Re: [OAUTH-WG] First Draft of OAuth 2.1

Brian Campbell <bcampbell@pingidentity.com> Thu, 12 March 2020 21:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DF53A09A4 for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 14:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id az8Iz0uh0R7e for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 14:17:57 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63CBF3A09A3 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:17:57 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id b13so6098525lfb.12 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:17:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NUwl8TIlAG/FsE+HFCilayo1Z4jwqtW/Qkt5YS+VZ+k=; b=BxdaxR92o83gOXVSJ9d9rVucIm9JmBaJ9uFsCitMcDnGarLSJxgUUT2s+4hjlp+oAw rusCv8mB4Awdfhkl0w4uoITLYvXeYaK09QyBxYii5uiLfpxYmc4JdG+ZGpNvtX/ZV+SY OGiy1shflKkfKZ0VcaPLmrzzEPVCIlgEAzti/a11Zo43Kmdebhvk5r5JYIyF043KdinR djCmZaprl8AIUqbdNBCaZfVnRD2nd2zUtJSmvU0Wrgu2lVJnHJEbLSdVyOerMJgjapSr vUg/yjBdwi6XLjbV0QDoOvzMCswC303KVG9p0zfaW+AxvEYYeU7vgOTYLOPgsM42IxFU D0TQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NUwl8TIlAG/FsE+HFCilayo1Z4jwqtW/Qkt5YS+VZ+k=; b=bQb0iFyX/5F6hjMHQP9POIo+zLv43NRW0oqMPbl6UATd++JfWEZSKwp5qQ/WZAGDQm dFLWvUkAP1bQ9tAOqSblI2q+Q2A8lFrvzx4ezdkh1Jznh3sKL6H+lefL46CUacd+QVaI fW4VpeAp25ZbHxNNAUrcRSl0jmM5zinJSwx87Ro70G4mkU8RbtUvmvHX4KKFsCbAnOUh m0oFiseFu7AZyywnk1smnpqgGqnZYUSu51S76gpUWY/yRBqxNkY9PXGlzqr0IImYstG0 L0/DG43xmavKn5Vn+J2q27oOjYfTJkGsneIEFnOjBZFmb7TBOn1tw8bK+l+JAYSmFonR Qhuw==
X-Gm-Message-State: ANhLgQ0YbYBOInmb2CZOQz8Xy/T6IbBS5RgyebUsxgGUDQHRblLOku8r CYthrcy7QPlpuEY3VmycwTgyrH1WAOo5LPKmcpiOgH2unZWLuJzpBnkuHs5RdMmozuOfmOkj4Cu GSKr1KyHF4Arw5C1qX/o=
X-Google-Smtp-Source: =?utf-8?q?ADFU+vuID4wfZ+/7Kftm2x3KD7xYFLNv9/BwVNjRGpV7?= =?utf-8?q?Fxcr1GJHvUWZlt8YWnpEZXWVc6djBrDA87SPTiRkngNI5Go=3D?=
X-Received: by 2002:ac2:51c7:: with SMTP id u7mr6347318lfm.195.1584047875127; Thu, 12 Mar 2020 14:17:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjr5L5sNoexzOgipkVVewNL+DypSo5S8bkai8PuJ61GB+Q@mail.gmail.com> <D292892C-D0EB-42A8-B5BD-372227EB3728@lodderstedt.net> <CAGBSGjotot2h2GPx+QBgsn_u_O50gTV7isb0F1dnSGeC1TdaGA@mail.gmail.com>
In-Reply-To: <CAGBSGjotot2h2GPx+QBgsn_u_O50gTV7isb0F1dnSGeC1TdaGA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 12 Mar 2020 15:17:28 -0600
Message-ID: <CA+k3eCTiHabzfaXEnnUkZXbG=_udLVLzuQ9AAPwufp+PU4h2Lw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e7a30205a0aee27b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1Y1-FR2I4vmu8e0l7bOhaQWIwd8>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 21:17:59 -0000

On Thu, Mar 12, 2020 at 3:03 PM Aaron Parecki <aaron@parecki.com> wrote:

> > The Security BCP recommends S256.
>
> Is a recommendation enough to change the default?


No.

How would that work in practice anyway? If no code_challenge_method was
present, then you'd need to know which version of OAuth is being used
(how?) in order to know which default code challenge method to use.

Please don't.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._