Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

n-sakimura <n-sakimura@nri.co.jp> Wed, 04 December 2019 10:09 UTC

Return-Path: <n-sakimura@nri.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 441EF120170 for <oauth@ietfa.amsl.com>; Wed, 4 Dec 2019 02:09:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3gnyp1enoYxe for <oauth@ietfa.amsl.com>; Wed, 4 Dec 2019 02:09:10 -0800 (PST)
Received: from nrifs01.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBF0F12016E for <oauth@ietf.org>; Wed, 4 Dec 2019 02:09:09 -0800 (PST)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs01.index.or.jp (Postfix) with ESMTP id ADE4177EE4; Wed, 4 Dec 2019 19:09:08 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id 8A1824E0046; Wed, 4 Dec 2019 19:09:08 +0900 (JST)
Received: from nriea04.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id xB4A98He024587; Wed, 4 Dec 2019 19:09:08 +0900
Received: from nrims00b.nri.co.jp ([192.50.135.12]) by nriea04.index.or.jp with ESMTP id xB4A98FB024580; Wed, 04 Dec 2019 19:09:08 +0900
Received: from nrims00b.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id xB4A98Os040489; Wed, 4 Dec 2019 19:09:08 +0900
Received: (from mailnull@localhost) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id xB4A98jq040488; Wed, 4 Dec 2019 19:09:08 +0900
X-Authentication-Warning: nrims00b.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf15.index.or.jp ([172.100.25.24]) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id xB4A98FL040485; Wed, 4 Dec 2019 19:09:08 +0900
Received: from CUEXE02PA.cu.nri.co.jp (192.51.23.32) by CUEXM03PA.cu.nri.co.jp (172.159.253.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 4 Dec 2019 19:09:07 +0900
Received: from JPN01-OS2-obe.outbound.protection.outlook.com (104.47.92.56) by ex.nri.co.jp (192.51.23.33) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 4 Dec 2019 19:09:07 +0900
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jjEbvQpO0nHvN+MhgkqYlVyEwGHrDlbTtgQ2PD5bG2DbJqocL0lDNFLA5dYms5HHefi6XuwjoK6CjNj7gFrqKY2lI/2qNjHlE9wGKLmvj8A+m36RXo4xACwbfFxfgiIbvM+agKd4BPA05G5Vki7Y3QvayOjWnXB6c7gUDEjKvRVLOskV7vhp6tIKI1gLUT2CqcN1UoHBqvzw4P4LfpI7KYLInHU8Gxa9LZqvs27cReofjZuX+7DrjQE+IJ0fAfrXcSyvtk3zzdfC3XGfz8XpGpii958yZuJZjDDqtUzHXbdPbPdT3Wbyw0cqQ/Z7yR/BYSDmbWSudCeyIaUA8pgFmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sccRYvbHO7M3V+7OqQWUBQrJp0sWFiLpqxwLjkbIKHU=; b=A3lIip3zcaivA91QditykmIP5sufUWqcEN8gb3Zx9tlxCn9PTim3o5CUoD3fStMMzYc50ryfVZpVaAUBWWK42+C3b3yEjAzM/yvRMx0fi/U0sW0Hf3eW/83aDnNodU5lY6qx4BGN9PimPfyOThWL9Pi+JAEO3OBqPpeVHL4h4F4sodQmAA8Xdlx+TchuzOF1yqNx0gteuavepTIGgQVjdv6J22TCio/BDi83JP70DQcFbv3Yh5lCXpaLhedl2SZYPJbWjmEqsCtFEybUYZ6YpJTaGM7vLoHnCLR40o17PjAoz++LEfJDgTBrM2YUqQ6CZ71Oasz/6UKv9kN2i7Na/A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cu.nri.co.jp; dmarc=pass action=none header.from=cu.nri.co.jp; dkim=pass header.d=cu.nri.co.jp; arc=none
Received: from TYAPR01MB4413.jpnprd01.prod.outlook.com (20.179.187.79) by TYAPR01MB3152.jpnprd01.prod.outlook.com (20.177.104.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.20; Wed, 4 Dec 2019 10:09:06 +0000
Received: from TYAPR01MB4413.jpnprd01.prod.outlook.com ([fe80::6172:bb3b:698e:e9e3]) by TYAPR01MB4413.jpnprd01.prod.outlook.com ([fe80::6172:bb3b:698e:e9e3%7]) with mapi id 15.20.2495.014; Wed, 4 Dec 2019 10:09:06 +0000
From: n-sakimura <n-sakimura@nri.co.jp>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: WGLC for "OAuth 2.0 Security Best Current Practice"
Thread-Index: AdWUe7vJeyT5tvxoSSGfe7d18Ckk5QWDfArw
Date: Wed, 4 Dec 2019 10:09:06 +0000
Message-ID: <TYAPR01MB44130B21920E252EF68720C5F95D0@TYAPR01MB4413.jpnprd01.prod.outlook.com>
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailadviser: Ver 3.40R03
authentication-results: spf=none (sender IP is ) smtp.mailfrom=n-sakimura@cu.nri.co.jp;
x-originating-ip: [133.250.166.13]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 88cdb3ae-d119-453e-9149-08d778a1ff83
x-ms-traffictypediagnostic: TYAPR01MB3152:
x-microsoft-antispam-prvs: <TYAPR01MB3152A4F994CE267F4E3F46F1F95D0@TYAPR01MB3152.jpnprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(136003)(396003)(39860400002)(366004)(376002)(13464003)(365934003)(199004)(189003)(53754006)(40434004)(966005)(446003)(256004)(14444005)(11346002)(5024004)(229853002)(6436002)(55016002)(25786009)(8936002)(110136005)(81156014)(81166006)(33656002)(478600001)(14454004)(8676002)(9686003)(6306002)(7736002)(74316002)(316002)(6246003)(71200400001)(15650500001)(52536014)(7696005)(102836004)(76176011)(26005)(2501003)(5660300002)(53546011)(6506007)(6116002)(3846002)(76116006)(86362001)(64756008)(66476007)(66556008)(66446008)(71190400001)(66946007)(305945005)(186003)(2906002)(99286004); DIR:OUT; SFP:1102; SCL:1; SRVR:TYAPR01MB3152; H:TYAPR01MB4413.jpnprd01.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: cu.nri.co.jp does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bH8CVDceZ3h/bSs0SFwh8RCmUH6/Ty88jk0TyZZskfXH3+ZVTO4B5e/FpOSYpdFH90R50GNKkx7EZoY59b0E5IBqkCv5XXhxncoM/JeMtJW/xhb7vJ4NPsfR/EdCBZutRggVq5tPjKa88lp92avsVgsvb79l+OP75z7EgGitjsV6paZxiHcXUebPLKvjBqj/wJd/Zhhn4cxSPUGRkyCVAW0PMz6rn2sXbBK8uDFipeUHx/yWXR+KKX/ppHrEehSmZgfgq+Rm6sHqaN+XDQ0JDyp3pSmDP/pC1g06aECUmv11Oj8fQdoJvO27vEDAoLygqN05g9WYd21C9AQlkPKucm/VvqToGPYZ3a8iBSYzdi2GfZPIVen3vTBIX6VYUSHLVqo+M7sBhOfuTJ/6i1SS51aPQOZTLlbfaVQXN69R/2/oTD9pd65pxjD0UNzCIrp9LNO97u4J07GPOFNd/5l9RY7duusiLqgJfKTLkGZW80rR2TeAZWQJMiYEbkU6c1M5ehN7hJi1h5aoTbmkJTDy3z5pXiryH10Tx98VnkwaPf3gy259uJC3OSLwLaUsvri4yGsvYDXfgQProk1E6q+QltXYSEd4QFXcSkYfLVXsiYE=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 88cdb3ae-d119-453e-9149-08d778a1ff83
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2019 10:09:06.7655 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e3e360d9-7e7f-48d5-ac33-3c5de61f0a75
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: /LjTwJQ4xB2lUGRAL9jZUHA73TYNT5dEfg8L0ds4e4x2jIjpaE3fEtpKBv7Gw8CN6mgYg0BWFeg51JV5h/KhlQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYAPR01MB3152
X-OrganizationHeadersPreserved: TYAPR01MB3152.jpnprd01.prod.outlook.com
X-CrossPremisesHeadersPromoted: CUEXE02PA.cu.nri.co.jp
X-CrossPremisesHeadersFiltered: CUEXE02PA.cu.nri.co.jp
X-OriginatorOrg: cu.nri.co.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2geWHoMxG-K8L7o9xCOT247KT2Q>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2019 10:09:12 -0000

