On 30 Oct 2019, at 16:41, Salz, Rich <rs...@akamai.com> wrote:
>
>> I'm thinking of a uniformly random 16-byte name right now. Have at it.
> Cute but missing the point. I don’t have to guess it.
To quote your previous claim: "There is no such thing as an unguessable name."
> YOU have to securely deploy it across your proxy (however many staff), your
> backend (however many staff), your application developers (however many), and
> perhaps your diagnosing or debug teams if they are different. And then you
> must make sure that if ANYONE ever takes a packet trace, or makes a slide out
> of a sample message, that they don’t disclose the header, such as by showing
> “here’s how we do OAUTH” at a user group meeting.
Even if your deployment team had such staggeringly bad operational security
practices as to allow people to take packet captures from an internal network
and show them on public slides without any kind of questions being asked, if
this actually happens *YOU ARE NO WORSE OFF THAN IN THE SITUATION WHERE YOU
USED A WELL-KNOWN HEADER NAME*!
I don't know how many different ways I can say that this is a defense in depth
*in addition to* everything else you would normally do to secure traffic
between your RP and backend servers. As with all defense in depth, the aim is
to be more than 1 configuration mistake away from total compromise.
-- Neil
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
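To make the argument above concrete, here is an added example that is not part of the thread or of anyone's posted code: a small, self-contained simulation in Python of a reverse proxy (the RP) that validates a bearer token and hands the resulting identity to a backend in a trusted header. Requests are plain dicts rather than real HTTP, the token store is a hypothetical stand-in for the proxy's OAuth validation, and "X-Forwarded-User" is used as the stand-in well-known header name; all of that is constructed for the example. Running the same three scenarios once with the well-known name and once with a uniformly random name generated from 16 bytes shows the difference being argued for: an attacker who can reach the backend directly and sets the well-known header is accepted, while the same attacker against a backend expecting the random name is rejected, and in both configurations the proxy still strips any client-supplied copy of the trusted header, so a secret name is only an extra layer, never a replacement for that step.

```python
"""Simulated reverse proxy + backend with a secret identity-header name.

Constructed example for illustration; not code from the OAuth list thread.
Requests are plain dicts {"path": ..., "headers": {...}}. A real deployment
would do the same things in the proxy configuration and the backend framework.
"""
import secrets
from typing import Dict

# Hypothetical token store standing in for the proxy's real token validation.
VALID_TOKENS = {"tok-abc123": "alice@example.com"}


def generate_header_name() -> str:
    """Build a header name from 16 uniformly random bytes.

    Hex encoding keeps the name valid under HTTP's case-insensitive header
    matching, and the name contains no underscores, which some proxies
    silently drop from incoming headers by default.
    """
    return "x-" + secrets.token_hex(16)


def proxy(request: Dict, header_name: str) -> Dict:
    """The RP side: strip any client-supplied copy of the trusted header,
    validate the bearer token, and set the header only on success."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # Never forward a client-supplied copy, regardless of which name is in use.
    headers.pop(header_name.lower(), None)
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        user = VALID_TOKENS.get(auth[len("Bearer "):])
        if user is not None:
            headers[header_name.lower()] = user
    return {"path": request["path"], "headers": headers}


def backend(request: Dict, header_name: str) -> str:
    """The backend side: the identity header is the only thing it trusts."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    user = headers.get(header_name.lower())
    if user is None:
        return "401 unauthenticated"
    return f"200 hello {user}"


def run_scenarios(header_name: str) -> Dict[str, str]:
    """Exercise the proxy/backend pair with a given trusted header name."""
    results = {}

    # 1. Legitimate client presents a valid token through the proxy.
    req = {"path": "/me", "headers": {"Authorization": "Bearer tok-abc123"}}
    results["via_proxy_valid_token"] = backend(proxy(req, header_name), header_name)

    # 2. Client tries to smuggle the trusted header through the proxy.
    req = {"path": "/me", "headers": {header_name: "mallory@example.com"}}
    results["via_proxy_forged_header"] = backend(proxy(req, header_name), header_name)

    # 3. Attacker bypasses the proxy entirely (the "one configuration mistake"
    #    case) and sends the well-known header name straight to the backend.
    req = {"path": "/me", "headers": {"X-Forwarded-User": "mallory@example.com"}}
    results["direct_guess_well_known"] = backend(req, header_name)

    return results


if __name__ == "__main__":
    for label, name in (("well-known", "X-Forwarded-User"),
                        ("random", generate_header_name())):
        print(f"--- trusted header name: {label} ({name})")
        for scenario, outcome in run_scenarios(name).items():
            print(f"{scenario:26s} -> {outcome}")
```

Scenario 3 is the whole point of the thread: with the well-known name the backend greets "mallory", with the random name it returns 401. Scenarios 1 and 2 come out the same either way, which is the "no worse off" claim in code form. Note that the random name has to be distributed to every component that sets or reads it, exactly the operational cost raised in the quoted message; it is a defense-in-depth layer on top of the proxy's stripping and the network controls, not a substitute for them.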