Re: [OAUTH-WG] OAuth 2.0 Device Flow: Call for Adoption Finalized

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 06 February 2016 11:41 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39F001B2C78 for <oauth@ietfa.amsl.com>; Sat, 6 Feb 2016 03:41:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.251
X-Spam-Level:
X-Spam-Status: No, score=-2.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZVstbla1stB for <oauth@ietfa.amsl.com>; Sat, 6 Feb 2016 03:41:53 -0800 (PST)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DC061B2C77 for <oauth@ietf.org>; Sat, 6 Feb 2016 03:41:53 -0800 (PST)
Received: from [79.218.87.147] (helo=[192.168.71.102]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1aS1FR-0007MP-0G; Sat, 06 Feb 2016 12:41:53 +0100
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
References: <56B3A3E6.5000109@gmx.net>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <56B5DBE6.3090300@lodderstedt.net>
Date: Sat, 6 Feb 2016 12:41:26 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56B3A3E6.5000109@gmx.net>
Content-Type: multipart/alternative; boundary="------------020108070608050606030005"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/5SWmCXYgmhg4Yi2HVH9jhtkzwD0>
Subject: Re: [OAUTH-WG] OAuth 2.0 Device Flow: Call for Adoption Finalized
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Feb 2016 11:41:55 -0000

I support adoption of this draft as starting point.

I would like to note the following:
- this flow is vulnerable to session fixation - A discussion of this 
threat along with a reasonable mitigation needs to be added.
- I dont't understand why this particular flow precludes use of client 
secrets. The application rendered on a device with limited input 
capabilities could be a web application as well. For exampe, we run such 
apps on our IP TV platform.

kind regards,
Torsten.

Am 04.02.2016 um 20:17 schrieb Hannes Tschofenig:
> Hi all,
>
> On January 19th I posted a call for adoption of the OAuth 2.0 Device
> Flow specification, see
> http://www.ietf.org/mail-archive/web/oauth/current/msg15403.html
>
> The feedback at the Yokohama IETF meeting was very positive and also the
> response on the mailing list was positive.
>
> To conclude, based on the call <draft-denniss-oauth-device-flow-00> will
> become the starting point for work in the OAuth working group. Please
> submit the document as draft-ietf-oauth-device-flow-00.txt.
>
> Ciao
> Hannes & Derek
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth