assigned issue to
- changed status to open
Messages - 8. Add Threats and controls
At least, the following attacks are missing:
- replay attack
- token substitution attack
They are applicable to code, access_token, id_token, refresh_token.
In particular, explain how 'nonce' helps mitigate some of the problems.
Looking at X.1254 may also help.
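Added illustration, not part of this issue or of the OpenID Connect specification text: the replay check that the requested 'nonce' explanation would describe, written as a small relying-party (RP) routine in Python. The NonceStore class, the check_id_token_nonce function, the 300-second lifetime and the sample id_token payload are all constructed for this example; signature, issuer, audience and expiry validation of the id_token are assumed to have been done before this check runs. The same bookkeeping also rejects an id_token that was minted for a different RP session, because its nonce was never issued here.

```python
import secrets
import time


class NonceStore:
    """In-memory record of nonces a relying party has handed out.

    Constructed stand-in for a server-side session or shared store; the
    class and its methods are this example's own, not the spec's.
    """

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}      # nonce -> time issued, id_token not yet seen
        self._consumed = set()  # nonces already bound to an accepted id_token

    def issue(self, now=None):
        # Fresh, unguessable value placed in the authentication request and
        # remembered so that only this RP session can redeem it.
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = now
        return nonce

    def redeem(self, nonce, now=None):
        """Accept a nonce exactly once, and only while it is still fresh."""
        now = time.time() if now is None else now
        if nonce in self._consumed:
            return False, "nonce already used (replayed id_token)"
        issued_at = self._pending.pop(nonce, None)
        if issued_at is None:
            return False, "nonce not issued by this relying party"
        # Mark it used even when expired, so a late replay cannot succeed.
        self._consumed.add(nonce)
        if now - issued_at > self.ttl:
            return False, "nonce expired"
        return True, "ok"


def check_id_token_nonce(claims, store, now=None):
    """Tie an id_token's 'nonce' claim back to the request that asked for it.

    `claims` is the already signature-verified payload of the id_token
    (signature, issuer, audience and expiry checks are assumed done elsewhere).
    Returns (accepted, reason).
    """
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not nonce:
        return False, "id_token carries no nonce claim"
    return store.redeem(nonce, now)


if __name__ == "__main__":
    store = NonceStore(ttl_seconds=300)
    t0 = 1_700_000_000  # constructed clock value
    n = store.issue(now=t0)
    # Constructed id_token payload as the RP sees it after the signature check.
    token = {"iss": "https://op.example", "sub": "alice", "nonce": n}
    print(check_id_token_nonce(token, store, now=t0 + 10))  # (True, 'ok')
    print(check_id_token_nonce(token, store, now=t0 + 20))  # replay, rejected
```

The store keeps a consumed set separate from the pending map so that a nonce which arrives after its lifetime is still recorded as spent; otherwise an expired nonce could be presented again and would simply look unknown rather than replayed.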
Comments (3)
reporter: Replay has been dealt with in http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-06
Token substitution attack is being added to OAuth 2.0 security consideration as Resource Owner Impersonation.
Thus, it is not necessary now to add these to OpenID Connect.
We probably do not want to repeat all the threats and controls in X.1254 | ISO 29115. We could start writing down what the implementation may do as controls, but that will make the security consideration too long. We should just reference it and say appropriate measures should be taken.
Thus, proposed text:
Current:
8. Security Considerations OAuth 2.0 Threat Model and Security Considerations [OAuth.Threat] provides an extensive list of threats and controls that apply to this standard as well. In addition, this standard provides additional control measures listed below.
Proposal:
8. Security Considerations OAuth 2.0 Threat Model and Security Considerations [OAuth.Threat] provides an extensive list of threats and controls that apply to this standard as well. ITU-T X.1254 | ISO/IEC 29115 also provides threats and controls that implementors should take into account. In addition, this standard provides additional control measures listed below.
reporter - changed status to resolved
Fixed
#543 - Messages - Security Consideration. Added ref to X.1254 | ISO 29115.
Nat will work with Torsten on wording for this