[OAUTH-WG] OAuth Device Flow spec addressing Area Director comments

Mike Jones <Michael.Jones@microsoft.com> Mon, 23 April 2018 19:17 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 23 Apr 2018 19:17:25 +0000
Message-ID: <DM5PR00MB0296E989389D78FE7567A73FF5890@DM5PR00MB0296.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4q4LgVbHv8pCLmzs4J9-mUmAuW4>

The OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley (https://twitter.com/ve7jtb) for helping work out the response to Eric and to William Denniss (https://twitter.com/WilliamDenniss) for reviewing and publishing the changes to the draft.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-ietf-oauth-device-flow-09.html

                                                                -- Mike

P.S. This notice was also published at http://self-issued.info/?p=1823 and as @selfissued (https://twitter.com/selfissued).