Hi Daniel,

Yes indeed. For another attack, please see my email sent to the list on 01/05/2020 at 10:47 (Paris time). The subject was: DPoP draft-ietf-oauth-dpop-0 Client collaborative attacks.

When the JWT does not contain a sufficient number of attributes to allow the user to be identified, the collaborative user can transmit it to anybody else, without the risk of being detected by the RS. E.g. it only contains the age of the user and membership in a large group of people.

When the JWT contains attributes that uniquely identify the collaborative user, then the other client will be in a position to impersonate the collaborative user. Some users may not accept being impersonated by anybody and thus will only be collaborative with some trusted friends.

This collaborative attack would be much simpler to accomplish than the four types of attacks that have been described. As soon as a software solution were available to perform this collaborative attack, everybody would be able to use it.

Denis
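What the RS actually checks in the exchange Denis describes, as an added example that is not code from this thread, from the DPoP draft or from Daniel's notes: a DPoP proof built and verified with Go's standard library only. The RS URI, the token claims and the three presenters are constructed for illustration. It shows why the collaborative case is invisible to the RS: acceptance depends solely on possession of the private key whose RFC 7638 thumbprint sits in the token's cnf.jkt claim, so a friend handed both the token and the key produces proofs the RS accepts exactly as it accepts the holder's, while a token captured without the key is rejected. Nothing in the coarse claims ("age_over", "group") tells the RS who is calling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS segments are base64url without padding; P-256 coordinates are 32 bytes.
func b64(b []byte) string     { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte     { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func coord(n *big.Int) string { return b64(n.FillBytes(make([]byte, 32))) }

// jwk gives the public JWK members; encoding/json sorts them and emits no whitespace, the canonical form RFC 7638 hashes.
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": coord(pub.X), "y": coord(pub.Y)}
}

// thumbprint is the value DPoP places in the access token's cnf.jkt claim.
func thumbprint(pub *ecdsa.PublicKey) string {
	canon, _ := json.Marshal(jwk(pub))
	sum := sha256.Sum256(canon)
	return b64(sum[:])
}

// makeProof builds the DPoP proof JWT for one request: public key in the header, htm/htu binding, fresh jti, iat, ES256.
func makeProof(priv *ecdsa.PrivateKey, method, uri string) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk(&priv.PublicKey)})
	jti := make([]byte, 16)
	rand.Read(jti)
	body, _ := json.Marshal(map[string]interface{}{"jti": b64(jti), "htm": method, "htu": uri, "iat": time.Now().Unix()})
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	// ES256 signatures are raw r||s (32 bytes each), not DER.
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// accessToken is the RS's view of a DPoP-bound token (constructed stand-in; a real one is an AS-signed JWT validated first).
type accessToken struct{ Claims map[string]string; JKT string }

// verifyAtRS does the RS-side checks: well-formed ES256 proof, embedded key matches cnf.jkt,
// htm/htu match this request, valid signature. A real RS also rejects replayed jti and stale iat (omitted).
func verifyAtRS(tok accessToken, proof, method, uri string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	var hdr struct{ Typ, Alg string; Jwk struct{ Kty, Crv, X, Y string } }
	var clm struct{ Htm, Htu string; Iat int64 }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &clm) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("malformed or unexpected proof header")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.Jwk.X)), Y: new(big.Int).SetBytes(dec(hdr.Jwk.Y))}
	if thumbprint(pub) != tok.JKT {
		return errors.New("proof key does not match token cnf.jkt")
	}
	if clm.Htm != method || clm.Htu != uri {
		return errors.New("proof bound to a different request")
	}
	sig, h := dec(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad proof signature")
	}
	return nil
}

// sendAndVerify is one request: the presenter signs with the key it holds, the RS checks against the token presented.
func sendAndVerify(key *ecdsa.PrivateKey, tok accessToken, method, uri string) error {
	proof, err := makeProof(key, method, uri)
	if err != nil {
		return err
	}
	return verifyAtRS(tok, proof, method, uri)
}

// Scenario presents one DPoP-bound token three ways and returns each RS verdict: the legitimate holder;
// a colluding friend given the token plus the private key; a thief who captured only the token.
func Scenario() (owner, colluder, thief error) {
	method, uri := "GET", "https://rs.example/profile" // hypothetical RS
	holderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed token with coarse claims only: nothing in it says who is calling.
	tok := accessToken{Claims: map[string]string{"age_over": "18", "group": "members"}, JKT: thumbprint(&holderKey.PublicKey)}
	owner = sendAndVerify(holderKey, tok, method, uri)
	colluder = sendAndVerify(holderKey, tok, method, uri) // same key material, its own fresh proof
	thiefKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	thief = sendAndVerify(thiefKey, tok, method, uri) // token without the key
	return
}

func main() {
	o, c, t := Scenario()
	fmt.Println("holder:", o, "| colluder:", c, "| thief:", t)
}
```

The colluder's proof carries a fresh jti and its own iat, so even an RS that tracks replayed jti values (as the draft requires) sees nothing unusual; the only way it could distinguish the two presenters would be from attributes in the token itself, which is exactly the distinction Denis draws between identifying and non-identifying claims.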
Hi all,

As mentioned in the WG interim meeting, there are several ideas floating around of what DPoP actually does.

In an attempt to clarify this, I have unfolded the use cases that I see and written them down in the form of attacks that DPoP defends against:

https://danielfett.github.io/notes/oauth/DPoP%20Attacker%20Model.html

Can you come up with other attacks? Are the attacks shown relevant?

Cheers,
Daniel
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth