One client can always share the protected data with another client once retrieved, regardless of PoP or secure elements.

Hans.

On Fri, Nov 8, 2019 at 8:38 AM Denis <denis.i...@free.fr> wrote:

> Daniel,
>
> No. It is not a correct summary. One client can allow another client to
> get an access token that belongs to it.
> The key point is that a software only solution can't prevent this
> collaborative attack and since, at this time,
> the OAuth WG is not considering the use of secure elements, the attack
> cannot be countered.
>
> Please have a look at:
> https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html
>
> Denis
>
>
> Hi Denis,
>
> On 07.11.19 at 09:16, Denis wrote:
>
>
> *Whatever kind of cryptography is being used, when two users
> collaborate, a software-only solution will be unable to prevent the
> transmission*
> *of an attribute of a user that possesses it to another user that
> does not possess it.*
>
> To stay in OAuth lingo, what you are saying is: Two collaborating clients
> can exchange their access tokens and use them.
>
> Is that a correct summary of your attack?
>
> -Daniel
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

--
hans.zandb...@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu