top | item 11637235

bgidley | 9 years ago

I agree - but as you say OAuth also suffers from MITM weaknesses. I'm just not convinced 'plain' client certs solve that, as it's very hard to distribute those securely and manage them. I guess it depends where you see these being used: if used server to server it's not too bad, but if pushed out to mobile devices (as I suspect they will be) they are very likely to leak unless strong app protection is applied.

If you're banking on strong app protection working, you really need to be notified of its state on the server, which this won't do; you need to use a securely signed message from the verification/protection libraries on the client.

That can be done by storing this key in a cryptographic whitebox and then linking its use to integrity verification.
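The signed-state idea in the comment above, as an added example that is not part of this thread or of Teller's TAuth: the client-side integrity library measures the app binary, binds the measurement to a server-issued nonce, and authenticates the message with a key it can use but never read; the server accepts the reported state only if the tag verifies, the nonce is fresh and the measurement is on its allowlist. Everything here is an assumption for illustration: the whitebox is modelled as a key holder that exposes only a MAC operation, HMAC-SHA256 stands in for whatever signature scheme a real protection library uses, and the binary bytes, allowlist and nonce flow are constructed.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed sample binary and the server's allowlist of known-good measurements.
# (Hypothetical: in practice the allowlist comes from the release pipeline.)
APP_BINARY = b"constructed sample of a mobile app binary, v1.0"
KNOWN_GOOD_HASHES = {hashlib.sha256(APP_BINARY).hexdigest()}


class WhiteboxKeyHolder:
    """Model of a cryptographic whitebox: holds the attestation key and exposes
    only a MAC operation, never the key bytes. (Assumption: a real whitebox hides
    the key in obfuscated lookup tables; this class just models the interface.)"""

    def __init__(self, key):
        self.__key = key

    def mac(self, data):
        return hmac.new(self.__key, data, hashlib.sha256).hexdigest()


def canonical(payload):
    # Deterministic encoding so client and server MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def client_attest(binary, nonce, holder):
    """Client-side integrity verification library (hypothetical): measure the app
    and bind the measurement to the server's nonce with the whitebox-held key."""
    payload = {
        "app_hash": hashlib.sha256(binary).hexdigest(),
        "nonce": nonce,
        "ts": int(time.time()),
    }
    return {"payload": payload, "tag": holder.mac(canonical(payload))}


class AttestationServer:
    """Server side: learns the client's protection state only from a message it
    can verify, rather than trusting the client's word for it."""

    def __init__(self, key, allowed_hashes, max_age_seconds=60):
        self._key = key
        self._allowed = set(allowed_hashes)
        self._max_age = max_age_seconds
        self._pending = set()  # nonces issued but not yet consumed

    def issue_nonce(self):
        nonce = os.urandom(16).hex()
        self._pending.add(nonce)
        return nonce

    def verify(self, msg):
        payload = msg["payload"]
        expected = hmac.new(self._key, canonical(payload), hashlib.sha256).hexdigest()
        # 1. Authenticity: anyone without the whitebox key cannot forge "good" state.
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad signature")
        # 2. Freshness: each nonce is single-use, so a captured message cannot be replayed.
        if payload["nonce"] not in self._pending:
            return (False, "replayed or unknown nonce")
        self._pending.discard(payload["nonce"])
        if abs(int(time.time()) - payload["ts"]) > self._max_age:
            return (False, "stale attestation")
        # 3. State: only a measurement of a known-good binary is accepted.
        if payload["app_hash"] not in self._allowed:
            return (False, "unknown app binary")
        return (True, "ok")


def demo():
    """Run the four scenarios a practitioner would want to see and return the verdicts."""
    key = os.urandom(32)
    server = AttestationServer(key, KNOWN_GOOD_HASHES)
    holder = WhiteboxKeyHolder(key)
    results = {}
    # Genuine app, fresh nonce: accepted.
    msg = client_attest(APP_BINARY, server.issue_nonce(), holder)
    results["genuine"] = server.verify(msg)
    # Same message sent again: nonce already consumed.
    results["replay"] = server.verify(msg)
    # Patched binary, honestly measured by the library: tag is valid, state is not.
    patched = client_attest(APP_BINARY + b" patched", server.issue_nonce(), holder)
    results["tampered"] = server.verify(patched)
    # Attacker claims good state but lacks the whitebox key: tag does not verify.
    forged = client_attest(APP_BINARY, server.issue_nonce(), WhiteboxKeyHolder(b"guess"))
    results["forged"] = server.verify(forged)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:9s} -> {verdict}")
```

The point of the ordering in `verify` is that the server never looks at the reported `app_hash` until the tag has checked out, so the reported state is only as trustworthy as the key in the whitebox is hard to extract; if that key leaks, the attacker can sign whatever state they like, which is exactly the leak risk the comment raises for mobile deployments.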

sjtgraham | 9 years ago

This is the first version of TAuth where only server apps are in scope. Work is already underway on the solution for Mobile… Teller will need it soon for upcoming products.