Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [2/3]

2020-01-09 Thread Daniel Fett
Hi Hans,

On 11.11.19 at 10:57, Hans Zandbelt wrote:
>
> P17
> About the description of the mixup attack: as long as the attacker is
> able to trigger a request (by having the user click a link) and read
> the query/POST parameters on the A-AS (perhaps from the logs) he can
> execute a mixup attac

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [2/3]

2019-11-18 Thread Torsten Lodderstedt
Hi Hans,

> On 11. Nov 2019, at 17:57, Hans Zandbelt wrote:
>
> Hi,
>
> Please find my feedback on pages 11-20 below.
>
> Hans.
>
> P14
> 4.2.4 For an RP there should be more explicit text and guidance about having
> a single dedicated immutable redirect URI per client that "demultiplexes"