Hi Phil,

Since I was not in Darmstadt, I really do not know what was discussed there, but with the compromised developer documentation described in http://nat.sakimura.org/2016/01/15/idp-mix-up-attack-on-oauth-rfc6749/, all RFC6749 clients with a naive implementer will be affected. The client does not need to be talking to multiple IdPs.
Nat

On Tue, 26 Jan 2016 at 3:58, Phil Hunt (IDM) <phil.h...@oracle.com> wrote:

> I recall making this point in Germany. 99% of existing use is fine. OIDC
> is probably the largest community that *might* have an issue.
>
> I recall proposing a new security document that covers OAuth security for
> dynamic scenarios. "Dynamic" being broadly defined to mean:
> * clients that are configured at runtime or install time (including
>   clients that do discovery)
> * clients that communicate with more than one endpoint
> * clients that are deployed in large volume and may update frequently
>   (more discussion of "public" cases)
> * clients that are script-based (loaded into the browser on the fly)
> * others?
>
> Phil
>
>> On Jan 25, 2016, at 10:39, George Fletcher <gffle...@aol.com> wrote:
>>
>> would
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth