Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-threatmodel-07.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 16 August 2012 17:19 UTC


Hi all,

the new revision covers token substitution, which has been added to the 
core spec lately. Additionally, it describes a similar attack on the 
code flow, which is prevented by forcing the authorization server to 
validate that an authorization code had been issued to the calling client.

We also made the references to core and bearer spec normative.

regards,
Torsten.

On 16.08.2012 19:14, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>   This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>
> 	Title           : OAuth 2.0 Threat Model and Security Considerations
> 	Author(s)       : Torsten Lodderstedt
>                            Mark McGloin
>                            Phil Hunt
> 	Filename        : draft-ietf-oauth-v2-threatmodel-07.txt
> 	Pages           : 70
> 	Date            : 2012-08-16
>
> Abstract:
>     This document gives additional security considerations for OAuth,
>     beyond those in the OAuth specification, based on a comprehensive
>     threat model for the OAuth 2.0 Protocol.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-threatmodel
>
> There's also an htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-07
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-threatmodel-07
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
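The code-flow check Torsten's message describes, the authorization server verifying that an authorization code was issued to the client now redeeming it, shown as an added illustration that is not part of the thread or of the draft itself; the in-memory AuthorizationServer class, its method names and the 60-second code lifetime are assumptions made for the example:

```python
import secrets
import time

# Constructed, in-memory model of the authorization-server side of the
# OAuth 2.0 authorization code grant (hypothetical, not any real AS).
CODE_LIFETIME_SECONDS = 60


class AuthorizationServer:
    def __init__(self):
        # code -> {"client_id", "redirect_uri", "issued_at", "used"}
        self._codes = {}

    def issue_code(self, client_id, redirect_uri, now=None):
        """Authorization endpoint: bind the new code to the requesting client."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "issued_at": now,
            "used": False,
        }
        return code

    def exchange_code(self, code, client_id, redirect_uri, now=None):
        """Token endpoint: returns (access_token, None) or (None, error)."""
        now = time.time() if now is None else now
        entry = self._codes.get(code)
        if entry is None:
            return None, "invalid_grant"
        if entry["used"]:
            # Replay of an already consumed code: drop it so it cannot be
            # retried; a production AS would also revoke tokens issued from it.
            del self._codes[code]
            return None, "invalid_grant"
        # The check the thread describes: the code must have been issued to
        # the (authenticated) client that is now presenting it. A code that
        # an attacker obtained through another client is therefore rejected.
        if entry["client_id"] != client_id:
            return None, "invalid_grant"
        if entry["redirect_uri"] != redirect_uri:
            return None, "invalid_grant"
        if now - entry["issued_at"] > CODE_LIFETIME_SECONDS:
            return None, "invalid_grant"
        entry["used"] = True
        return secrets.token_urlsafe(32), None
```

The client_id compared here must come from client authentication at the token endpoint, not from an unauthenticated request parameter, or the binding adds nothing.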