Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-14.txt

William Denniss <wdenniss@google.com> Wed, 08 July 2015 00:38 UTC


In version 14, there's a typo on this line ("deso") in Section 7.2:

`"plain" method deso not protect`

Also, in the 1.1 Protocol Flow diagram, regarding the text:

`+ t(code_verifier), t`

I wonder if it makes more sense to represent as `+ t(code_verifier), "t"`
(note the quotes on the second 't') given that it's a string representation
of the method that's being sent?


On Mon, Jul 6, 2015 at 4:05 PM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Web Authorization Protocol Working Group
> of the IETF.
>
>         Title           : Proof Key for Code Exchange by OAuth Public
> Clients
>         Authors         : Nat Sakimura
>                           John Bradley
>                           Naveen Agarwal
>         Filename        : draft-ietf-oauth-spop-14.txt
>         Pages           : 20
>         Date            : 2015-07-06
>
> Abstract:
>    OAuth 2.0 public clients utilizing the Authorization Code Grant are
>    susceptible to the authorization code interception attack.  This
>    specification describes the attack as well as a technique to mitigate
>    against the threat through the use of Proof Key for Code Exchange
>    (PKCE, pronounced "pixy").
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-spop-14
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-spop-14
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
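As an added illustration of the points raised above (not code from the draft, the authors, or anyone in this thread): the transform t(code_verifier) for the two methods the draft defines, the method name sent as the string "t" in code_challenge_method, and the token-endpoint check; it also shows why Section 7.2 says "plain" does not protect, since the authorization request then carries the verifier itself. The AuthorizationServer class and all helper names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Unreserved characters the draft permits in code_verifier.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

def make_code_verifier(length: int = 64) -> str:
    """Random verifier from the unreserved set; the draft allows 43..128 chars."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))

def transform(code_verifier: str, method: str) -> str:
    """t(code_verifier) for the two methods the draft defines: "plain" and "S256"."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unknown code_challenge_method: {method}")

def build_authorization_params(code_verifier: str, method: str) -> dict:
    """Client side of the flow diagram: sends t(code_verifier) and "t" (the method name as a string)."""
    return {"code_challenge": transform(code_verifier, method),
            "code_challenge_method": method}

class AuthorizationServer:
    """Hypothetical minimal server: remembers challenge+method per code, verifies on exchange."""
    def __init__(self):
        self._codes = {}
    def issue_code(self, params: dict) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (params["code_challenge"], params["code_challenge_method"])
        return code
    def exchange(self, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # authorization codes are single use
        if entry is None:
            return False
        challenge, method = entry
        # Recompute t(code_verifier) with the stored method; constant-time compare.
        return hmac.compare_digest(transform(code_verifier, method), challenge)

def verifier_disclosed_by_request(params: dict) -> Optional[str]:
    """Section 7.2 in code: with "plain" the authorization request reveals the verifier; with S256 it does not."""
    return params["code_challenge"] if params["code_challenge_method"] == "plain" else None
```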