openid / mobile / issues / #122 - Security Considerations — Bitbucket

Issue #122 resolved

Dave Tonge created an issue 2018-11-28

I've opened this issue so we can get any additional security considerations into the draft. From the user_code issue we have the following:

user_code should not be stored by the RP
The OP should provide a method for the user to change the user_code

(are these security considerations or should they go into the user_code section of the spec)

Comments (7)

Dave Tonge reporter
- edited description
- 2018-11-28T08:40:54+00:00
Dave Tonge reporter
user_code MUST NOT be stored by the RP
- 2018-12-04T15:26:00+00:00
Dave Tonge reporter
we agreed to make the first point a MUST NOT and keep the second as a SHOULD. We discussed making the wording more explicit in the first one, i.e. the RP MUST ask the user for the user-code each time.

I will propose wording for this. We also agreed that this should be in the main user_code section rather than in the security considerations
- 2018-12-04T16:04:07+00:00
Dave Tonge reporter
- assigned issue to
  
  Dave Tonge
- 2018-12-06T10:00:25+00:00
Dave Tonge reporter
https://bitbucket.org/openid/mobile/commits/46cfd90cc66bfbbeec817e6acf842be4d1b161d2
- 2018-12-06T10:40:54+00:00
Brian Campbell
Merged pull request ~~#52~~

I think this can be resolved @dgtonge, if the "2 extra clauses to the user code section" are all that were still needed?
- 2018-12-11T21:24:24+00:00
Dave Tonge reporter
- changed status to resolved
2 clauses agreed and have been added
- 2018-12-12T12:35:54+00:00
Log in to comment

Assignee: Dave Tonge

Type: enhancement

Priority: major

Status: resolved

Component: CIBA

Milestone: CIBA Implementer's Draft

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!