client application handles user
authentication in an appropriate way
Regards
Mark
André DeMarre wrote on 16/01/2012 23:20:02:
>
> To:
>
> Eran Hammer 16/01/2012 23:22
>
>
> Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
>
> Eran,
>
> Yes; I
Eran,
Yes; I think a section should be added to the security model doc.
On 2011-12-16 Mark Mcgloin agreed and suggested we call it "Client
Registration of phishing clients":
http://www.ietf.org/mail-archive/web/oauth/current/msg08061.html
I'm happy to propose the text; it might be one or two day
Should this be added to the security model document? Is it already addressed
there?
EHL
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of André DeMarre
> Sent: Tuesday, October 04, 2011 11:33 AM
> To: OAuth WG
> Subject: [OAUTH-WG] Phishin
Andre
You are right that the threat model does not cover this kind of issue
related to client registration. Client registration is considered to be out
of scope in the oauth spec but it is worth drawing developers' attention to
this. I can add a threat entitled something like "Client Registration
You are right that they are similar, but there is a difference, and
only one of the six countermeasures is relevant to the threat I
described.
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4
seems to be about an attack where the malicious client impersonates a
differe
Hi Andre,
how do you think the threat you described differs from
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01#section-4.4.1.4?
regards,
Torsten.
On 26.10.2011 22:44, André DeMarre wrote:
Should a brief explanation of this be added to the Threat Model and
Security Considerati
Should a brief explanation of this be added to the Threat Model and
Security Considerations document? Or does anyone even agree that this
can be a problem?
Regards,
Andre DeMarre
On Tue, Oct 4, 2011 at 11:32 AM, André DeMarre wrote:
> I've not seen this particular variant of phishing and client