On Fri, Jun 10, 2011 at 10:36 AM, Nico Williams <n...@cryptonector.com> wrote:
> [Dropped a few lists.]
>
> On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones <pau...@packetizer.com> wrote:
>> What issues, specifically. (Messages are all over the place and I don’t
>> know exactly what issues you’re raising. Is it with the approach we’re
>> proposing or something else?)
>
> The fundamental issue is that protecting the cookie alone is not
> enough. On open wifi networks it's a fair assumption that the
> difficulty of active attacks is about the same as the difficulty of
> passive attacks. Therefore you need to provide integrity protection
> for most of the request and most of the response, including the
> bodies.

You can repeat that statement as many times as you want, but that
doesn't make it true.

Adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth