[OAUTH-WG] Security BCP Review

Lee McGovern <Lee_McGovern@swissre.com> Tue, 05 November 2019 11:59 UTC

From: Lee McGovern <Lee_McGovern@swissre.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Security BCP Review
Date: Tue, 5 Nov 2019 11:59:40 +0000
Message-ID: <e8801fda98a44c8eafad0856ce86c248@CHRP5009.corp.gwpnet.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1LpwxgaSBG1tAVG_CHzLSnsk1cs>

As discussed on the call yesterday, here are my comments after review of https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13

3.1 - "Clients MUST memorize which authorization server they sent an authorization request to" - is memorize the best synonym here, perhaps store or retain is more aligned with computational language?

3.1.2 How does the draft https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02 align with this guidance and will a future BCP update include a direct reference to the final published version of this spec?

3.5, 3.6 Since there is a reference to the MTLS draft, could there also be some guidance on the usage of token exchange best practice, and also for the contents of the access token to be aligned with https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02?
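To illustrate what the 3.1 clause asks a client to "store" or "retain" in practice, here is an added example (not from the original message or the draft): the client records the authorization server against the `state` value when it sends the request and rejects a callback attributed to any other server, which is the mix-up countermeasure the BCP builds on. The `Client` class, server names and the `responding_issuer` argument are constructed for this example; in a real client the responding server's identity comes from an `iss` response parameter or a per-server redirect URI.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample: two authorization servers the client is registered with.
# Issuer names and endpoints are illustrative, not from any real deployment.
AUTH_SERVERS = {
    "https://as-honest.example": "https://as-honest.example/authorize",
    "https://as-other.example": "https://as-other.example/authorize",
}


class Client:
    """Minimal OAuth client that retains the AS chosen for each transaction."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = {}  # state -> issuer the request was sent to

    def start(self, issuer):
        """Build the authorization request URL and record which AS it targets."""
        if issuer not in AUTH_SERVERS:
            raise ValueError("unknown authorization server")
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer  # the retained record the BCP asks for
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state}
        return AUTH_SERVERS[issuer] + "?" + urlencode(params)

    def finish(self, callback_url, responding_issuer):
        """Handle the redirect back to the client.

        responding_issuer is the AS the response is attributed to (an `iss`
        response parameter or a per-AS redirect URI); it must equal the AS the
        request was sent to, otherwise the code is discarded.
        Returns (code, None) on success or (None, reason) on rejection.
        """
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        expected = self._pending.pop(state, None)  # state is single-use
        if expected is None:
            return None, "unknown or replayed state"
        if responding_issuer != expected:
            return None, "authorization server mismatch"
        return query.get("code", [None])[0], None
```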

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of oauth-request@ietf.org
Sent: Thursday, 17 October 2019 21:00
To: oauth@ietf.org
Subject: OAuth Digest, Vol 132, Issue 24



Today's Topics:

   1. Re: Virtual Interim Meeting - Nov. 4th (Daniel Fett)
   2. Web Authorization Protocol (oauth) WG Virtual Meeting:
      2019-11-04 (IESG Secretary)


----------------------------------------------------------------------

Message: 1
Date: Thu, 17 Oct 2019 12:35:35 +0200
From: Daniel Fett <danielf+oauth@yes.com>
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Virtual Interim Meeting - Nov. 4th
Message-ID: <726efad4-a76c-c4dd-8a6e-b1097ac519c5@yes.com>
Content-Type: text/plain; charset="utf-8"

I'm in as well.

On 16.10.19 at 22:46, Mike Jones wrote:
>
> I would participate.
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * Vineet Banga
> *Sent:* Wednesday, October 16, 2019 7:19 AM
> *To:* Aaron Parecki <aaron@parecki.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Virtual Interim Meeting - Nov. 4th
>
> I would like to attend as well.
>
> Vineet
>
> On Wed, Oct 16, 2019 at 6:36 AM Aaron Parecki <aaron@parecki.com 
> <mailto:aaron@parecki.com>> wrote:
>
>     I'm interested as well.
>
>     Aaron Parecki
>
>     On Wed, Oct 16, 2019 at 3:54 AM Torsten Lodderstedt
>         <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>         Hi,
>
>         I'm interested.
>
>         kind regards,
>         Torsten.
>
>         > On 15. Oct 2019, at 17:44, Hannes Tschofenig
>         <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>>
>         wrote:
>         >
>         > Hi all,
>         >
>         > we would like to hold a virtual interim meeting to discuss
>         the next steps regarding the OAuth 2.0 Security Best Current
>         Practice
>         (https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/)
>         draft.
>         >
>         > Time would be at our bi-weekly OAuth WG Virtual Office Hours
>         (i.e., 6:00 PM to 6:30 PM, (UTC+01:00) Amsterdam, Berlin,
>         Bern, Rome, Stockholm, Vienna).
>         >
>         > Please let us know if you are interested in the call.
>         >
>         > Ciao
>         > Hannes & Rifaat
>         >
>         > _______________________________________________
>         > OAuth mailing list
>         > OAuth@ietf.org <mailto:OAuth@ietf.org>
>         > https://www.ietf.org/mailman/listinfo/oauth
>
>     --
>
>     ----
>
>     Aaron Parecki
>
>     aaronparecki.com
>
>     @aaronpk



------------------------------

Message: 2
Date: Thu, 17 Oct 2019 10:18:33 -0700
From: IESG Secretary <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
Cc: oauth@ietf.org
Subject: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2019-11-04
Message-ID: <157133271343.10206.12697042949233111458@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"

The Web Authorization Protocol (oauth) Working Group will hold a virtual interim meeting on 2019-11-04 from 18:00 to 19:00 Europe/Vienna.

Agenda:
The purpose of the meeting is to discuss the next steps regarding the OAuth 2.0 Security Best Current Practice (https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/) draft.

While our OAuth WG Virtual Office Hours is only 30 minutes long, I have extended the meeting invite to one hour (in case we need more time).

Webex info:
https://ietf.webex.com/ietf/j.php?MTID=ma9109b49231ef3fee527bbc24b6a285b
Meeting number (access code): 643 148 548
Host key: 317086


Information about remote participation:
https://ietf.webex.com/ietf/j.php?MTID=ma9109b49231ef3fee527bbc24b6a285b



------------------------------

------------------------------

End of OAuth Digest, Vol 132, Issue 24
**************************************

