Hello Jared,
You raised the following question:
*Should other possible threats and vulnerabilities be included?
Meaning, is the list the definitive known list?*
This list is certainly not a "definitive /known/ list" since there
exists an additional /known/ threat that has been advertised
Hi Denis,
On 07.11.19 at 09:16, Denis wrote:
>
> *Whatever kind of cryptography is being used, when two users
> collaborate, a software-only solution will be unable to prevent the
> transmission of an attribute of a user that possesses it to another
> user that does not possess
Daniel,
No. It is not a correct summary. One client can allow another client to
get an access token that belongs to it.
The key point is that a software-only solution can't prevent this
collaborative attack and since, at this time,
the OAuth WG is not considering the use of secure elements, the