Hi, Hannes, and thanks for clearing this bit up.

>> 4) The attacker (via the installed app) is able to observe responses
>> from the authorization endpoint. As a more sophisticated attack
>> scenario the attacker is also able to observe requests (in
>> addition to responses) to the authorization endpoint.
..
> In this model the adversary will see response messages. However, it is
> possible for an attacker to also compromise the smart phone OS in such a
> way that he/she is also able to see the request as well as the
> responses. In such a "more sophisticated attack" the proposed mechanism
> does not help.
Ah, got it. Then it would be good for (4) to say that, maybe just by adding to the end, "This mechanism does not protect against the more sophisticated attack." Sound OK?

Barry

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
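The threat model quoted above, worked through as an added example that is not part of the thread or of any IETF draft. It assumes the "proposed mechanism" is a PKCE-style code_verifier/code_challenge binding (the thread never names it), and it models only the baseline attacker of item (4): one who sees the authorization response (and so the code) but not the request. The `AuthorizationServer` class, its method names and the scenario functions are all hypothetical constructions for illustration; the one real value is the RFC 7636 Appendix B test vector used to sanity-check the S256 transform.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """43-character high-entropy code_verifier (32 random bytes, base64url)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal AS that binds each issued code to a code_challenge."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str) -> dict:
        # The request carries only the one-way challenge, never the verifier.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        # This response is what the attacker in item (4) can observe.
        return {"code": code}

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        # Burn the code on first use, whether or not the exchange succeeds:
        # a code presented with a bad verifier is itself a sign of interception.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, challenge = entry
        if bound_client != client_id:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def scenario_legitimate_client() -> dict:
    """The honest app holds the verifier it generated and redeems its own code."""
    server = AuthorizationServer()
    verifier = make_verifier()
    response = server.authorize("native-app", challenge_s256(verifier))
    return server.token("native-app", response["code"], verifier)


def scenario_response_observer() -> dict:
    """Attacker per item (4): sees the response (the code) but never the request
    or the app's memory, so it has no verifier and must guess one."""
    server = AuthorizationServer()
    verifier = make_verifier()  # stays inside the honest app
    response = server.authorize("native-app", challenge_s256(verifier))
    stolen_code = response["code"]  # constructed interception of the redirect
    guessed_verifier = make_verifier()  # attacker's best effort: a random guess
    return server.token("native-app", stolen_code, guessed_verifier)


if __name__ == "__main__":
    print("legitimate client:", scenario_legitimate_client())
    print("response observer:", scenario_response_observer())
```

The defender-side point is in `token()`: the code alone is worthless to whoever captured it from the response, and because the code is burned on a failed exchange, a later `invalid_grant` for the honest client is a detectable symptom of interception rather than a silent success for the attacker.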