We probably don't want this secret that is used as confirmation of the code to
be confused with a client secret that is bound to a client.
They are verified by different levels of the stack. One client_id may have
many instances all using different values of the code proof of possession
simultaneously.

So I prefer to eliminate the term client secret entirely.


On 2013-08-28, at 12:12 PM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi,
> 
> can you consider replacing "tcs" and "tcsh" with "temp_client_secret" and 
> "temp_client_secret_hash"? In OAuth2 we have "client_id", "client_secret" 
> (ex, in dyn reg), and having a temp variant of "client_secret" called 
> "tcs" seems a bit cryptic to me :-), not a big issue though
> 
> Sergey
> 
> On 30/07/13 16:36, Nat Sakimura wrote:
>> Hi.
>> 
>> I had to fix a few issues with the previous draft text.
>> No normative changes, but just removed some extra text.
>> 
>> Nat
>> 
>> ---------- Forwarded message ----------
>> From: **<internet-dra...@ietf.org <mailto:internet-dra...@ietf.org>>
>> Date: 2013/7/31
>> Subject: New Version Notification for draft-sakimura-oauth-tcse-01.txt
>> To: Nat Sakimura <sakim...@gmail.com <mailto:sakim...@gmail.com>>, John
>> Bradley <jbrad...@pingidentity.com <mailto:jbrad...@pingidentity.com>>,
>> Naveen Agarwal <n...@google.com <mailto:n...@google.com>>
>> 
>> 
>> 
>> A new version of I-D, draft-sakimura-oauth-tcse-01.txt
>> has been successfully submitted by Nat Sakimura and posted to the
>> IETF repository.
>> 
>> Filename:        draft-sakimura-oauth-tcse
>> Revision:        01
>> Title:           OAuth Transient Client Secret Extension for Public Clients
>> Creation date:   2013-07-30
>> Group:           Individual Submission
>> Number of pages: 7
>> URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-01.txt
>> Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>> Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
>> Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-01
>> 
>> Abstract:
>>    The OAuth 2.0 public client utilizing authorization code grant is
>>    susceptible to the code interception attack.  This specification
>>    describes a mechanism that acts as a control against this threat.
>> 
>> 
>> 
>> 
>> 
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org
>> <http://tools.ietf.org/>.
>> 
>> The IETF Secretariat
>> 
>> 
>> 
>> 
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>> 
>> 
>> 2013/7/30 Nat Sakimura <sakim...@gmail.com <mailto:sakim...@gmail.com>>
>> 
>>    As some of you know, passing the authorization code securely to a
>>    native app on the iOS platform is next to impossible. A malicious
>>    application may register the same custom scheme as the victim
>>    application and hope to obtain the code, and its success rate is
>>    rather high.
>> 
>>    We discussed it during the OpenID Connect Meeting at IETF
>>    87 on Sunday, and over a lengthy thread on the OpenID AB/Connect
>>    work group list. I have captured the discussion in the form of an I-D.
>>    It is pretty short and hopefully easy to read.
>> 
>>    IMHO, although it came up as an issue in OpenID Connect, this is a
>>    quite useful extension to OAuth 2.0 in general.
>> 
>>    Best,
>> 
>>    Nat Sakimura
>> 
>>    ---------- Forwarded message ----------
>>    From: ** <internet-dra...@ietf.org <mailto:internet-dra...@ietf.org>>
>>    Date: 2013/7/30
>>    Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
>>    To: Nat Sakimura <sakim...@gmail.com <mailto:sakim...@gmail.com>>,
>>    John Bradley <jbrad...@pingidentity.com
>>    <mailto:jbrad...@pingidentity.com>>, Naveen Agarwal <n...@google.com
>>    <mailto:n...@google.com>>
>> 
>> 
>> 
>>    A new version of I-D, draft-sakimura-oauth-tcse-00.txt
>>    has been successfully submitted by Nat Sakimura and posted to the
>>    IETF repository.
>> 
>>    Filename:        draft-sakimura-oauth-tcse
>>    Revision:        00
>>    Title:           OAuth Transient Client Secret Extension for Public
>>    Clients
>>    Creation date:   2013-07-29
>>    Group:           Individual Submission
>>    Number of pages: 7
>>    URL:
>>    http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
>>    Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>>    Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00
>> 
>> 
>>    Abstract:
>>        The OAuth 2.0 public client utilizing code flow is susceptible to the
>>        code interception attack.  This specification describes a mechanism
>>        that acts as a control against this threat.
>> 
>> 
>> 
>> 
>> 
>>    Please note that it may take a couple of minutes from the time of
>>    submission
>>    until the htmlized version and diff are available at tools.ietf.org
>>    <http://tools.ietf.org>.
>> 
>>    The IETF Secretariat
>> 
>> 
>> 
>> 
>>    --
>>    Nat Sakimura (=nat)
>>    Chairman, OpenID Foundation
>>    http://nat.sakimura.org/
>>    @_nat_en
>> 
>> 
>> 
>> 
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

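The exchange the thread is about, as an added illustration that is not code from the draft or from anyone on this list: a public client instance generates a transient secret ("tcs" in the thread's naming), sends only its hash ("tcsh") with the authorization request, and presents the secret itself at the token endpoint, where the authorization server checks it against the hash stored with the code. The hash construction (SHA-256, base64url without padding), the 32-byte secret length, and the in-process `AuthorizationServer` / `ClientInstance` classes are assumptions made for this model; the draft is authoritative on the actual parameters. The scenarios at the end exercise the two points made above: several instances of one `client_id` redeem concurrently with different secrets, and an app that only captured a code (via the shared custom scheme) cannot redeem it.

```python
# Added illustration (not code from the draft or this thread): an in-process
# model of the transient client secret check, using the "tcs" / "tcsh" names
# from the thread.  Assumptions: tcsh = base64url(SHA-256(tcs)) and tcs is
# 32 random bytes, base64url-encoded; the draft itself is authoritative.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(raw: bytes) -> str:
    """base64url without padding (assumed encoding)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_tcs() -> str:
    """Fresh per-instance transient secret; it never leaves the app instance
    except in the token request."""
    return b64url(secrets.token_bytes(32))


def tcsh_of(tcs: str) -> str:
    """The hash that travels in the (interceptable) authorization request."""
    return b64url(hashlib.sha256(tcs.encode("ascii")).digest())


class AuthorizationServer:
    """Checks tcs at the token endpoint, per code, not per client."""

    def __init__(self) -> None:
        # code -> (client_id, tcsh); a real AS also stores redirect_uri,
        # scope and an expiry, omitted here.
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, tcsh: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, tcsh)
        return code

    def token(self, client_id: str, code: str, tcs: str) -> Optional[dict]:
        # Single use: the code is consumed whether or not the check passes.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client_id, stored_tcsh = entry
        if stored_client_id != client_id:
            return None
        # Constant-time comparison of the recomputed hash with the stored one.
        if not hmac.compare_digest(tcsh_of(tcs), stored_tcsh):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "Bearer"}


class ClientInstance:
    """One installed copy of a public client; many copies share one client_id."""

    def __init__(self, client_id: str) -> None:
        self.client_id = client_id
        self.tcs = make_tcs()

    def start(self, srv: AuthorizationServer) -> str:
        # Only the hash goes out with the authorization request.
        return srv.authorize(self.client_id, tcsh_of(self.tcs))

    def finish(self, srv: AuthorizationServer, code: str) -> Optional[dict]:
        # The secret itself is sent only to the token endpoint.
        return srv.token(self.client_id, code, self.tcs)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios; every entry should be True."""
    srv = AuthorizationServer()
    a = ClientInstance("native-app")
    b = ClientInstance("native-app")   # same client_id, different instance
    c = ClientInstance("native-app")
    d = ClientInstance("native-app")
    code_a, code_b = a.start(srv), b.start(srv)
    code_c, code_d = c.start(srv), d.start(srv)
    return {
        # two instances of one client_id redeem concurrently, each with its own tcs
        "instance_a_ok": a.finish(srv, code_a) is not None,
        "instance_b_ok": b.finish(srv, code_b) is not None,
        # a code already used once is refused
        "replay_refused": a.finish(srv, code_a) is None,
        # an app that captured code_c through the shared custom scheme lacks c.tcs
        "interceptor_refused": srv.token("native-app", code_c, make_tcs()) is None,
        # another instance of the SAME client_id cannot redeem d's code either:
        # the binding is to the instance's secret, not to the client_id
        "cross_instance_refused": b.finish(srv, code_d) is None,
    }
```

The `cross_instance_refused` case is the one that separates this secret from a client secret: the client_id check passes, and the request is still refused because the hash stored with that particular code does not match. Nothing about the check depends on client authentication, so it composes with whatever the token endpoint already does for confidential clients.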