by bgidley
3694 days ago
I agree - but as you say, OAuth also suffers from MITM weaknesses. I'm just not convinced 'plain' client certs solve that, as it's very hard to distribute those securely and manage them.
I guess it depends where you see these being used. If used server to server it's not too bad, but if pushed out to mobile devices (as I suspect they will be) they are very likely to leak unless strong app protection is applied. If you're banking on strong app protection working, you really need to be notified of its state on the server, which this won't do; you need to use a securely signed message from the verification/protection libraries on the client. That can be done by storing this key in a cryptographic whitebox and then linking its use to integrity verification.
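The server-side check the comment asks for, as an added example written for this page (not code from the thread or from any particular protection library): the server issues a nonce, the client's verification library returns an integrity report bound to that nonce and authenticated with a key the rest of the app cannot read, and the server refuses requests whose report is forged, replayed, stale, or reports tampering. Two simplifications are assumptions of this example: a plain bytes constant stands in for the whitebox-protected key, and HMAC-SHA256 with a server-shared key stands in for the "securely signed message".

```python
"""Signed app-integrity report, client and server sides.

Added example, not code from the original discussion. Assumptions:
  - CLIENT_REPORT_KEY stands in for a key the verification library keeps
    out of reach of the rest of the app (the "cryptographic whitebox")
  - HMAC-SHA256 stands in for the signed message; the server holds the
    same key, so this is a MAC rather than an asymmetric signature
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the whitebox-protected key (assumption).
CLIENT_REPORT_KEY = b"example-key-not-for-production"

# Reports older than this are rejected even if the nonce matches.
REPORT_MAX_AGE_S = 60


def issue_nonce():
    """Server side: a fresh per-session nonce the client must echo back."""
    return secrets.token_hex(16)


def build_report(integrity_ok, checks, nonce, key=CLIENT_REPORT_KEY, now=None):
    """Client side: the verification library authenticates what it observed.

    `checks` maps check names (e.g. "debugger", "signature") to pass/fail.
    The nonce and timestamp are inside the authenticated payload, so a
    captured report cannot be replayed into another session or later on.
    """
    body = {
        "nonce": nonce,
        "ts": int(now if now is not None else time.time()),
        "integrity_ok": bool(integrity_ok),
        "checks": checks,
    }
    # Canonical JSON so client and server MAC the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_report(report, expected_nonce, key=CLIENT_REPORT_KEY, now=None):
    """Server side: returns (accepted, reason).

    The tag is checked before the payload is parsed, so unauthenticated
    bytes never reach the JSON parser or the policy logic.
    """
    payload = report.get("payload", "")
    tag = report.get("tag", "")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag"
    try:
        body = json.loads(payload)
    except ValueError:
        return False, "malformed payload"
    if body.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    now = now if now is not None else time.time()
    if abs(now - body.get("ts", 0)) > REPORT_MAX_AGE_S:
        return False, "stale report"
    if not body.get("integrity_ok"):
        failed = [k for k, v in body.get("checks", {}).items() if not v]
        return False, "client reports tampering: " + ",".join(failed)
    return True, "ok"


if __name__ == "__main__":
    nonce = issue_nonce()
    good = build_report(True, {"debugger": True, "signature": True}, nonce)
    print(verify_report(good, nonce))          # (True, 'ok')
    # An attacker who can edit the report but not read the key cannot
    # flip integrity_ok without breaking the tag.
    bad = build_report(False, {"debugger": False, "signature": True}, nonce)
    forged = {"payload": bad["payload"].replace('"integrity_ok":false',
                                                '"integrity_ok":true'),
              "tag": bad["tag"]}
    print(verify_report(bad, nonce))           # (False, 'client reports tampering: debugger')
    print(verify_report(forged, nonce))        # (False, 'bad tag')
```

The whole scheme is only as strong as the secrecy of the key on the client, which is exactly why the comment ties it to a whitebox plus integrity verification: if the key is lifted, an attacker can produce a clean report from a tampered app, and the server has no way to tell.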