supply the protected response
to later replay attacks.
Amos,
I believe that the draft addresses the replay matters by specifying the
validity time field. Do you see a problem with that?
(I did not understand what "HTTP-compliant middleware" meant, but if it
is something at the proxies, I think this is further addressed by making
TLS a must--which will make the token simply invisible.)
With best wishes for the New Year to you and all OAuthers,
Igor
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth