I'm a -1 on both of these until I re-read the attack description and really 
parse this again.  Perhaps I'm being confused by the usage of "client" here.  
My initial reaction is that any time we are relying on the client to protect 
itself from CSRF it is a mistake.

I do think that CSRF protection is REQUIRED, the remaining question is whether 
it's reasonable to force folks to use the state parameter.  My gut says it's 
not unreasonable to force this simple model.


I also don't particularly like either CSRF description used.  As I've said 
before I think there are better discussions of it out there.

More later when I have more time to think on this.

-bill
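Added example, not part of this thread or of any WG draft text: a Python sketch of the session binding that a required state parameter gives the client in the authorization code flow, with a client that treats state as optional beside one that requires it, both run through the same simulated code swap (attacker obtains a code for their own account, withholds the redirect, and gets the victim's browser to load it). The AuthorizationServer, VulnerableClient and HardenedClient classes, the client.example and as.example URLs, and the "attacker" and "victim" account names are all constructed for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://client.example/cb"       # hypothetical client redirect endpoint
AUTHZ_ENDPOINT = "https://as.example/authorize"  # hypothetical authorization endpoint


class AuthorizationServer:
    """Toy authorization server (constructed for the example): issues a one-time
    code bound to the resource owner who approved the request and echoes state back."""

    def __init__(self):
        self._codes = {}

    def authorize(self, resource_owner, state=None):
        code = secrets.token_urlsafe(16)
        self._codes[code] = resource_owner
        params = {"code": code}
        if state is not None:
            params["state"] = state
        return f"{REDIRECT_URI}?{urlencode(params)}"

    def exchange(self, code):
        # Stands in for the token request; returns whose account the code grants access to.
        return self._codes.pop(code)


class Session:
    """Per-browser client session (what the session cookie points at)."""

    def __init__(self):
        self.oauth_state = None
        self.linked_account = None


class VulnerableClient:
    """Treats state as optional: any code delivered to the redirect URI is accepted."""

    def __init__(self, authz):
        self.authz = authz

    def start(self, session):
        params = {"response_type": "code", "client_id": "app", "redirect_uri": REDIRECT_URI}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def callback(self, session, url):
        qs = parse_qs(urlparse(url).query)
        session.linked_account = self.authz.exchange(qs["code"][0])
        return True


class HardenedClient(VulnerableClient):
    """Binds every authorization request to the browser session via state and
    refuses callbacks whose state is missing, reused or foreign to that session."""

    def start(self, session):
        session.oauth_state = secrets.token_urlsafe(32)
        return super().start(session) + "&" + urlencode({"state": session.oauth_state})

    def callback(self, session, url):
        qs = parse_qs(urlparse(url).query)
        expected, session.oauth_state = session.oauth_state, None  # single use
        received = qs.get("state", [None])[0]
        if expected is None or received is None or not hmac.compare_digest(
            expected.encode(), received.encode()
        ):
            return False  # CSRF: response is not tied to a flow this session started
        session.linked_account = self.authz.exchange(qs["code"][0])
        return True


def run_legitimate(client_cls):
    """Honest flow: the same browser starts the request and receives the callback."""
    authz = AuthorizationServer()
    client = client_cls(authz)
    victim = Session()
    client.start(victim)
    url = authz.authorize("victim", state=victim.oauth_state)
    return client.callback(victim, url), victim.linked_account


def run_code_swap(client_cls):
    """Code swap: the attacker gets a code for *their own* account, does not follow
    the redirect, and tricks the victim's browser into loading it instead."""
    authz = AuthorizationServer()
    client = client_cls(authz)
    attacker = Session()
    client.start(attacker)
    attacker_url = authz.authorize("attacker", state=attacker.oauth_state)
    victim = Session()
    client.start(victim)  # with or without a flow in progress, the outcome is the same
    return client.callback(victim, attacker_url), victim.linked_account


if __name__ == "__main__":
    for cls in (VulnerableClient, HardenedClient):
        print(cls.__name__, "legit:", run_legitimate(cls), "swap:", run_code_swap(cls))
```

With the vulnerable client the victim's session ends up linked to the attacker's account; the hardened client rejects the same callback because the state value belongs to a flow another session started, while the honest flow still succeeds. The state is generated with a CSPRNG, stored server-side against the session, consumed on first use and compared in constant time; none of that relies on the browser to protect itself.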



________________________________
From: Barry Leiba <barryle...@computer.org>
To: Anthony Nadalin <tony...@microsoft.com>
Cc: "e...@sled.com" <e...@sled.com>; "OAuth WG (oauth@ietf.org)" 
<oauth@ietf.org>
Sent: Monday, August 15, 2011 8:06 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin <tony...@microsoft.com> wrote:
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our developers have been through this and agreed
> upon the text that was generated. They find the text in the current draft
> unacceptable and confusing and think that new text is acceptable.

I have to agree with what Tony says above.  The text proposed in his
message was agreed upon by several WG participants, and unless there's
some significant objection to it I think we should use it in the -21
version, subject to final WG review.

Barry, as chair
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth