Maybe this has been covered elsewhere, but one can see the case where "iss" in
an example is set to "my_auth_server" and that cut/paste gets re-used. That's
also possible even in the OpenID Discovery mechanism; it requires the
implementer to actually pick a unique value. It would be better if
Thanks Mike (and reluctantly John, I guess). I'm pleased to hear about the
direction things are taking and look forward to reviewing -01.
On Tue, Jan 12, 2016 at 3:53 PM, Mike Jones wrote:
> John Bradley and I went over this today and I'm already planning on
> simplifying the draft along the lin
I fully agree with Brian. We came up with a rather simple (== w/o
crypto) solution to mitigate the mix-up attack. We should first specify
them as discussed and then have a discussion in the working group - also
about additional attack vectors.
As discussed in Darmstadt, we should also come up