We don't plan to support s256
Basically, I don't see a need to. Plain already mitigates the threat, spop/tcse
had been designed to mitigate - an app intercepting the code response of a
public client.
Am 18. Februar 2015 18:33:17 MEZ, schrieb Hannes Tschofenig
<hannes.tschofe...@gmx.net>:
>Thanks Brian for pointing me to Section 4.4.1 and to the MTI for
>"S256".
>While this is good from a security point of view I am wondering whether
>anyone is actually compliant to the specification. Neither PingIdentity
>nor DT implements the S256 transform, if I understood that correctly.
>Are you guys going planning to update your implementations?
>
>Ciao
>Hannes
>
>On 02/18/2015 05:45 PM, Brian Campbell wrote:
>> There's a bit of MTI talk tucked into
>> https://tools.ietf.org/html/draft-ietf-oauth-spop-10#section-4.4.1
>that
>> perhaps needs to be expanded and/or placed somewhere else.
>>
>> On Wed, Feb 18, 2015 at 8:33 AM, Hannes Tschofenig
>> <hannes.tschofe...@gmx.net <mailto:hannes.tschofe...@gmx.net>> wrote:
>>
>> Thanks for the info, Torsten.
>>
>> Your feedback raises an interesting question, namely what
>functionality
>> the parties have to implement to claim conformance to the
>specification.
>>
>> Quickly scanning through the specification didn't tell me whether
>it is
>> OK to just implement the plain mode or whether both modes are
>> mandatory-to-implement. We have to say something about this.
>>
>> Ciao
>> Hannes
>>
>>
>> On 02/18/2015 02:16 PM, tors...@lodderstedt.net
>> <mailto:tors...@lodderstedt.net> wrote:
>> > Hi Hannes,
>> >
>> > our implementation supports the "plain" mode only. We just
>verified
>> > compliance of our implementation with the current spec. As the
>only
>> > deviation, we do not enforce the minimum length of 43
>characters
>> of the
>> > code verifier.
>> >
>> > kind regards,
>> > Torsten.
>> >
>> > Am 17.02.2015 17:48, schrieb Hannes Tschofenig:
>> >> Hi Torsten,
>> >>
>> >> does this mean that your implementation is not compliant with
>the
>> >> current version anymore or that you haven't had time to verify
>> whether
>> >> there are differences to the earlier version?
>> >>
>> >> Ciao
>> >> Hannes
>> >>
>> >>
>> >> On 01/31/2015 05:34 PM, Torsten Lodderstedt wrote:
>> >>> Deutsche Telekom also implemented an early version of the
>draft last
>> >>> year.
>> >>>
>> >>>
>> >>>
>> >>> Am 30.01.2015 um 18:50 schrieb Brian Campbell
>> >>> <bcampb...@pingidentity.com
><mailto:bcampb...@pingidentity.com>
>> <mailto:bcampb...@pingidentity.com
>> <mailto:bcampb...@pingidentity.com>>>:
>> >>>
>> >>>>
>> >>>> On Tue, Jan 27, 2015 at 9:24 AM, Hannes Tschofenig
>> >>>> <hannes.tschofe...@gmx.net
><mailto:hannes.tschofe...@gmx.net>
>> <mailto:hannes.tschofe...@gmx.net
>> <mailto:hannes.tschofe...@gmx.net>>> wrote:
>> >>>>
>> >>>>
>> >>>> 1) What implementations of the spec are you aware of?
>> >>>>
>> >>>>
>> >>>> We have an AS side implementation of an earlier draft that
>was
>> >>>> released in June of last year:
>> >>>>
>>
>http://documentation.pingidentity.com/pages/viewpage.action?pageId=26706844
>> >>>>
>> >>>> _______________________________________________
>> >>>> OAuth mailing list
>> >>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
><mailto:OAuth@ietf.org
>> <mailto:OAuth@ietf.org>>
>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
--
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
