[Dropped a few lists.]

On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones <pau...@packetizer.com> wrote:
> What issues, specifically. (Messages are all over the place and I don’t
> know exactly what issues you’re raising. Is it with the approach we’re
> proposing or something else?)

The fundamental issue is that protecting the cookie alone is not enough. On open wifi networks it's a fair assumption that the difficulty of active attacks is about the same as the difficulty of passive attacks. Therefore you need to provide integrity protection for most of the request and most of the response, including the bodies.

Nico
--
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
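
Added example, not part of the original message or of any proposal in this thread: a Python sketch comparing an integrity tag over the cookie alone with one over the start line, headers and body, checked against a message whose body was changed in transit. The key, cookie, host, endpoint and function names are constructed assumptions, and HMAC-SHA256 over a simple canonical form stands in for whatever scheme is actually under discussion.

```python
import hashlib
import hmac

# Constructed values; the key is assumed to be shared out of band and never sent.
KEY = b"constructed-session-key"
COOKIE = "session=abc123"


def cookie_mac(key: bytes, cookie: str) -> str:
    """Integrity tag that covers only the cookie value."""
    return hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()


def message_mac(key: bytes, start_line: str, headers: dict, body: bytes) -> str:
    """Integrity tag over the start line, the headers and a hash of the body.

    start_line is the request line for a request or the status line for a
    response, so the same function covers both directions.
    """
    lines = [start_line]
    lines += [f"{k.lower()}:{headers[k].strip()}" for k in sorted(headers, key=str.lower)]
    lines.append(hashlib.sha256(body).hexdigest())
    return hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def check_after_tampering() -> dict:
    """Sender tags a request, the body changes in transit, receiver verifies."""
    start = "POST /transfer HTTP/1.1"
    headers = {"Host": "bank.example", "Cookie": COOKIE}
    sent_body = b"to=alice&amount=10"
    received_body = b"to=mallory&amount=10"  # constructed in-transit modification

    tag_cookie = cookie_mac(KEY, COOKIE)
    tag_message = message_mac(KEY, start, headers, sent_body)

    def accepts(tag: str, recomputed: str) -> bool:
        return hmac.compare_digest(tag, recomputed)

    return {
        # The cookie is untouched, so a cookie-only tag still verifies.
        "cookie_only_accepts_modified": accepts(tag_cookie, cookie_mac(KEY, COOKIE)),
        "full_mac_accepts_modified": accepts(
            tag_message, message_mac(KEY, start, headers, received_body)),
        "full_mac_accepts_original": accepts(
            tag_message, message_mac(KEY, start, headers, sent_body)),
    }


if __name__ == "__main__":
    print(check_after_tampering())
```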