Create a Threat Document about the Misuse of OAuth

Issue #1010 open
Nat Sakimura created an issue

The article that prompted this discussion is https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20-wp.pdf

The presentation about it is: https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20.pdf

Collect a summary of our discussions from December and January and see if it can be assigned to someone.

Comments (6)

  1. Tom Jones

    I have always felt that OAuth 2 suffered from a fatal weakness with regard to privacy. The base assumption is that all parties to the transaction are trustworthy. Where privacy is involved, this is seldom true. The only way for a security- and privacy-preserving identity ecosystem to develop is the work to make all of the parties to the transaction comply with rules. In this case it is the mobile apps, mostly from RPs, but it could be flows directly to an RP that just asked for more user private information than was needed to complete the transaction. I have been building an RP best practice example which shows how an RP can be compliant with the rules of the IDEF of the IDESG. Given such a set of rules it would be low cost for an RP to get audited as compliant if that were important to their success. That is still a challenge, but at least we know how to do it.

  2. Nat Sakimura reporter

    Tom is going to add some links to the healthcare good practices and codes of conduct.