Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

Anthony Nadalin <tonynad@microsoft.com> Thu, 02 February 2017 19:11 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E36C312959D for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2017 11:11:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4HoPvlQxLlK for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2017 11:11:12 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0128.outbound.protection.outlook.com [104.47.32.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 392E8129541 for <oauth@ietf.org>; Thu, 2 Feb 2017 11:11:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HfOeUy2HOF5GaKOHY8s5X8lohkuehU6v9fWaeD/74eM=; b=b6KEd5nautUdMWXwZumoZ6bdJAp7p8rPJp8KEwD5WeiZ4Bz5xmP22i1pJrX+BWH/IBjuYIPZOvkMf+bqlP/5NqqDt63Z9OdSgqioWEGl1hi8vVLsYLuXnsgY6Y74f3shpGIzHVFs7/9HwP2Uo8QBefjzPxw5qB6qLYR0Zqau5Uo=
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com (10.163.226.27) by SN1PR0301MB2032.namprd03.prod.outlook.com (10.163.226.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.860.13; Thu, 2 Feb 2017 19:11:09 +0000
Received: from SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) by SN1PR0301MB2029.namprd03.prod.outlook.com ([10.163.226.27]) with mapi id 15.01.0860.027; Thu, 2 Feb 2017 19:11:09 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption: OAuth Security Topics
Thread-Index: AQHSfSNklg6OLVxbOk+PWUOxKxjXA6FWFePA
Date: Thu, 02 Feb 2017 19:11:09 +0000
Message-ID: <SN1PR0301MB20299945EF8EC72CD3C0CD06A64C0@SN1PR0301MB2029.namprd03.prod.outlook.com>
References: <ae7d8912-2a13-4d19-62b4-0b1d1106a555@gmx.net>
In-Reply-To: <ae7d8912-2a13-4d19-62b4-0b1d1106a555@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tonynad@microsoft.com;
x-originating-ip: [2001:4898:80e8:2::220]
x-ms-office365-filtering-correlation-id: c1fc06b2-bc33-48f6-6c7a-08d44b9f3f4b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:SN1PR0301MB2032;
x-microsoft-exchange-diagnostics: 1; SN1PR0301MB2032; 7:7eAJNXE+LQvhkVoUZqi6Ly4fTFpE8Nhjg+jpP6NpqXQv7HZTIi/T098tVHlV3SI4a2ZVqBwCMdH/nBbdzrIW6CgqPlVgk+qsFiV+nrecd+SRHixifoVEQGXqCjq4zt5ZIkal5F8WWU1udohA5eIPuBCqFJ+RaUAzOeMyerGAarIolNkKBjkwKfr3u69TuJBOFnGCHGAhsK//hkGqyRHquPlPXE0nR9QZLvLsJmMJFnFNCdzXP+2WadOodpEgP2tiSnBuFUGnY00ff3NjkLPwZielUBzcUEUrX7nA6R7qWCjE+3TU4cjTbjgl/GdDlZwCQdCdA4qB6nfxyf01PwMJKmv5sjY46fWUGsxyyLG8jf74MXD3FpJv2+IO0FReNi3iRw4wV9A2reKo9cV0XcX150AuZfraG6ULba39/95L9uU1yyWxONbN1i1PA8/+q8xhE0usdmCHP0Ph0TZ3fAMrPUa2yN8hgizw9jtWm9j0w9JqeD5iXzz7SbN6m1cXDNEu8ae1ixWQmZVxQsWfEy+KS+MZGpnDscSDLKoVcWmbTQdi2UwM+69ITFmb/IRSJmj8
x-microsoft-antispam-prvs: <SN1PR0301MB2032BD1E55D8593A44F66D9AA64C0@SN1PR0301MB2032.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(189930954265078)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123564025)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:SN1PR0301MB2032; BCL:0; PCL:0; RULEID:; SRVR:SN1PR0301MB2032;
x-forefront-prvs: 02065A9E77
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39860400002)(39450400003)(39850400002)(39410400002)(13464003)(53754006)(189002)(199003)(377454003)(7736002)(86612001)(101416001)(10290500002)(5001770100001)(305945005)(92566002)(189998001)(50986999)(97736004)(76176999)(5005710100001)(86362001)(10090500001)(54356999)(122556002)(107886002)(33656002)(2900100001)(105586002)(53936002)(106116001)(74316002)(106356001)(8990500004)(68736007)(81156014)(81166006)(8936002)(8676002)(2950100002)(3660700001)(15650500001)(2906002)(102836003)(3280700002)(6116002)(7696004)(6436002)(229853002)(5660300001)(6506006)(38730400001)(25786008)(9686003)(77096006)(99286003)(55016002)(6306002)(2501003)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0301MB2032; H:SN1PR0301MB2029.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Feb 2017 19:11:09.8231 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0301MB2032
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7PkEkPFZ3zd9ZYgCXSkrFzmXIys>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth Security Topics
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2017 19:11:15 -0000

I would be in favor of this 

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, February 1, 2017 11:10 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Call for adoption: OAuth Security Topics

Hi all,

this is the call for adoption of the 'OAuth Security Topics' document following the positive call for adoption at the last IETF meeting in Seoul.

Here is the document:
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-lodderstedt-oauth-security-topics-00&data=02%7C01%7Ctonynad%40microsoft.com%7Cdd2d04df662a4bfe36e508d44b3a84e6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636216162098338101&sdata=9tMjjKtTBQrNVEEpwfMaIH2gTymyADdgjEJnKU4MP6U%3D&reserved=0

The intention with this document is to have a place to collect discussions and conclusions around OAuth 2.0 security and to reference the actual solution specifications.

Please let us know by Feb 16th whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Ciao
Hannes & Derek