Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Justin Richer <jricher@mit.edu> Wed, 06 November 2019 20:56 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu>
Date: Wed, 6 Nov 2019 15:55:54 -0500
In-Reply-To: <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Jared Jennings <jaredljennings@gmail.com>
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3RzQmfBbt9stqK_EmUWSm-KxGQQ>

1. Normative MUST/REQUIRED is fine in a BCP. 

2. This is not the definitive list, but instead the best list of things that we have at this time. There will be more attacks, and more mitigations for those attacks.

 — Justin

> On Nov 6, 2019, at 3:16 PM, Jared Jennings <jaredljennings@gmail.com> wrote:
> 
> Hi,
> 
> This is my first time reviewing a document or responding to the group. So, with that introduction feel free to guide me along the way.
> 
> Reading through the document, I had a few high-level questions first. I will have more detailed comments later, once I know I'm on the right track. I assume I should just share those comments with the mailing list?
> 
> 1. Since the document is a "Best Practices" document, are the words "MUST" and "REQUIRED" and other definitive terms appropriate? Would SHOULD and RECOMMENDED be used instead?
> 
> 2. Should other possible threats and vulnerabilities be included? Meaning, is the list the definitive known list?
> 
> Thanks!
> -Jared
> Skype:jaredljennings
> Signal:+1 816.730.9540
> WhatsApp: +1 816.678.4152
> 
> On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> Hi all,
> 
> this is a working group last call for "OAuth 2.0 Security Best Current Practice".
> 
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> 
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three week WGLC because of the IETF meeting.)
> 
> Ciao
> Hannes & Rifaat
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth