Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Jim Manico <jim@manicode.com> Tue, 27 November 2018 15:55 UTC
Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2B6B130DC4 for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 07:55:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IkTUk-J6FQZr for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 07:55:09 -0800 (PST)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5165112D4E9 for <oauth@ietf.org>; Tue, 27 Nov 2018 07:55:09 -0800 (PST)
Received: by mail-pf1-x42c.google.com with SMTP id c72so8580768pfc.6 for <oauth@ietf.org>; Tue, 27 Nov 2018 07:55:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=subject:to:cc:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=iCTtuYp14fzvxMii2P+MQ+Ap0mlpH7h3eMLysjYMdas=; b=RLZvwm/eE/t8mVlmaOf9TJLiXxgpdb9CQLEiYJ4VTCJe5Nz5N2yhXHwugAr5IJvarJ AnDIlgz4JOVOh4MS2EE/Zoe4xGm0WIuPaM7qVu0o1uUBjAQMXnewJU3Oo+GReKvpOh/J FYYIpOwdIL18YcOlO92PoENtIFlSya5C/lCp/i2+KK4QPei7cXi1fW4x0SfXcR/x+eR3 XPD2A4rDoAzAARozlpvOy26Z0m2Smjwnbx4OGwr7BYk5uE6tAsRiycdjCJKD53ZyemZz ExCRJ17Q7teyggV7O8r8wJRSzSLHmLRCkXgl0Eqym8eh/0UVQHSXjRYCU3obPusIIVEm M/sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language; bh=iCTtuYp14fzvxMii2P+MQ+Ap0mlpH7h3eMLysjYMdas=; b=fl3uuuD3Vd0M4vInOZd3kyXPLTao5W3bHgGUfzaWNcU4k+QyXQO41YwoaQc+9lbGJn 6DEEd4tfx5G72G+iWb1yLTwSLU1DkGD8WQoalJDPXlx0f1mgtr7SQ2Ool8KgQjAgr0rj 9nSmGvb6A+n4TAcllG+gd8s/J1wvaKQoV79LqK3rTlW1rUIIqpyxoeup/5XOmkQ2tmDI WF1i2Xaj5B3FFCMnEcyMvxJG68+9/lIMq/RnMDaeiY4JVwo5OwgKyo4RoaAsbW2+nDqu gr10zWcucRn7fNRiRg7NhOneud9tm4I2bxC/1ar7kCS02/0Y+HX3ydJUB8qj/MNbB6ea qrIw==
X-Gm-Message-State: AA+aEWY/0HIDZa8uRftXatOTSzdhxrJ0xVP+QiZv0uzNaW15qRXOBMlU jgTzKzAzezpgBiJj/LrJU7x/GOkuuuXmdQMQ
X-Google-Smtp-Source: AFSGD/WXu/x2ZhDDTdenjFPo94rfefNI5AClmFIW6Fe2obYxYjO5RiPVFnKXRlG5xe9ZpmRuM0kOoA==
X-Received: by 2002:a63:f811:: with SMTP id n17mr30466590pgh.23.1543334108465; Tue, 27 Nov 2018 07:55:08 -0800 (PST)
Received: from heembo.local (zipline.atenlabs.com. [206.251.244.230]) by smtp.googlemail.com with ESMTPSA id s2-v6sm11314300pfk.133.2018.11.27.07.55.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Nov 2018 07:55:07 -0800 (PST)
To: Nat Sakimura <sakimura@gmail.com>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: "openid-specs-ab@lists.openid.net Ab" <openid-specs-ab@lists.openid.net>, oauth@ietf.org
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com> <8935ff0f-aeab-c773-5e2d-6fedcc29119d@connect2id.com> <CABzCy2D0JAr-C1-jTcodpBdoUNx1We3JDg-PMcsOBL1Ga_m-Hw@mail.gmail.com>
From: Jim Manico <jim@manicode.com>
Openpgp: preference=signencrypt
Autocrypt: addr=jim@manicode.com; prefer-encrypt=mutual; keydata= xsFNBFcMHBYBEADN65JL/EhBkLog2kXXIvM90vyMfDgHWK0qP5lKaMWJdrZ/0AKJnGzOGWFg 8ezOlLp7yJQO/QBm+XDq6yda3uSNg3EugBjnPa24fcsb0fuEmoG0xq1TiF3G8byBxdr7TQqn 9xLUvkivl7XUfpeoKiHXpAwahLJiJsT3Y8oc32qF7IPiQLvqZBNNTesK+cz+MLm5UZxI5ZtH 1bfiyht+5eFrWIOQKFu7EEapRtBScY561xj7WKsLmj0F6cK/vG9CNss8lBsBgpBUXD1aE+Iy BJb98cZwbebfJA/AMg4W/HTcQSxfael8GfbOFidxT5uu45o/X6kjfa3ITU5YKM2EYaDZHiMo Qoojny83O7PrIJaB7JoIRD1h6Jtq0WjtSv08YO8r+d8QmEQ9gMt8oON7YYP69OsK+lBU+mKZ C5OfTW7GEW3egHqd7UtfzU/Sadp8MXr54/U3Elg0/E/da/OoxYyvoBInJVcR8QlfcA1JEr+R YFutoISigv6qSFHBssvaRK93W+R3TdHcJZUu33lk65FKnbbdcPmKWWXk1ZWBcaXZ2Rwa+NyR RCCVw2Sy/jVPCNvTtZuI9oeNXxgKfF2o5pVH3J/P7viKXFQafE9zLJC9Y2E5gP/FfHkFNaem X/RCggxQFtABhhOmHnho4tPeu55Jv0pd8d4xW4YlaeZb15wzGwARAQABzR1KaW0gTWFuaWNv IDxqaW1AbWFuaWNvZGUuY29tPsLBfQQTAQoAJwUCVwwcFgIbIwUJCWYBgAULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAAKCRBMeWW7x/Jmpp2VD/9lhjkr35vO7ZYRvTRnUeF/eDgfCYcRO1MD X0UNjX0rp02MB8BOqlFDiwUR9B3Mzh54GGHUsuUcmClTHm19SSGKvp8m8N68Uo47tc1BV7R9 6sINqgAr6LmIzCjhfABL4WhvpFu4i6eCcx/9kThWuX86IOAdXFiwvaUkYVr8krEDHyQaUn2j 9CbYqnXm6Ig9stJo9mrzB9lOKAxFTDuV7dMcV3zYTZ8T8AqwwRzoWFAT30n8/pU+rYyRmA6w B54LRCcsv7JxkVowmuXcsOZs5hw/qLN6Q1X5LJRAhYCjl+juX1FbiSNV4j3cEiEMKhOjtSVG iwgKHs94yfR9Y6zVcSVhYgUGb6luGLaZo3LbOEB3vinS+VU0yLM7EWDz41CAdPuiue/L4/+n ZnNEdOgSaLB1e9nX5AjbHIb7MYzYH359MwhXJv1uyY5PTg2CWPfJjtoh5R75NjjruZn3XZ1q 9PYVsmw4BiWia+0y7WBqR5UYPUHvqiMoqPxIYSFwECxuXlDDQvqYlaWBMDObxXTFbrHtg4I/ eDsMDWJtj1H/zDaD67DjoRLrZ/iL1eqWAweFXiaPg+q3071W1IxAeYrMoyDM0m5ZYUrwWubT U/T04VV/fJ+1r1Neu+hPEvquH9AguPHn2qYM/nnD8u7TLXd6q6gFQnfpBbsDPPWiqaGEW80m ys7BTQRXDBwWARAAnVe6i3g1q8YnoHsUwmF8XqkIntMJzRSLORr/bkNQ8Z8ajq6wgXcLQlVk cha5Acn/FKhcd8dyForbQvURlrnOrw3h8gna8Jq3muqIMfa6H/F889CPVkx7vW5rGUB7NsmH toSx7TH1IQPUfq99y0cwKGfWttdKBiUG5D7gpKtH3B78hz78+wSK3SUR4KEPdYXSzVqFlnOY McPwoY0jC2q991k4rSZeSEN7iXYhoUqzpMyeMItGhDskmE/0lYiB/ZlBUmq7LP7khQ1fJUf+ BeDyCBHNrK/kYi/ur597cyd92KuIUeDkuNIB/ZxVIZ24f9MTw5JHLcyk6IMzpgdw2NFfxzTL htoHtNhlzLkFAEfWu1OSjlZGh2YfybUt4cxp7ntV5tNRR/MDKrHSABbR4seX5L68KA/74osM LNK7KbpFAViZghoMFB/USzNrog8OBuktczdTYthi/U/UiE8n/sJ7IQ0WFuF2srfAlNrUdPnW QeJhVhKutyajTXai9M+RJ49p30fRhEpcWlvS1Rd7GXTJrLnEiL4u0E9Q5UA/khq2TwXZ4M6C 7KutaBBqz12dc/ENrJv0o6MI9srq14HmE2qqO46/PFJFWKSHWyousaMbKpmB8qPTP2S+swm+ xpk20Ck3Bco5sW8rv+Fza0i3+gXgTeMZ79gRMiWKxpQGaqvUsjkAEQEAAcLBZQQYAQoADwUC VwwcFgIbDAUJCWYBgAAKCRBMeWW7x/JmpgrrEADJ0BEmJX286qV/tT6WBoxffmOJm8ThrxVb NMrNjkQrEX2GiQTcZ93NTX39k7jctG6UFbvIAjhMm3lymAppXIXu66hA2sgnlNwYJkpj6xLj LhkK9rLNFDjWeBeqm4yfsnrST0CoO3j/1KkMSRuLnkFBGLiLjoijfRLudcR+wmRI5Nj0MWD0 3ejNEFyiMn34di3ULHvYdAjPdyIqvUjj9MPuRFz+rYEeBPoAMKsDdl5mQ/3UHGHzxNTTgN8B P1ansWK2oSB0bIBdjB13lUeBYctGUuH89c+3OzuBIwnvGc/J7aYwnLxr/qgPB6bvUltJ8FUz S6nSoFFNr+NIayVCrE3jzgsfyZxQZznX2Faa8dogIcOl5LiosgjUZG1T+7Zt8taaMBBeT6NZ hP/mmd5Oep/5kl+MihTdfj5w9evMItGIfIXr7OUDnO/zOPxL7e8CpZkR95j9Gjy7PrV5ahqK EAKb0rNV3k1XI1OJNefnfZRDMH/oGfhiGmT6KW/43lF18wfIH0u6ysALKGGOC+XCu4/k0xsJ MAdIvVGKXirAoA98RvSlstqMAPj7j7xX3/JWMQ5ynlpaecWtahzscLSut9IxhTIFWpstTGrH TI6CzZ3akG7EQJAN0OxhrA6iGfhL1bNoQZ7HvTf8yYZQSQBaFBqJvwqXFMyfV9QhhXiIQO9H Bw==
