Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-11.txt
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 28 December 2018 18:03 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74C44131063 for <oauth@ietfa.amsl.com>; Fri, 28 Dec 2018 10:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y2nYgVYBqV5Z for <oauth@ietfa.amsl.com>; Fri, 28 Dec 2018 10:03:10 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFA8E130E7E for <oauth@ietf.org>; Fri, 28 Dec 2018 10:03:10 -0800 (PST)
Received: from [91.13.153.47] (helo=[192.168.71.123]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1gcwTU-0003mr-Pi for oauth@ietf.org; Fri, 28 Dec 2018 19:03:08 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_2159782A-9FD2-4A54-97E1-669837A61D7D"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 28 Dec 2018 19:03:07 +0100
References: <154601787561.21480.16867279894249777899@ietfa.amsl.com>
To: oauth <oauth@ietf.org>
In-Reply-To: <154601787561.21480.16867279894249777899@ietfa.amsl.com>
Message-Id: <75EF29A8-B856-4F20-BAD1-4A89D5502F19@lodderstedt.net>
X-Mailer: Apple Mail (2.3445.102.3)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4-Q_NxoKDql7M7hO1SOt6KSCM1k>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2018 18:03:13 -0000
Hi all, the new revision incorporates the outcome of the consensus call on implicit grant (and the like). It also has more text on Refresh Token expiration and implementation of Refresh Token replay detection via Refresh Token rotation. Thanks a lot for all the valuable feedback. kind regards, Torsten, > Am 28.12.2018 um 18:24 schrieb internet-drafts@ietf.org: > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Web Authorization Protocol WG of the IETF. > > Title : OAuth 2.0 Security Best Current Practice > Authors : Torsten Lodderstedt > John Bradley > Andrey Labunets > Daniel Fett > Filename : draft-ietf-oauth-security-topics-11.txt > Pages : 32 > Date : 2018-12-28 > > Abstract: > This document describes best current security practice for OAuth 2.0. > It updates and extends the OAuth 2.0 Security Threat Model to > incorporate practical experiences gathered since OAuth 2.0 was > published and covers new threats relevant due to the broader > application of OAuth 2.0. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11 > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-11 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-11 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D Action: draft-ietf-oauth-security-… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt