Nat Sakimura lays out the similarities and differences between OAuth and the proposed OpenID Contract Exchange (CX) extension, and argues that CX, even though it uses a similar protocol flow, is not vulnerable to OAuth's session fixation attack, because CX makes identities explicit where OAuth does not.
Of course, making identities explicit is pretty straightforward when you're using a global identifier; it gets a lot messier if you want to inhibit correlation through pairwise pseudonyms, since each relying party then sees a different identifier for the same user.
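To make the comparison concrete, here is a toy model of the two flows. It is an added illustration, not code from this post, from Nat Sakimura's write-up, or from the OAuth or CX specifications: the class names, the session bookkeeping, the `subject` field on the request token, and the HMAC-based pairwise identifier are all assumptions made for the example. In the non-explicit mode the provider does not know which session at the consumer a request token belongs to, which is the shape of the OAuth session fixation attack; in the explicit mode every request token names the subject it is for and only that subject may authorize it. The `pairwise` switch shows the extra step the post's second paragraph alludes to: the provider must derive the same per-consumer pseudonym the consumer used before it can compare identities at all.

```python
"""Toy model of OAuth session fixation versus an explicit-identity binding.
Added illustration only; the names and flows here are assumptions, not the
OAuth or CX wire protocols."""

import hashlib
import hmac
import secrets


class Provider:
    """Authorization server.  explicit=False: anyone holding the request token
    may complete the flow once some user has authorized it.  explicit=True:
    the request token carries the subject it is for, and only that subject
    may authorize it."""

    def __init__(self, explicit, pairwise=False, key=b"assumed-pairwise-key"):
        self.explicit = explicit
        self.pairwise = pairwise
        self.key = key          # assumed secret for deriving pairwise pseudonyms
        self.tokens = {}        # request token -> record

    def subject_for(self, user, consumer):
        """Identifier under which `consumer` knows `user`.  With pairwise
        pseudonyms this is an HMAC over (consumer, user), so two consumers
        cannot correlate the same user by identifier (assumed derivation)."""
        if not self.pairwise:
            return user
        mac = hmac.new(self.key, f"{consumer}|{user}".encode(), hashlib.sha256)
        return "ppid-" + mac.hexdigest()[:16]

    def issue_request_token(self, consumer, subject=None):
        token = secrets.token_hex(8)
        self.tokens[token] = {
            "consumer": consumer,
            "subject": subject if self.explicit else None,  # ignored when not explicit
            "authorized_by": None,
        }
        return token

    def authorize(self, token, user):
        """The user, logged in at the provider, approves the request token."""
        rec = self.tokens[token]
        if self.explicit and rec["subject"] != self.subject_for(user, rec["consumer"]):
            raise PermissionError("request token was not issued for this user")
        rec["authorized_by"] = user

    def exchange(self, token, consumer):
        """Consumer trades an authorized request token for an access token."""
        rec = self.tokens[token]
        if rec["consumer"] != consumer or rec["authorized_by"] is None:
            raise PermissionError("token not authorized for this consumer")
        return "access:" + rec["authorized_by"]


class Consumer:
    """Relying site.  Each browser session at the consumer is keyed by the
    identifier the consumer knows its user by (global or pairwise)."""

    def __init__(self, name, provider):
        self.name = name
        self.provider = provider
        self.pending = {}   # session -> request token
        self.access = {}    # session -> access token

    def begin(self, session):
        token = self.provider.issue_request_token(self.name, subject=session)
        self.pending[session] = token
        return token

    def complete(self, session):
        token = self.pending.pop(session)
        self.access[session] = self.provider.exchange(token, self.name)
        return self.access[session]


def run_fixation(explicit, pairwise=False):
    """Mallory starts the flow in her own session at the consumer, gets Alice
    to authorize that request token, then finishes the flow herself.  Returns
    the access token Mallory's session ends up holding, or None if the
    provider refused to let Alice authorize a token issued for Mallory."""
    provider = Provider(explicit, pairwise)
    site = Consumer("photos.example", provider)
    mallory = provider.subject_for("mallory", site.name)
    token = site.begin(mallory)             # attacker-initiated request token
    try:
        provider.authorize(token, "alice")  # victim follows the attacker's link
    except PermissionError:
        return None
    return site.complete(mallory)           # attacker resumes her own session


def run_legitimate(explicit, pairwise=False):
    """Alice starts, authorizes and completes the flow herself."""
    provider = Provider(explicit, pairwise)
    site = Consumer("photos.example", provider)
    alice = provider.subject_for("alice", site.name)
    token = site.begin(alice)
    provider.authorize(token, "alice")
    return site.complete(alice)


if __name__ == "__main__":
    print("implicit identity, fixation  ->", run_fixation(False))
    print("explicit identity, fixation  ->", run_fixation(True))
    print("explicit + pairwise, fixation->", run_fixation(True, pairwise=True))
    print("explicit + pairwise, honest  ->", run_legitimate(True, pairwise=True))
```

In the implicit mode Mallory's session at the consumer ends up holding Alice's access token; in the explicit mode the provider rejects Alice's authorization because the token names a different subject, and the honest flow still succeeds. The pairwise variant only works because the provider can recompute the consumer-specific pseudonym; a provider that issues pseudonyms it cannot regenerate, or a consumer that names the user by some other local handle, has nothing to compare, which is the messiness the post points at.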