Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Jim Manico <jim@manicode.com> Tue, 27 November 2018 13:21 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, oauth <oauth@ietf.org>
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Jim Manico <jim@manicode.com>
Message-ID: <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com>
Date: Tue, 27 Nov 2018 18:51:26 +0530
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m4TbFlhPDz_NzYnxadZamoTFJoA>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Manicode Security is strongly in favor of deprecating the implicit flow in favor of the authorization code flow as suggested by this recommendation.

We're also eager to see secure implementations for SPA delegation be clarified by the working group as well.

Thank you for this important work!

Aloha and Well Wishes,
-- 
Jim Manico
Manicode Security
https://www.manicode.com

On 11/19/18 4:04 PM, Hannes Tschofenig wrote:

> Hi all,
>
> The authors of the OAuth Security Topics draft came to the conclusion
> that it is not possible to adequately secure the implicit flow against
> token injection since potential solutions like token binding or JARM
> are in an early stage of adoption. For this reason, and since CORS
> allows browser-based apps to send requests to the token endpoint,
> Torsten suggested to use the authorization code instead of the
> implicit grant in all cases in his presentation (see
> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01).
>
> A hum in the room at IETF#103 concluded strong support for his
> recommendations. We would like to confirm the discussion on the list.
>
> Please provide a response by December 3rd.
>
> Ciao
>
> Hannes & Rifaat
>