Normatively require Attackermodel
The current text does not require Attackermodel document. I think this is not right. We should make it so that there is a requirement that references the attackermodel document.
One way of doing it is to (while it is a bit weird to read):
Make
5.1. Introduction
The FAPI 2.0 Security Profile is an API security profile based on the OAuth 2.0 Authorization Framework [RFC6749], that aims to reach the security goals laid out in the Attacker Model [attackermodel].
into
5.1. Introduction
The FAPI 2.0 Security Profile is an API security profile based on the OAuth 2.0 Authorization Framework [RFC6749], that ~~aims to reach~~ shall fulfill the security goals laid out in the Attacker Model [attackermodel].
In addition, creating a terms and definition section in the attackermodel document and defining the following, and including them in clause 3 of this document, would be a good idea.
- A1 - Web Attacker
- A1a - Web Attacker participating as AS
- A2 - Network attacker
- A3a - Attacker at the authorization endpoint with Read Authorization Request capability
- A5 - Attacker at the token endpoint with Read and Tamper with Token Requests and Responses capability
- A7 - Attackers at the Resource Server with Read Resource Requests capability
Comments (2)
- changed status to resolved
PR has been merged