I have some questions concerning the oauth-security document.

1. Collusion: only collusion between resource servers is considered; however, collusion between a resource server and a client could happen.

2. AS-to-RS relationship anonymity: if "the Client must not provide information about the Resource Server in the access token request," then how can the AS encrypt the access token using the key shared between the AS and the RS? I feel this requirement is unclear and conflicts with some security measures that might be taken in OAuth 2.0.

3. Compromise of the client and of the RS has been considered (separately), but the result of their compromise may not be limited to "client accessing more resources"; it could be, for example, a compromised client/RS redirecting the RO to a manipulated AS that phishes the RO's credentials.
oauth-boun...@ietf.org wrote on 2013-01-17 21:43:26:
> Hi all,
>
> We will have our next OAuth conference call on the 21st January
> 2013, 1pm EST (for roughly one hour).
>
> John & Nat kindly offered their conference bridge. It is the same
> bridge we used before.
> https://www3.gotomeeting.com/join/695548174
>
> We will continue where we stopped last time, namely we stopped our
> discussions at the crypto agility requirement
> (first requirement in http://tools.ietf.org/html/draft-tschofenig-oauth-security-01#section-5).
>
> Here is the slide set I used last time:
> http://www.tschofenig.priv.at/OAuth2-Security-11Jan2013.ppt
> (We stopped at slide #2.)
>
> We also did not manage to get to discuss the use case Justin raised
> at the first conference call. He distributed a writeup on the list:
> http://www.ietf.org/mail-archive/web/oauth/current/msg10407.html
>
> Ciao
> Hannes & Derek
>
> PS: I will try to distribute my meeting minute notes from the
> previous call by tomorrow.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth