Annabelle Backman

Results 5 comments of Annabelle Backman

I agree that `@authority` is the right tool to address this; however, the current language for it and `@target-uri` seem to not leave a lot of leeway for the verifier...

I agree with not defining every possible algorithm; however we should include those with known use cases, and AWS intends to use -384. Since the spec isn't finalized and the...

@yaronf Could you provide an example attack scenario that cannot be mitigated by signing additional semantically relevant message components, and is mitigated by the addition of a `context` parameter? The...

> Concretely, having a mandatory httpsign\n as the first line of the signature base would be a much better mitigation.

I'm not sure I buy this. If a non-HTTPSig consumer...

To elaborate on @rachitdhall's reply, part of that evaluation involves looking at how refresh token rotation would contribute to our overall threat mitigation strategy. As @frederikprijck rightly noted, refresh token...