On Fri, Apr 26, 2019 at 10:51:53AM +0000, Luca Arnaboldi wrote: > * I spoke with Hannes after the IETF meeting in Prague and he expressed the > need to enhance our formal analysis (as presented at the OAuth Security > Workshop) to verify whether it is necessary to demonstrate possession of the > private key by the client to the authorization server. > > > * The analysis checked whether it was necessary for a proof of possession to > be performed between the client and AS to ensure security. The result was > that even without verification by the AS the client would not be able to > access the resource from the RS without possessing the secret key associated > to the token (assuming the check is done correctly by the RS).
My apologies for not checking the model directly (I'm on a plane), but I'll note that we have seen similar PoP scenarios in other protocols where a misbehaving client will deliberately try to bind the (valid) key from another party to a token it authorizes, which can sometimes result in the other party taking actions different from the ones they intended. So I'd suggest being careful about what scope of attacks are considered. Thanks, Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
