Gabriel Corona comments

Results 204 comments of


                                            Gabriel Corona

3.5.3 update (stateless token signature or mac)

@ryarmst, this looks good but the first half is somewhat tautological, > Verify that cryptographically secured tokens use a digital signature or MAC […] where, > Cryptographically Secured Token -...

51.2.15 - OAuth - ask to be transaction-specific

> Although, I believe you are correct that the way 51.3.2 is written it is already handled in 51.2.2. We can remove 51.3.2 then since 51.2.2 handles it. Yes, I...

51.2.15 - OAuth - ask to be transaction-specific

> Is there any need to say the the nonce must be a unpredictable? I think, this should probably be somewhere and I don't believe it's currently really states **but**...

51.2.15 - OAuth - ask to be transaction-specific

> Potential [resource](https://ldapwiki.com/wiki/Wiki.jsp?page=Authorization%20Code%20Flow). In complete objectivity, I have to recommend [this resource](https://www.gabriel.urdhr.fr/2023/02/06/oauth2-diagr

51.2.15 - OAuth - ask to be transaction-specific

The fact that the authorization code is single use indeed prevent against authorization code replay (implemented AS-side). > From the authorization code replay attack point of view, being transaction-specific provides...

51.2.15 - OAuth - ask to be transaction-specific

See for reference on this topic [4.5.3](https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-24.html#name-countermeasures-4) from the Oauth Security topics draft. And: > **4.3.1 [Authorization Code in Browser History](https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-24.html#name-authorization-code-in-brows)** > > Countermeasures: > > * Authorization code replay...