> > *From:*OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Nat Sakimura
> > *Sent:* Monday, May 9, 2016 7:34 PM
> > *To:* Guido Schmitz ; oauth@ietf.org
> > *Subject:* Re: [OAUTH-WG] Multi-AS State Re-Use
>
> As far as I am aware, state was meant to be a nonce. Replay possibility
> etc. were known. It is probably bad documentation that every reviewer
> missed because they were assuming it.
As far as I am aware, state was meant to be a nonce. Replay possibility etc.
were known. It is probably bad documentation that every reviewer missed
because they were assuming it.
Best,
Nat
On Mon, May 9, 2016 at 20:14 Guido Schmitz wrote:
Hi all,
can anybody confirm that this is a new / undocumented attack?
Cheers,
Guido, Daniel, and Ralf
On 22.04.2016 16:23, Daniel Fett wrote:
Hi all,
Besides the state leakage attack we found that another important fact
regarding state is underspecified: Each state value should only be
used for one run of the protocol, in particular, each AS should see a
different state in multi-AS settings. Clients might be tempted to
generate state on