Ah, guess that settles it then. Mike, if you have any suggested text to make this point clearer in the spec, this is probably the best place to put it.
-- Justin

On Tue, 2011-09-06 at 23:52 -0400, Manger, James H wrote:
> A strange aspect of this thread is that the current draft already talks
> about exactly this issue:
>
> draft-ietf-oauth-v2-21 section 9 "Native Applications"
>
>   "...Native applications can invoke an external user-agent or
>   embed a user-agent within the application
>   ...
>   Embedded user-agents pose a security challenge because resource
>   owners are authenticating in an unidentified window without access
>   to the visual protections found in most external user-agents.
>   Embedded user-agents educate end-user to trust unidentified
>   requests for authentication (making phishing attacks easier to
>   execute)."
>
> The webView that Michael Thomas talks about is an "embedded user-agent".
>
> --
> James Manger
>
>
> ----------
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Michael Thomas
>
> ...
> At this point, it would be just nice for the industry to know that the issue
> even *exists*.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth