Hi Phil,

Since I was not in Darmstadt, I really do not know what was discussed
there, but with the compromised developer documentation described in
http://nat.sakimura.org/2016/01/15/idp-mix-up-attack-on-oauth-rfc6749/, all
RFC6749 clients with a naive implementer will be affected. The client does
not need to be talking to multiple IdPs.

Nat

On Tue, Jan 26, 2016 at 3:58, Phil Hunt (IDM) <phil.h...@oracle.com> wrote:

> I recall making this point in Germany. 99% of existing use is fine. OIDC
> is probably the largest community that *might* have an issue.
>
> I recall proposing a new security document that covers oauth security for
> dynamic scenarios. "Dynamic" being broadly defined to mean:
> * clients who have configured at runtime or install time (including
> clients that do discovery)
> * clients that communicate with more than one endpoint
> * clients that are deployed in large volume and may update frequently
> (more discussion of "public" cases)
> * clients that are script based (loaded into browser on the fly)
> * others?
>
> Phil
>
> > On Jan 25, 2016, at 10:39, George Fletcher <gffle...@aol.com> wrote:
> >
> > would
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>