Hi Timothée,

This document is the product of the SIPCore WG, not the OAuth WG. I suggest that you send this feedback to the SIPCore mailing list.

Regards,
Rifaat

On Tue, Oct 15, 2024 at 8:21 AM Timothée Jaussoin <[email protected]> wrote:
> Hi,
>
> I'm currently implementing RFC 8898 and I have a question regarding this specific paragraph (in https://www.rfc-editor.org/rfc/rfc8898#name-security-considerations):
>
> *The UAC MUST check the AS URL received in the 401/407 response against a list of trusted ASs configured on the UAC in order to prevent several classes of possible vulnerabilities when a client blindly attempts to use any provided AS.*
>
> Is it possible to have some precision on the kind of vulnerabilities that not checking the returned AS URL in the UAC could cause? This actually changes the purpose of this RFC, as it no longer allows discovering new ASs but rather guides the UAC to a specific AS based on its own list.
>
> Regards,
>
> Timothée Jaussoin
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
