Add sentence suggesting that Issuer information should be validated by the Receiver #174

FragLegs · 2024-05-24T14:25:32Z

There are three problems mentioned in Issue #166:

We need to add language that suggests the Receiver validate the Issuer value before doing discovery. This PR addresses that.
We need to add TLS restriction to the stream management endpoints. PR Added language requiring authorization of stream management API #173 addresses that.
We need to restrict delivery methods to only secure options. That is already done by the fact that the Stream Configuration metadata's delivery.method field can only be one of push or poll.

…y the Receiver

openid-sharedsignals-framework-1_0.md

Co-authored-by: Tim Cappalli <tim@cloudauth.dev>

Add sentence suggesting that Issuer information should be validated b…

898ed73

…y the Receiver

FragLegs requested a review from a team as a code owner May 24, 2024 14:25

FragLegs linked an issue May 24, 2024 that may be closed by this pull request

Initial security audit feedback #166

Closed

tulshi approved these changes May 24, 2024

View reviewed changes

tulshi requested a review from timcappalli May 24, 2024 20:49

timcappalli requested changes May 26, 2024

View reviewed changes

openid-sharedsignals-framework-1_0.md Outdated Show resolved Hide resolved

FragLegs and others added 2 commits May 26, 2024 19:00

Update openid-sharedsignals-framework-1_0.md

40f8f03

Co-authored-by: Tim Cappalli <tim@cloudauth.dev>

Merge branch 'main' into 166-initial-security-audit-feedback

ae4df64

tulshi approved these changes Jun 4, 2024

View reviewed changes

timcappalli approved these changes Jun 6, 2024

View reviewed changes

FragLegs merged commit 7f5b8cf into main Jun 6, 2024
2 checks passed

FragLegs deleted the 166-initial-security-audit-feedback branch June 6, 2024 18:53

Provide feedback