Daniel,
No. It is not a correct summary. One client can allow another client to
get an access token that belongs to it.
The key point is that a software-only solution can't prevent this
collaborative attack and since, at this time,
the OAuth WG is not considering the use of secure elements, the attack
cannot be countered.
Please have a look at:
https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html
Denis
Hi Denis,
On 07.11.19 at 09:16, Denis wrote:
"Whatever kind of cryptography is being used, when two users
collaborate, a software-only solution will be unable to prevent the
transmission of an attribute of a user that possesses it to another user
that does not possess it."
To stay in OAuth lingo, what you are saying is: Two collaborating
clients can exchange their access tokens and use them.
Is that a correct summary of your attack?
-Daniel
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth