Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

n-sakimura <> Wed, 04 December 2019 10:09 UTC

From: n-sakimura <>
To: Hannes Tschofenig <>, "" <>
Date: Wed, 04 Dec 2019 10:09:06 +0000
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Sorry to chime in so late, and I have not been able to follow all the mail in the thread, so it may have come up before, but just for the sake...

1) Spelling of "OpenID"
"OpenID" is sometimes spelled "OpenID" and sometimes "OpenId".
Please unify to "OpenID" as that is the official way of expressing it. 
Of course, it does not apply to the URIs. 

2) Has WPAD/PAC attack been mitigated in all user-agents? 

WPAD/PAC used to trivially leak the request URIs (in terms of HTTP, not OAuth) in some browsers that were configured to use proxy auto-config. So, in that kind of scenario, both Authorization Request URI and Authorization Response URI would have leaked. 
(Depending on the HTTP agent that the client uses, it would have leaked its requests as well, though they are typically not auto-configured, so are safe in most cases.)
Did those browsers disappear? (Hopefully yes, but not sure.)
If not, it might be worth adding it. 


Nat Sakimura

-----Original Message-----
From: OAuth <> On Behalf Of Hannes Tschofenig
Sent: Wednesday, November 6, 2019 5:27 PM
Subject: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hi all,

this is a working group last call for "OAuth 2.0 Security Best Current Practice".

Here is the document:

Please send your comments to the OAuth mailing list by Nov. 27, 2019.
(We use a three week WGLC because of the IETF meeting.)

Hannes & Rifaat

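Added illustration of the WPAD/PAC leakage raised above (example code, not part of the thread and not from the draft). A proxy auto-config script is JavaScript that the browser calls as FindProxyForURL(url, host) for every navigation; whatever URL string the browser passes in is visible to whoever served the PAC file. The model below compares what a PAC script observes under the old behaviour (full URL) and under the mitigation that Chromium and Firefox shipped, in which the browser strips path, query and fragment from https:// URLs before invoking the script. The authorization request, code-flow response and implicit-flow response URLs are constructed sample values, not real endpoints or tokens.

```javascript
// Model of what a PAC script's FindProxyForURL(url, host) would see for
// OAuth authorization request/response URLs. Constructed example; the URLs,
// client_id, state and code values below are made up for illustration.

// Query or fragment parameters that are security-sensitive if a PAC script can read them.
const SENSITIVE_PARAMS = ['code', 'state', 'access_token', 'id_token', 'code_challenge', 'nonce'];

// Constructed sample URLs (not from the thread or the draft).
const AUTH_REQUEST =
  'https://as.example/authorize?response_type=code&client_id=sample-client' +
  '&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&state=af0ifjsldkj' +
  '&code_challenge=SAMPLE_CHALLENGE&code_challenge_method=S256';
const CODE_RESPONSE = 'https://client.example/cb?code=SAMPLE_CODE&state=af0ifjsldkj';
const IMPLICIT_RESPONSE = 'https://client.example/cb#access_token=SAMPLE_TOKEN&token_type=bearer&state=xyz';

// The URL string a browser hands to FindProxyForURL. With stripHttpsPath=true the
// mitigated behaviour is modelled: for https:// only scheme and host are passed.
// Plain http:// URLs are passed in full either way, which is why the mitigation
// does not help clients that still redirect over cleartext HTTP.
function urlSeenByPac(fullUrl, stripHttpsPath) {
  const u = new URL(fullUrl);
  if (stripHttpsPath && u.protocol === 'https:') {
    return `${u.protocol}//${u.host}/`;
  }
  return u.href;
}

// Sensitive parameter names a PAC script could read from the URL it was given.
function exposedParams(urlForPac) {
  const u = new URL(urlForPac);
  const found = new Set();
  for (const [name] of u.searchParams) {
    if (SENSITIVE_PARAMS.includes(name)) found.add(name);
  }
  // Implicit-flow responses carry tokens in the fragment rather than the query.
  if (u.hash.length > 1) {
    for (const [name] of new URLSearchParams(u.hash.slice(1))) {
      if (SENSITIVE_PARAMS.includes(name)) found.add(name);
    }
  }
  return [...found].sort();
}

// A toy PAC script that records what it was shown; a hostile one would exfiltrate it.
const pacLog = [];
function FindProxyForURL(url, host) {
  pacLog.push(url);
  return 'DIRECT';
}

// Runs the three sample navigations under one policy and reports exposure per URL.
function simulate(stripHttpsPath) {
  pacLog.length = 0;
  const result = {};
  for (const [label, full] of [['request', AUTH_REQUEST], ['code', CODE_RESPONSE], ['implicit', IMPLICIT_RESPONSE]]) {
    const seen = urlSeenByPac(full, stripHttpsPath);
    FindProxyForURL(seen, new URL(seen).host);
    result[label] = exposedParams(seen);
  }
  return result;
}

console.log('full URL passed to PAC  :', simulate(false));
console.log('https path stripped     :', simulate(true));
```

The first call shows the authorization code, state and PKCE challenge all readable by the PAC script; the second shows nothing exposed for https:// URLs. The http:// case is left in deliberately: urlSeenByPac('http://client.example/cb?code=x', true) still returns the full URL, so a redirect_uri over plain HTTP leaks the code regardless of the browser fix.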