Hi Nat, Hi John,

I have been trying to do a detailed review of the OAuth SPOP document http://datatracker.ietf.org/doc/draft-ietf-oauth-spop/ and I ran into a few questions regarding the capabilities of the attacker.

Is it correct that you assume that the attacker is only able to intercept the Authorization Response message but not the Authorization Request message? The security consideration section of the document is a bit fuzzy about this issue and says: "the client MUST make sure that the request channel is adequately protected". It is, however, not clear what request channel you are talking about and what you mean by adequately protected.

Ciao
Hannes
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
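The attacker model Hannes is asking about can be made concrete by running the SPOP (PKCE) exchange end to end. The following is an added example, not code from the draft or from the thread: a toy authorization server (hypothetical class `AuthorizationServer`, helper names `make_code_verifier`, `make_code_challenge` and `run_flow` are assumptions of this example) binds each issued code to the `code_challenge` it received in the Authorization Request and checks the `code_verifier` at the token endpoint. The `run_flow(True)` branch plays the party in the draft's threat model who only observed the Authorization Response, i.e. holds the code but not the verifier, and shows that the token exchange is refused.

```python
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as the draft specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random octets encode to 43 unreserved characters, the draft's minimum length."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Derive code_challenge from code_verifier using code_challenge_method."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Toy authorization server (hypothetical, for illustration only)."""

    def __init__(self) -> None:
        # issued code -> (code_challenge, code_challenge_method) from the Authorization Request
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, request: dict) -> dict:
        # Authorization Request: the challenge arrives here and the code is bound to it.
        method = request.get("code_challenge_method", "plain")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (request["code_challenge"], method)
        # Authorization Response: this is the message the draft assumes can be observed.
        return {"code": code}

    def token(self, request: dict) -> dict:
        # Access Token Request: the code is single-use and must come with the verifier.
        entry = self._codes.pop(request.get("code", ""), None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        verifier = request.get("code_verifier")
        if not verifier:
            return {"error": "invalid_request"}
        if not hmac.compare_digest(make_code_challenge(verifier, method), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


def run_flow(response_intercepted: bool, method: str = "S256") -> dict:
    """Run one SPOP flow; with response_intercepted the code is redeemed without the verifier."""
    az = AuthorizationServer()
    verifier = make_code_verifier()
    response = az.authorize({
        "code_challenge": make_code_challenge(verifier, method),
        "code_challenge_method": method,
    })
    if response_intercepted:
        # A party that only saw the Authorization Response has the code but not the
        # verifier, and cannot recover it from an S256 challenge, so it can only guess.
        return az.token({"code": response["code"], "code_verifier": make_code_verifier()})
    return az.token({"code": response["code"], "code_verifier": verifier})
```

Running `run_flow(False)` returns an access token, while `run_flow(True)` returns `invalid_grant`. The example also makes the request-channel remark visible: with the `plain` method the challenge in the Authorization Request is the verifier itself, so the protection the draft demands for that channel is what keeps the binding meaningful, whereas S256 only exposes a hash of the verifier in the request.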
