A7 Attacker Clarification
Issue #542
resolved
From Tim
One additional note: It should be clarified when/where the requests/responses leak. Following the section heading, I’d assume that they leak at the RS, e.g., a resource request leaks only after the “honest” request arrived at the RS. This distinction is important when considering DPoP Proof Replay: If the attacker has a chance to use a leaked DPoP proof before the honest request using that proof arrives at the RS, the RS cannot detect/prevent the attack (e.g., using DPoP nonces or the jti claim).
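To illustrate the timing point above, here is an added example (not code from the issue or from the BCP draft) of a simplified RS-side DPoP replay check that keys on the `jti` claim and a server-issued nonce; proofs are modelled as plain dicts whose signature is assumed already verified, and the class and claim values are constructed for the illustration.

```python
"""Simplified DPoP proof replay check at a resource server (RS).

Constructed example: a proof is a dict of the replay-relevant claims only;
signature verification and htm/htu binding are assumed to have passed.
"""
import time


class ResourceServer:
    """Remembers the 'jti' of every accepted proof (for a bounded window) and
    the nonce it currently hands out, so a proof presented twice is rejected."""

    def __init__(self, current_nonce, jti_ttl=300):
        self.current_nonce = current_nonce
        self.jti_ttl = jti_ttl
        self._seen = {}  # jti -> expiry timestamp

    def _purge(self, now):
        self._seen = {j: exp for j, exp in self._seen.items() if exp > now}

    def accept(self, proof, now=None):
        """Return True if the proof is fresh, False if it is a replay or stale."""
        now = time.time() if now is None else now
        self._purge(now)
        if proof.get("nonce") != self.current_nonce:
            return False  # nonce not issued by this RS, or already rotated
        if abs(now - proof["iat"]) > self.jti_ttl:
            return False  # outside the acceptance window
        if proof["jti"] in self._seen:
            return False  # jti already consumed: this is a replay
        self._seen[proof["jti"]] = now + self.jti_ttl
        return True


def simulate(order):
    """Present one leaked proof to the RS in the given sender order and
    return (sender, accepted) per presentation. The RS only sees arrival
    order: whichever copy arrives first wins, honest or not."""
    rs = ResourceServer(current_nonce="n1")
    leaked = {"jti": "c8f3", "htm": "GET",
              "htu": "https://rs.example/resource", "iat": 1000, "nonce": "n1"}
    return [(who, rs.accept(leaked, now=1000 + i)) for i, who in enumerate(order)]
```

Running `simulate(["honest", "attacker"])` rejects the replay, while `simulate(["attacker", "honest"])` accepts the attacker's copy and rejects the honest client's own request, which is exactly why the point of leakage matters.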
Comments (3)
- changed status to resolved
I want to also add my original note on the A7 attacker in PR #358, as this question was a source of confusion for us (i.e., may be a source of confusion for others, as well):