Nico,

> On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones <pau...@packetizer.com> wrote:
> > What issues, specifically. (Messages are all over the place and I
> > don’t know exactly what issues you’re raising. Is it with the
> > approach we’re proposing or something else?)
>
> The fundamental issue is that protecting the cookie alone is not enough.
> On open wifi networks it's a fair assumption that the difficulty of
> active attacks is about the same as the difficulty of passive attacks.
> Therefore you need to provide integrity protection for most of the
> request and most of the response, including the bodies.
While I will not claim that our current draft is bulletproof, we did make an attempt to define a means of allowing the client and server to be able to detect if a request has been altered, including both message headers and message body.

Draft: http://tools.ietf.org/html//draft-salgueiro-secure-state-management-04

Paul

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
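To make Nico's point concrete, here is an added example (not code from the thread and not the mechanism of the draft Paul links) of request integrity protection that covers more than the cookie: an HMAC over a canonical form of the method, path, selected headers and a digest of the body. The shared key, header names and sample request are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed shared secret for this illustration only (assumed to have been
# established between client and server beforehand, e.g. at login over TLS).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

# Request headers covered by the MAC; Host binds the request to one origin.
# A deployed scheme would also cover a nonce or timestamp to resist replay.
SIGNED_HEADERS = ("host", "content-type")


def canonical_request(method: str, path: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Serialize what the MAC covers: method, path, selected headers, body digest."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper(), path]
    lines += [f"{name}:{lowered.get(name, '')}" for name in SIGNED_HEADERS]
    lines.append(hashlib.sha256(body).hexdigest())  # body is protected via its hash
    return "\n".join(lines).encode()


def sign_request(key: bytes, method: str, path: str, headers: Dict[str, str], body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded for a header."""
    return hmac.new(key, canonical_request(method, path, headers, body), hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, headers: Dict[str, str],
                   body: bytes, mac: str) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    expected = sign_request(key, method, path, headers, body)
    return hmac.compare_digest(expected, mac)


def demo() -> Tuple[bool, bool, bool]:
    """Sign one constructed request; an intact copy verifies, altered copies do not."""
    headers = {"Host": "api.example.test", "Content-Type": "application/json"}
    body = b'{"action": "transfer", "amount": 10}'
    mac = sign_request(SHARED_KEY, "POST", "/v1/pay", headers, body)

    intact = verify_request(SHARED_KEY, "POST", "/v1/pay", headers, body, mac)
    # Body rewritten in transit while the original MAC is left in place.
    altered_body = verify_request(SHARED_KEY, "POST", "/v1/pay", headers,
                                  b'{"action": "transfer", "amount": 10000}', mac)
    # Same request and MAC presented with a different Host header.
    altered_host = verify_request(SHARED_KEY, "POST", "/v1/pay",
                                  {**headers, "Host": "other.example.test"}, body, mac)
    return intact, altered_body, altered_host


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```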