>> On 15.10.21 at 11:04, Pieter Kasselman wrote:
>>
>> SHOULD is more likely to cause the right conversations to take place for
>> implementors as they weigh the risks. Reducing it to MAY risks diluting it
>> too much.
>>
>>
>>
>> *From:* OAuth *On
se the right conversations to take place for
> implementors as they weigh the risks. Reducing it to MAY risks diluting it
> too much.
>
>
>
> *From:* OAuth *On
> Behalf Of *Warren Parad
> *Sent:* Friday 15 October 2021 09:25
> *To:* Pieter Kasselman
>
> *Cc:* IETF oau
lementors as they weigh the risks. Reducing it to MAY risks
> diluting it too much.
>
>
>
> *From:* OAuth *On Behalf Of *Warren Parad
> *Sent:* Friday 15 October 2021 09:25
> *To:* Pieter Kasselman
> *Cc:* IETF oauth WG
> *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: Authorization co
o:oauth-boun...@ietf.org>> On Behalf
Of Ash Narayanan
Sent: Friday 15 October 2021 01:51
To: Aaron Parecki mailto:aa...@parecki.com>>
Cc: IETF oauth WG mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
Behalf Of *Ash Narayanan
> *Sent:* Friday 15 October 2021 01:51
> *To:* Aaron Parecki
> *Cc:* IETF oauth WG
> *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and
> OAuth 2.1
>
>
>
n Parecki mailto:aa...@parecki.com>>
Cc: IETF oauth WG mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
Ok, if the goal is to avoid unnecessary requirements I am suggesting to point
out why MUST was changed to SHOULD. Otherwi
erspective is a good practice, so why
>> not give implementors options (and guidance) to add additional layers of
>> defence to match their risk profiles?
>>
>>
>>
>>
>>
>> *From:* OAuth *On Behalf Of *Sascha Preibisch
>> *Sent:* Wednesday
tober 2021 22:06
> *To:* Aaron Parecki
> *Cc:* IETF oauth WG
> *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and
> OAuth 2.1
>
>
>
> Ok, if the goal is to avoid unnecessary requirements I am suggesting to
> point out why MUST was changed to SHOULD.
Sent: Wednesday 13 October 2021 22:06
To: Aaron Parecki
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
Ok, if the goal is to avoid unnecessary requirements I am suggesting to point
out why MUST was changed to SHOULD. Otherwise developers will start
gt;>>
>>>>>> Aaron, I was curious what prevents an attacker from presenting an
>>>>>> Authorization Code and a PKCE Code Verifier for a second time if the one
>>>>>> time use requirement is removed. Is there another countermeasure in PKCE
>
at prevents an attacker from presenting an
>>>>> Authorization Code and a PKCE Code Verifier for a second time if the one
>>>>> time use requirement is removed. Is there another countermeasure in PKCE
>>>>> that would prevent it? For example, an attacker
>>>>> Aaron, I was curious what prevents an attacker from presenting an
>>>>> Authorization Code and a PKCE Code Verifier for a second time if the one
>>>>> time use requirement is removed. Is there another countermeasure in PKC
rization Code and the Code Verifier from a log and replay it.
>>>>
>>>>
>>>>
>>>> Cheers
>>>>
>>>>
>>>>
>>>> Pieter
>>>>
>>>>
>>>>
>>>> *From:* OAuth *On Behalf Of
>> Authorization Code and the Code Verifier from a log and replay it.
>>>
>>>
>>>
>>> Cheers
>>>
>>>
>>>
>>> Pieter
>>>
>>>
>>>
>>> *From:* OAuth *On Behalf Of *Aaron Parecki
xample, an attacker may obtain the
>> Authorization Code and the Code Verifier from a log and replay it.
>>
>>
>>
>> Cheers
>>
>>
>>
>> Pieter
>>
>>
>>
>> *From:* OAuth *On Behalf Of *Aaron Parecki
>> *Sent:* Wednesday 13 October
>
>
> *From:* OAuth *On Behalf Of *Aaron Parecki
> *Sent:* Wednesday 13 October 2021 18:40
> *To:* Warren Parad
> *Cc:* Mike Jones ;
> oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and OAuth
> 2.1
>
>
>
> Warren, I didn't see you
and the Code Verifier
from a log and replay it.
Cheers
Pieter
From: OAuth On Behalf Of Aaron Parecki
Sent: Wednesday 13 October 2021 18:40
To: Warren Parad
Cc: Mike Jones ; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
Warren, I didn't see you