Existing implementations are for the large part ok and do not need these mitigations.
Only the new use cases we have been discussing (configure on the fly and multi-AS, etc.) really need mitigation. The updated-by approach seems like a good way to address the new cases.

Phil

> On Apr 6, 2016, at 14:35, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>
> Hi all,
>
> today we discussed the OAuth Authorization Server Mixup draft. We were
> wondering what types of threats the document should find solutions for.
>
> We discussed various document handling approaches including
> * OAuth Mix-Up and Cut-and-Paste attacks documented in separate
> solution documents
> * combined solution document covering the OAuth Mix-Up and the
> Cut-and-Paste attacks.
>
> Barry pointed out that these documents could update the OAuth base
> specification.
>
> As a more radical change it was also suggested to revise RFC 6749 "OAuth
> 2.0 Authorization Framework" and RFC 6819 "OAuth 2.0 Threat Model and
> Security Considerations".
>
> Opening up the OAuth base specification obviously raises various other
> questions about cleaning up parts that go far beyond the AS mix-up and
> the cut-and-paste attacks. Other specifications, such as the Open
> Redirector, could be folded into such a new specification.
>
> Derek and I would appreciate your input on this topic before we make a
> decision since it has significant impact on our work.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
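To make the multi-AS case concrete (the one Phil distinguishes from single-AS deployments), here is an added illustrative example; it is not code from this thread, from the mix-up draft, or from any OAuth library. It models a client registered at two authorization servers that keys its bookkeeping by `state`, replays the mix-up sequence (the user starts at an attacker-controlled AS, which forwards the browser to an honest AS), and contrasts a handler that trusts the stored AS with one that requires the responding AS to identify itself via an assumed `iss` parameter in the authorization response (the shape later standardized in RFC 9207). The endpoint URLs, client identifiers and callback strings are constructed sample data.

```python
"""Illustration of the AS mix-up problem for a client registered at several ASs.

Added example, not code from the thread or from any IETF draft. The "iss"
callback parameter carrying the responding AS's issuer identifier and the
per-state bookkeeping are assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class AuthServer:
    """Static configuration the client holds for one authorization server."""
    issuer: str
    authorization_endpoint: str
    token_endpoint: str
    client_id: str  # the client's identifier at this particular AS


class MixUpError(Exception):
    """The authorization response did not come from the AS the request went to."""


class MultiASClient:
    """A client that can start a flow at any of several configured ASs."""

    def __init__(self, redirect_uri, servers):
        self.redirect_uri = redirect_uri
        self.servers = {s.issuer: s for s in servers}
        self.pending = {}  # state -> issuer the authorization request went to

    def start(self, issuer, state=None):
        """Build the authorization request URL and remember which AS it targets."""
        as_ = self.servers[issuer]
        state = state or secrets.token_urlsafe(16)
        self.pending[state] = issuer
        query = urlencode({
            "response_type": "code",
            "client_id": as_.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{as_.authorization_endpoint}?{query}"

    def _issuer_for(self, params):
        """Look up (and invalidate) the AS recorded under the returned state."""
        state = params.get("state", [None])[0]
        issuer = self.pending.pop(state, None)
        if issuer is None:
            raise MixUpError("unknown or already-used state")
        return issuer

    def token_endpoint_unmitigated(self, callback_url):
        """Pre-mitigation behaviour: send the code to whichever AS state points at.

        If the user started at an attacker-controlled AS that then forwarded the
        browser to an honest AS, the honest AS's code is posted to the
        attacker's token endpoint, who redeems it at the honest AS.
        """
        params = parse_qs(urlparse(callback_url).query)
        return self.servers[self._issuer_for(params)].token_endpoint

    def token_endpoint_mitigated(self, callback_url):
        """Mitigated: require the responding AS to identify itself and compare."""
        params = parse_qs(urlparse(callback_url).query)
        expected = self._issuer_for(params)
        actual = params.get("iss", [None])[0]  # assumed response parameter
        if actual != expected:
            raise MixUpError(f"response claims {actual!r}, request went to {expected!r}")
        return self.servers[expected].token_endpoint


# Constructed sample configuration: one honest AS and one attacker-controlled AS.
HONEST = AuthServer("https://honest.example", "https://honest.example/authorize",
                    "https://honest.example/token", "client-at-honest")
ATTACKER = AuthServer("https://attacker.example", "https://attacker.example/authorize",
                      "https://attacker.example/token", "client-at-attacker")


def run_scenario():
    """Replay the mix-up sequence and report where each handler would send the code."""
    client = MultiASClient("https://client.example/cb", [HONEST, ATTACKER])
    results = {}

    # Honest flow: request to HONEST, response from HONEST; the check passes.
    client.start(HONEST.issuer, state="ok")
    cb = "https://client.example/cb?code=c1&state=ok&iss=https://honest.example"
    results["honest"] = client.token_endpoint_mitigated(cb)

    # Mix-up: the user picked ATTACKER, which silently redirected the browser to
    # HONEST's authorization endpoint; HONEST now answers under the same state.
    mixed_cb = "https://client.example/cb?code=c2&state=s1&iss=https://honest.example"
    client.start(ATTACKER.issuer, state="s1")
    results["unmitigated"] = client.token_endpoint_unmitigated(mixed_cb)  # code c2 leaks
    client.start(ATTACKER.issuer, state="s1")
    try:
        client.token_endpoint_mitigated(mixed_cb)
        results["mitigated"] = "accepted"
    except MixUpError:
        results["mitigated"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point the example makes is the one under discussion: a client that talks to exactly one AS has nothing to confuse, because `pending` can only ever hold one issuer; the bookkeeping and the issuer comparison only start to matter once the same `redirect_uri` can receive responses from more than one AS, which is exactly the multi-AS and configure-on-the-fly situation.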