Message-ID: <2297d085-28f2-15dd-6dba-937dce9f2122@manicode.com>
Date: Tue, 27 Nov 2018 21:25:03 +0530
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <CABzCy2D0JAr-C1-jTcodpBdoUNx1We3JDg-PMcsOBL1Ga_m-Hw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------A549AABB3A1EED42F8395AF5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qGx02nZDGKI4hLLvL_wiUk_H-ZE>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 15:55:12 -0000
Nat, How is proof of possession established in a modern web browser in the implicit flow? My understanding is that token binding was removed from Chrome recently effectively killing browser-based PoP tokens. https://identiverse.com/2018/10/31/chrome-puts-token-binding-in-a-bind/ Am I missing something? Aloha, Jim On 11/27/18 9:00 PM, Nat Sakimura wrote: > I am actually -1. > > +1 for public client and the tokens that are not sender/key constrained. > > Just not being used right now does not mean that it is not useful.. In > fact, I see it coming. > Implicit (well, Hybrid “token id_token” really) is very useful in > certain cases. > Specifically, when the client is confidential (based on public key > pair), and uses sender constrained (key-constrained) token such as the > one explained in > https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04#section-5, it > is very useful. > (Key-constrained token is the remaining portion of this draft that did > not get incorporated in the MTLS draft. ) > In fact it is the only viable method for Self-Issued OpenID Provider. > > So, the text is generally good but it needs to be constrained like > “Unless the client is confidential and the access token issued is key > constrained, ... “ > > Best, > > Nat Sakimura > > > 2018年11月27日(火) 16:01 Vladimir Dzhuvinov <vladimir@connect2id.com > <mailto:vladimir@connect2id.com>>: > > +1 to recommend the deprecation of implicit. > > I don't see a compelling reason to keep implicit when there is an > established alternative that is more secure. > > Our duty as WG is to give developers the best and most sensible > practice. > > CORS adoption is currently at 94% according to > https://caniuse.com/#feat=cors > > Vladimir > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Jim Manico Manicode Security https://www.manicode.com
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt