IETF Logo Mail Archive

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

Filip Skokan <panva.ip@gmail.com> Thu, 04 January 2024 11:11 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66A42C151066 for <oauth@ietfa.amsl.com>; Thu, 4 Jan 2024 03:11:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N15T2v0vf_B8 for <oauth@ietfa.amsl.com>; Thu, 4 Jan 2024 03:10:57 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9782EC14F71C for <oauth@ietf.org>; Thu, 4 Jan 2024 03:10:57 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2cc6b5a8364so4443791fa.2 for <oauth@ietf.org>; Thu, 04 Jan 2024 03:10:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704366655; x=1704971455; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=B4GlpARAOZxP0w9RAT/eli+NPny0vgZ826Ewyv0IhPY=; b=ZWm+A5V3+fUQZOcauwroEuQ5lMFpViP/YQNAVFzSw1BkgQxgIAL3BsP7pEJDAPF3Rn lpyYt0x9Y7te8Cw7ffx+r9Q4//8WFdGowQ7v/sLlrrON/mc5XF1kg9cYRTTMC25xGFtQ MGDG6LwhFNjHoLdgkiPGeJ0q5cVBB5fBC2R7gqi87pwSmxYl6m/XpwpNCxZM4j2swgRI oAoedvWdbK5k21VJwXWGLqFb6r+o6j5s0wFxtiePtoPBYdWnKdXG8hW1shwTHpspKJlT NRWB+1itVKrM3mphSLmXbNbv8/nMdy7IGhraV6GteAJx85u29TV70zrB41Hnf96hv4r3 y96g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704366655; x=1704971455; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=B4GlpARAOZxP0w9RAT/eli+NPny0vgZ826Ewyv0IhPY=; b=P0zTnrAbhSlC8zv9Ilfg+yXTpEaxelJOYkh5EaMl+V9//71gm6zLmrhgyREPab5Ndx ue6RQPWHDZUNiKy4f+NOS6ABURWLn1fiPIgpmgoZYfpJH8ptTsB017BAfcSTlR16BuMg k/lH1C6MlBCUFd/ZmqVSdVpAtIULDqGnS+sjxu9mGkSH2hw1/G7rXh7+3GmW9Zj+mYcp qASBpeSyy1e7sgNkTef1sLN/a3M10KYijbrMi8k9Wx9YofLLLMXO7pjHYfIibtfFFQgu MvYUGZDsXUzSyIDXzeY5yeavRWW3AFr/mik2ejVYz1Ax85x8S/nSu/DjScPQkG4veGQN jf+w==
X-Gm-Message-State: AOJu0Yza52cwWuIwPeE/vHZdZcAHh5gzdpFBP/1Gpcad/MYZ97Se6nbe iu9WbKKR0nwkk7+encADNHgkpYBPnctAMMy8YQ==
X-Google-Smtp-Source: AGHT+IHbAEsm6adnAjLSjUAiEcqLaJMbEGTqAutNxhvNfYZueyuZNBQEo4KwDUFABixk/8aFduCda1nntvi8NZdp0PE=
X-Received: by 2002:ac2:455a:0:b0:50e:aa1f:4427 with SMTP id j26-20020ac2455a000000b0050eaa1f4427mr237290lfm.51.1704366655162; Thu, 04 Jan 2024 03:10:55 -0800 (PST)
MIME-Version: 1.0
References: <ea11f400-45b4-4ef2-a926-f3f89697bca9@hackmanit.de> <bc5ccf22-47b3-4ca0-996e-c1cebcbe9a36@hackmanit.de>
In-Reply-To: <bc5ccf22-47b3-4ca0-996e-c1cebcbe9a36@hackmanit.de>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 04 Jan 2024 12:10:19 +0100
Message-ID: <CALAqi__ACWaAX_CoDQQ3wa_59Gnqr5KFMfgmffw0Gh4v878cjg@mail.gmail.com>
To: Karsten Meyer zu Selhausen | Hackmanit <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>, Louis Jannett <louis.jannett@rub.de>, Christian Mainka <christian.mainka@hackmanit.de>
Content-Type: multipart/alternative; boundary="0000000000000c4cbb060e1cc9f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0N9v_iONqW7YC7cHzd174Qd4qno>
Subject: Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 11:11:01 -0000

Hello Karsten,

Can you summarize in what ways is your draft compatible
with draft-sakimura-oauth-wmrm-00? Which of the described modes in Nat's
document does it cover?

There are existing implementations (both partial and full)
of draft-sakimura-oauth-wmrm-00 so if your draft is not compatible I would
recommend not using the same response mode name/identifier in your proposal.

What prompted you to start a new draft rather than
using draft-sakimura-oauth-wmrm-00?

S pozdravem,
*Filip Skokan*


On Thu, 4 Jan 2024 at 12:04, Karsten Meyer zu Selhausen | Hackmanit <
karsten.meyerzuselhausen@hackmanit.de> wrote:

> Hi all,
>
> we would like to ask again for feedback on our draft for the "web_message"
> response mode:
> *https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>
> *
>
> We think it would be very helpful for implementers and developers to
> specify a secure standard for a postMessage API-based response mode.
>
> Best regards,
> Karsten
> On 23.11.2023 10:11, Karsten Meyer zu Selhausen | Hackmanit wrote:
>
> Hi everyone,
>
> at the last OSW the topic of a response mode based on the postMessage API
> came up. This approach is already used by multiple parties (e.g., Google)
> but lacks standardization.
>
> There was some sense of agreement that it would be a good idea to create
> an RFC defining this response mode to counter security flaws in individual
> implementations and improve interoperability.
>
> Because the efforts in the past were long expired (draft -00 of
> https://datatracker.ietf.org/doc/draft-sakimura-oauth-wmrm/ expired in
> 2016) we took the initiative and started to work on a new ID for the
> "web_message" response mode.
>
> *We would like to to ask the members of the working group for feedback on
> our draft:
> https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/
> <https://datatracker.ietf.org/doc/draft-meyerzuselha-oauth-web-message-response-mode/>*
>
>
> I see that "draft-sakimura-oauth-wmrm" has been recently updated. However,
> there have not been any changes to its contents. What are the plans of the
> authors for this draft?
>
> Best regards
> Karsten
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Multi-Factor Authentication (MFA) significantly increases the security of your accounts.
> Learn in our blog posts what the best MFA options are and how FIDO2 goes one step further to solve the world’s password problem:https://www.hackmanit.de/en/blog-en/162-what-is-mfahttps://www.hackmanit.de/en/blog-en/165-what-is-fido2
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email