Thanks for the quick followup. I will take a look at the next version.
-Ekr
On Fri, Apr 13, 2018 at 6:06 PM, Mike Jones wrote:
> We still need to add the text addressing the points described in John
> Bradley’s reply to you sent while in London.
We still need to add the text addressing the points described in John Bradley’s
reply to you sent while in London.
-- Mike
From: OAuth On Behalf Of Eric Rescorla
Sent: Friday, April 13, 2018 6:00 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Fo
Hi folks,
I just looked at the -08 diffs and I see a new section on brute forcing the
token but not describing the confused deputy attack. Did I miss something, or
were you still planning to add more text?
Thanks
-Ekr
Hi folks,
I've gone over draft-ietf-oauth-token-exchange-12 and things seem
generally OK. I do still have one remaining concern, which is about
the actor claim. Specifically, what is the RP supposed to do when they
encounter it? This seems kind of underspecified.
In particular:
1. What facts am
I’m not particularly wedded to SHA-512, just that it should be possible to use
something else. At the moment, the draft seems pretty wedded to SHA-256.
SHA-512 may be overkill, but it is fast (faster than SHA-256 on many 64-bit
machines) and provides a very wide security margin against any futur