- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 25 Dec 2011 11:14:32 +0100
- To: Amos Jeffries <squid3@treenet.co.nz>
- CC: ietf-http-wg@w3.org
On 2011-12-25 07:21, Amos Jeffries wrote:
> On Sat, 24 Dec 2011 08:46:45 -0500, Mark Nottingham wrote:
>> The OAUTH WG is creating a new authentication scheme for bearer tokens:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15
>>
>
> Reading section 2.3, it appears this method of transferring the
> credentials is open to replay attacks when caching TLS middleware is
> present. I believe this spec should mandate cache controls on responses
> using that method. Otherwise a lot of HTTP compliant middleware will
> feel free to store and supply the protected response to later replay
> attacks.
> ...

...you may want to send this to the OAuth WG...

Best regards, Julian
Received on Sunday, 25 December 2011 10:15:23 UTC
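The caching concern raised in the quoted message, shown from the server side as an added example (not code from the thread, the HTTP WG or the bearer draft): a helper that recognises a bearer-authenticated request and makes sure the response carries the Cache-Control directives a shared cache honours. The lowercase header-dict shape, the function names and the token value are assumptions made for this example.

```python
# Added example: keep responses to bearer-token requests out of shared caches.
# Recognises the two token-transport methods named in draft-ietf-oauth-v2-bearer-15
# that a proxy can see without a body: the Authorization header and the
# access_token query parameter. Header dicts are assumed to use lowercase keys.
from urllib.parse import parse_qs, urlsplit

# Directives that tell a shared cache (e.g. a TLS-terminating proxy) not to
# store the response or serve it to another client.
REQUIRED_DIRECTIVES = {"private", "no-store"}


def uses_bearer_token(target, headers):
    """True if the request carries a bearer token in the Authorization
    header or in the access_token query parameter."""
    scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
    if scheme == "bearer":
        return True
    return "access_token" in parse_qs(urlsplit(target).query)


def cache_directives(headers):
    """Parse the Cache-Control value into a set of lowercase directive names."""
    value = headers.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


def shared_cache_may_store(resp_headers):
    """True if the response lacks the directives that keep a shared cache
    from storing it and replaying it to a later client."""
    return not REQUIRED_DIRECTIVES <= cache_directives(resp_headers)


def harden_response(req_target, req_headers, resp_headers):
    """Return a copy of resp_headers with any missing 'private' and 'no-store'
    directives appended when the request was authenticated with a bearer token.
    Responses to unauthenticated requests are returned unchanged."""
    out = dict(resp_headers)
    if not uses_bearer_token(req_target, req_headers):
        return out
    missing = sorted(REQUIRED_DIRECTIVES - cache_directives(out))
    if missing:
        existing = out.get("cache-control", "").strip()
        out["cache-control"] = ", ".join(([existing] if existing else []) + missing)
    return out
```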