In my (probably simplistic) understanding of things, the root underlying
issue that allows for mix-up in its variations is the lack of anything
identifying the AS in the authorization response. Following from that,
introducing and using an `iss` authorization response parameter has always
seemed li
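One way a client can act on that observation, as an added example that is not code from this thread or from any specification it mentions (the `Client` class, the `MixUpError` type and the issuer URLs are constructed for illustration): the client records which authorization server each flow was started with, keyed by `state`, and refuses any authorization response whose `iss` is absent, duplicated, or names a different server than the one the flow began with. The `iss` value returned is the only server whose token endpoint the code should ever be sent to.

```python
"""Client-side check of the `iss` authorization response parameter.

Added example, not code from the mailing-list thread.  Issuer URLs and
the Client/MixUpError names are constructed placeholders.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
from urllib.parse import parse_qs, urlsplit


class MixUpError(Exception):
    """The authorization response could not be bound to the expected AS."""


@dataclass
class PendingAuthorization:
    issuer: str        # issuer identifier of the AS this flow was started with
    redirect_uri: str  # redirect_uri used in the authorization request


@dataclass
class Client:
    known_servers: Set[str]                                   # issuer identifiers the client is registered with
    pending: Dict[str, PendingAuthorization] = field(default_factory=dict)  # state -> pending flow

    def begin_authorization(self, issuer: str, redirect_uri: str) -> str:
        """Remember the AS chosen for this flow under a fresh, unguessable state."""
        if issuer not in self.known_servers:
            raise ValueError(f"unknown authorization server: {issuer}")
        state = secrets.token_urlsafe(16)
        self.pending[state] = PendingAuthorization(issuer, redirect_uri)
        return state

    def handle_response(self, redirect_url: str) -> Tuple[str, str]:
        """Validate the redirect back to the client and return (issuer, code).

        The returned issuer is the only AS whose token endpoint may receive the code.
        """
        query = parse_qs(urlsplit(redirect_url).query)

        # state binds the response to a flow this client actually started (single use)
        state = query.get("state", [None])[0]
        expected = self.pending.pop(state, None)
        if expected is None:
            raise MixUpError("unknown or replayed state")

        # iss binds the response to the AS that issued it
        iss_values = query.get("iss", [])
        if len(iss_values) != 1:
            raise MixUpError("response must carry exactly one iss value")
        if iss_values[0] != expected.issuer:
            # Response came from a different AS than the one this flow started with:
            # the classic mix-up condition.  Do not use the code anywhere.
            raise MixUpError(f"iss {iss_values[0]!r} does not match expected {expected.issuer!r}")

        code = query.get("code", [None])[0]
        if not code:
            raise MixUpError("no authorization code in response")
        return expected.issuer, code


if __name__ == "__main__":
    client = Client(known_servers={"https://as.example", "https://other-as.example"})
    state = client.begin_authorization("https://as.example", "https://client.example/cb")
    print(client.handle_response(
        f"https://client.example/cb?code=abc&state={state}&iss=https%3A%2F%2Fas.example"))
```

This example treats a missing `iss` as a hard failure, the stricter of the two policies a client could take; a client that still talks to servers which do not send `iss` would have to fall back on the other mix-up defences rather than silently accepting the response.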
Hi all,
I was wondering if we should move towards introducing and (more
explicitly) recommending the iss parameter in the security BCP, for the
reasons laid out below and in the article (which is now at
https://danielfett.de/2020/05/04/mix-up-revisited/).
Any thoughts on this?
-Daniel
Am 04.05.2
Hi all,
to make substantiated recommendations for FAPI 2.0, the security
considerations for PAR, and the security BCP, I did another analysis on
the threats that arise from mix-up attacks. I was interested in
particular in two questions:
* Does PAR help prevent mix-up attacks?
* Do we need