Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.

Comments (14)

1. 

   Daniel Fett

   I think that this is correct as is. The first sentence is for the authorization request. The second sentence says that the response (unlike the request) can be ‘encrypted’ by encrypting the ID token.

   • 2021-07-07T11:54:39+00:00
2. 

   Ralph Bragg reporter

   But the implication of these two sentences is that the issue with leaking data in the request can be mitigated by encrypting the response which isn’t correct.

   • 2021-07-07T11:58:21+00:00
3. 

   Dave Tonge

   So I think the wording could be improved. @Nat Sakimura what is the process for errata?

   • 2021-09-29T13:51:30+00:00
4. 

   Nat Sakimura

   • changed component to Part 1: Baseline

   • 2022-12-14T15:35:55+00:00
5. 

   Nat Sakimura

   • changed component to FAPI 1 - Part 1: Baseline

   • 2022-12-14T15:36:27+00:00
6. 

   Nat Sakimura

   • changed component to FAPI 1 – Part 1: Baseline

   • 2022-12-14T15:37:00+00:00
7. 

   Nat Sakimura

   • changed component to FAPI 1 – Baseline

   • 2022-12-14T15:38:22+00:00
8. 

   Nat Sakimura

   • changed component to FAPI 1: Baseline

   • 2022-12-14T15:39:11+00:00
9. 

   Nat Sakimura

   As it stands, it is not proposing anything to mitigate the threats in the request. Since Baseline does not create request object, it has no option of encrypting it either.

   • 2023-05-24T20:04:48+00:00
10. 

    Nat Sakimura

    • changed status to open

    • 2023-06-07T14:26:45+00:00
11. 

    Dave Tonge

    we discussed on the call changing the 2nd sentence to read:

    The leakage of information from the ID token can be mitigated by encrypting the ID token. If the leakage of any other information in the authorization response is of concern then consider using JARM with encryption

    ‌

    • 2023-07-12T14:42:33+00:00
12. 

    Dave Tonge

    • changed status to resolved

    Merged in fapi1_errata_428 (pull request #428)

    fixes #428 -

    • fixes #428 - Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.

    • fixes #428 - update text for using encryption and JARM if desired.

    Approved-by: Dima Postnikov Approved-by: Dave Tonge Approved-by: Nat Sakimura Approved-by: Joseph Heenan

    → <<cset 19a6d5ef55d1>>

    • 2023-08-09T13:28:40+00:00
13. 

    Dave Tonge

    Merged in fapi1_errata_428 (pull request #428)

    fixes #428 -

    • fixes #428 - Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.

    • fixes #428 - update text for using encryption and JARM if desired.

    Approved-by: Dima Postnikov Approved-by: Dave Tonge Approved-by: Nat Sakimura Approved-by: Joseph Heenan

    → <<cset 19a6d5ef55d1>>

    • 2023-08-09T13:28:40+00:00
14. 

    Dave Tonge

    Merged in fapi1_errata_428 (pull request #428)

    fixes #428 -

    • fixes #428 - Baseline: Clause 7.4.1 Talks about security issues with authorization requests and responses but incorrectly refers to encrypting authorization 'responses' not requests.

    • fixes #428 - update text for using encryption and JARM if desired.

    Approved-by: Dima Postnikov Approved-by: Dave Tonge Approved-by: Nat Sakimura Approved-by: Joseph Heenan

    → <<cset 19a6d5ef55d1>>

    • 2023-08-09T13:28:40+00:00
15. Log in to comment