It is apparently essential for the security of the protocol that the client state is not guessable by an attacker, as described at:

http://www.ietf.org/mail-archive/web/oauth/current/msg05733.html

(That link might fail if the mail archive is reindexed. It's a 23 Mar 2011 email with subject "Protocol breaks if states are guessable".)

Does that belong in the security considerations? It seems to me it belongs somewhere, unless someone can provide a reasonable argument that it's not true.

Tim Freeman
Email: tim.free...@hp.com
Desk in Palo Alto: (650) 857-2581
Home: (408) 774-1298
Cell: (408) 348-7536

-----Original Message-----
From: Barry Leiba [mailto:barryleiba.mailing.li...@gmail.com]
Sent: Monday, March 28, 2011 1:19 AM
To: Peter Saint-Andre
Cc: Freeman, Tim; OAuth WG
Subject: Re: [OAUTH-WG] What's up with the secuity considerations? (was RE: Preview of -14)

I have also just submitted this draft:
http://tools.ietf.org/html/draft-leiba-oauth-additionalsecurityconsiderations

Hannes has asked me to talk about it for a few minutes in the OAuth meeting on Friday, and I plan to.

Barry

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
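The unguessable-state requirement discussed above, as an added Python example that is not from the thread or from any OAuth draft: the client draws the state from the OS CSPRNG, binds it to the user's own session, and on the redirect back accepts the authorization code only if the returned state matches, and only once. The in-memory session store, endpoint URLs and client id are constructed placeholders.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the server-side session store: session_id -> pending state.
# The binding to the user's session is what lets the client tell its own redirect
# from one an attacker initiated; a guessable state would let an attacker forge it.
_pending_states: Dict[str, str] = {}


def begin_authorization(session_id: str, authz_endpoint: str,
                        client_id: str, redirect_uri: str) -> str:
    """Create an unguessable state, bind it to this session, and build the authorization URL."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or timestamp
    _pending_states[session_id] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authz_endpoint}?{query}"


def handle_callback(session_id: str, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the state echoed back matches this session's state."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Pop unconditionally: the pending state is single use, whether or not the check passes.
    expected = _pending_states.pop(session_id, None)
    if expected is None or not hmac.compare_digest(expected, returned_state):
        return None  # unsolicited or mismatched callback: do not exchange the code
    return params.get("code", [None])[0]
```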