Sorry to chime in so late as well as I have not been able to follow up all the mail in the tread, so it may have come up before but just for the sake... 

1) Spelling of "OpenID"
"OpenID" is sometimes spelled "OpenID" and sometimes " OpenId". 
Please unify to "OpenID" as that is the official way of expressing it. 
Of course, it does not apply to the URIs. 

2) Has WPAD/PAC attack been mitigated in all user-agents? 

WPAD/PAC used to trivially leak the request URIs (in terms of HTTP, not OAuth) in some browsers that were configured to use proxy auto-config. So, in that kind of scenario, both Authorization Request URI and Authorization Response URI would have leaked. 
(Depending on the HTTP agent that the client uses, it would have leaked its requests as well though they are typically not auto-configured so are save in most cases.) 
Did those browsers disappeared? (Hopefully yes but not sure.) 
If not, it might be worth adding it. 

Best, 

Nat Sakimura
---------------------------------------------------------
PLEASE READ:This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail.

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Wednesday, November 6, 2019 5:27 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hi all,

this is a working group last call for "OAuth 2.0 Security Best Current Practice".

Here is the document:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13

Please send you comments to the OAuth mailing list by Nov. 27, 2019.
(We use a three week WGLC because of the IETF meeting.)

Ciao
Hannes & Rifaat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth