Hi Daniel,

May I ask again why separate redirect URIs would not work for mix-up? (I know, it does not work for cut-n-paste.)

Thanks,
Nat

Thu, 5 May 2016 23:28 Daniel Fett <[email protected]>:

> On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
> > I'm very much interested in finding a solution within the OAuth realm, as
> > I'm not interested in either implementing two solutions (for OpenID Connect
> > and OAuth) or adopting an OpenID-specific solution to OAuth (using ID
> > tokens in the front channel). I therefore would like to see progress and
> > propose to continue the discussion regarding mitigations for both
> > threats.
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> > proposes reasonable mitigations for both attacks. There are alternatives
> > as well:
> > - mix up:
> > -- AS specific redirect URIs
> > -- Meta data/turi
> > (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> > - CnP:
> > -- use of the nonce parameter (as a distinct mitigation beside state to
> > counter XSRF)
>
> From our formal analysis of OAuth we are pretty confident that the
> mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
> sufficient against the Mix-Up attack.
>
> Cheers,
> Daniel
>
> --
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
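To make the mitigations listed in the quoted message concrete, here is an added client-side check (example code, not from the thread or from any of the drafts): it binds each `state` to the AS the transaction was started at, rejects an authorization response that arrives on another AS's registered redirect URI, compares an `iss` response parameter where the AS sends one (assumed here to be the mitigation draft's approach), and keeps a `nonce` for the cut-and-paste check on the resulting ID token. The AS names, URLs and session store are constructed for the example.

```python
import secrets

# Constructed sample configuration: the client talks to two authorization
# servers and has registered a distinct redirect URI with each one ("AS
# specific redirect URIs"). The issuer value is what the AS is assumed to
# echo back as an `iss` response parameter (assumption taken from the
# mix-up mitigation draft; not every AS sends it).
AUTH_SERVERS = {
    "honest": {"issuer": "https://as.honest.example",
               "redirect_uri": "https://client.example/cb/honest"},
    "other": {"issuer": "https://as.other.example",
              "redirect_uri": "https://client.example/cb/other"},
}

# Pending transactions: state -> {"as": name, "nonce": value}.
SESSIONS = {}


def start_authorization(as_name):
    """Bind a fresh state and nonce to the AS the user agent is sent to."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[state] = {"as": as_name, "nonce": nonce}
    return state, nonce


def validate_callback(received_at, params):
    """Check an authorization response before the code is redeemed.

    received_at: the redirect URI the response actually arrived on.
    params: the response parameters (state, code, optionally iss).
    Returns the pending session (its "as" key says where the code may be
    exchanged) or raises ValueError.
    """
    session = SESSIONS.pop(params.get("state", ""), None)
    if session is None:
        raise ValueError("unknown or reused state (CSRF / replay)")
    expected = AUTH_SERVERS[session["as"]]
    # Mix-up check 1: the response must arrive on the redirect URI that was
    # registered with the AS this transaction was started at.
    if received_at != expected["redirect_uri"]:
        raise ValueError("response arrived on another AS's redirect URI")
    # Mix-up check 2: if the AS announces its issuer, it must be the one
    # the transaction was started at (a second, independent binding).
    if "iss" in params and params["iss"] != expected["issuer"]:
        raise ValueError("issuer mismatch: code would go to the wrong AS")
    return session


def check_nonce(session, id_token_claims):
    """Cut-and-paste check: the nonce in the ID token obtained with the
    code must equal the nonce bound to this client's own transaction."""
    return id_token_claims.get("nonce") == session["nonce"]
```

The code exchange itself must then be sent to the token endpoint of `session["as"]`, never to an endpoint named by the response.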