Hi Barry,

let me explain this pre-condition a bit more since I wrote the text:

On 06/11/2015 08:49 PM, Barry Leiba wrote:
> *** IMPORTANT *** I am still puzzled by this, in pre-condition (4), which
> seems to contradict what John said and what I proposed above:
> 
>    4) The attacker (via the installed app) is able to observe responses
>       from the authorization endpoint.  As a more sophisticated attack
>       scenario the attacker is also able to observe requests (in
>       addition to responses) to the authorization endpoint.

With the attack that occurred in the wild, the main issue was that an
attacker exploited the feature of smartphone OSs that allows multiple
apps to register the same custom URI scheme.

In this model the adversary will see response messages. However, it is
possible for an attacker to also compromise the smartphone OS in such a
way that he/she is able to see the requests as well as the responses. In
such a "more sophisticated attack" the proposed mechanism does not help.

Does this additional description help?

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
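Editor's note, added to this archived message (it is not part of Hannes's mail or of the draft under discussion): the exchange above is easier to follow with the two attacker models run side by side. The script below is a constructed toy of the authorization code flow with the mitigation I assume the thread refers to, PKCE (code_verifier / code_challenge, draft-ietf-oauth-spop, later RFC 7636). The custom-scheme redirect URI, client id and the "observer" flags are illustrative assumptions. It covers only traffic to the authorization endpoint, as pre-condition (4) does; an attacker that has compromised the OS has other ways to obtain the verifier, which the model does not simulate.

```python
# Added illustrative example, not code from the OAuth working group.
import base64
import hashlib
import secrets

# Constructed custom-scheme redirect URI; on a phone any app that registered
# this scheme may be the one the OS hands the authorization response to.
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE uses for S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from code_verifier for the given method."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier  # "plain": the challenge is the verifier itself


class AuthorizationServer:
    """Toy AS: authorization endpoint issues codes, token endpoint redeems them."""

    def __init__(self):
        self._codes = {}  # code -> (challenge or None, method)

    def authorize(self, request: dict) -> dict:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (request.get("code_challenge"),
                             request.get("code_challenge_method", "plain"))
        # Response is delivered to the redirect URI; the OS picks the app.
        return {"code": code, "redirect_uri": request["redirect_uri"]}

    def token(self, request: dict) -> dict:
        entry = self._codes.pop(request.get("code"), None)  # single use
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if challenge is not None:
            verifier = request.get("code_verifier")
            if verifier is None or make_challenge(verifier, method) != challenge:
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16)}


def attacker_wins(use_pkce: bool, method: str, sees_request: bool) -> bool:
    """Run one flow. The malicious app registered on the same custom scheme
    always receives the authorization response (pre-condition 4); with
    sees_request it has also observed the authorization request, i.e. the
    "more sophisticated" attacker. Returns True if it obtains a token."""
    server = AuthorizationServer()
    request = {"client_id": "legit-app", "redirect_uri": REDIRECT_URI}
    if use_pkce:
        verifier = b64url(secrets.token_bytes(32))
        request["code_challenge"] = make_challenge(verifier, method)
        request["code_challenge_method"] = method
    response = server.authorize(request)

    # The attacker builds a token request from what it observed. It is a
    # public client, so there is no client secret to stop it.
    attack = {"client_id": "legit-app", "code": response["code"],
              "redirect_uri": REDIRECT_URI}
    if sees_request and "code_challenge" in request:
        # Best guess available from the request: the challenge value itself.
        # That equals the verifier only for "plain"; S256 sends a hash.
        attack["code_verifier"] = request["code_challenge"]
    return "access_token" in server.token(attack)


if __name__ == "__main__":
    for args in [(False, "plain", False), (True, "S256", False),
                 (True, "plain", True), (True, "S256", True)]:
        print(args, "attacker wins" if attacker_wins(*args) else "attacker blocked")
```

The first two runs are the attack from the wild and the mitigation: seeing only the response yields a code the token endpoint refuses without the verifier. The third run is the plain method against a request-observing attacker, where the challenge in the request is the verifier, so the mitigation gives nothing.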
