We're trying to design around transport security with short expiration and single use tokens. SSL solves the problem
> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Wednesday, July 14, 2010 1:35 PM
> To: William Mills
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] single use authorization codes
>
> On Wed, Jul 14, 2010 at 11:58 AM, William Mills <wmi...@yahoo-inc.com> wrote:
> > If I can see things go by on the fly I can submit the token late and
> > mess with the user by revoking their session.
>
> Meh.
>
> If the best the attacker can do in those circumstances is DOS, we're in good shape.
>
> Bear in mind that if we do nothing, the attacker can probably get the user's data.