[OAUTH-WG] Fwd: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Mon, 02 November 2020 07:54 UTC

Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2B7A3A044E for <oauth@ietfa.amsl.com>; Sun, 1 Nov 2020 23:54:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEmcPp-0KEDV for <oauth@ietfa.amsl.com>; Sun, 1 Nov 2020 23:54:21 -0800 (PST)
Received: from mail-oo1-xc2b.google.com (mail-oo1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D4AE3A044A for <oauth@ietf.org>; Sun, 1 Nov 2020 23:54:21 -0800 (PST)
Received: by mail-oo1-xc2b.google.com with SMTP id n16so3152192ooj.2 for <oauth@ietf.org>; Sun, 01 Nov 2020 23:54:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=references:to:from:cc:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=ygzt3N1HqmUnKYBYK2ym+uvfUTb7le0wQieXQref9CM=; b=f5OfB/RWOpvdfnrN6wUJthnlKSifzpDTUrj+K6q+OFlcFPnhkdnxhKAMf8px7mJW/5 2LDKswtr/x5Uh+U6+hulO72WFEf35sXUw+7luqbfqkVxQHZd1PRTXKZtysSXwQ79EuFc uBhvHziX04NORnFnLRzsVG53mYz1r93kkrfOom8gjBkU8rB562wxw16TgP9lrmS9vMf/ tnwDHFSn2aic2ft/sw5KgvA5cLkt3VXgjB8pcUOZ9GNer5h44WT3Y82SyubhV/KP2ItM kOxxTBTteuR/wqmSlNVsckZmEVOcQ3dtWCmrbw3GTrWwmL6sMvMqRMxJa3b1uSv/ZK/A Pz0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:references:to:from:cc:subject:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ygzt3N1HqmUnKYBYK2ym+uvfUTb7le0wQieXQref9CM=; b=TighUJvGieFTWPvbJbUqYtJo5Yo1hWGlIinwmYE9O2tlWKf90WmSyaen5IlzP/2As2 jvGCihtLiXLeCpa4vWe+lsFvtFo0bug7nujlTo84NI7+QTiIxUs5m749LIVojlVnrb44 tEZbMfXU1WWQH303V/mEi3uCbi4C5XUjEXCCVaf7/HRL9sz9TxgmCIXswZ9WuqgYxqdJ lGKNeoJ7+2+qx5ssx95zKegvMBmTS9O5kdHLddM0/EHfhWC0D0YpuZhU5JcxHxIYZ8b0 XTDni8wlyNytSAthcVrZFPDJ0PbHS49PcITC1CNhXcv9rSfJOAk47lIAnw3XXsqi9bUS rzYw==
X-Gm-Message-State: AOAM5319alZGGWYG5PE4jO8xr6/7sA5rz25p8uA70iBKI+rQXIribT0O 03MWKDc7407p9KWOg+yy69Bd+A==
X-Google-Smtp-Source: ABdhPJxcDdQPLioqmoT6IVENu/7IFtJ4TGuAbEvxC0PyjLyBAAWHlMXLAgzEsKdHgJUOqBa5J57vJg==
X-Received: by 2002:a4a:b40a:: with SMTP id y10mr11025479oon.71.1604303660482; Sun, 01 Nov 2020 23:54:20 -0800 (PST)
Received: from [192.168.178.22] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id q24sm674629otm.22.2020.11.01.23.54.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 01 Nov 2020 23:54:19 -0800 (PST)
References: <160430230298.9780.18195581822860811409@ietfa.amsl.com>
To: oauth@ietf.org
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
X-Forwarded-Message-Id: <160430230298.9780.18195581822860811409@ietfa.amsl.com>
Message-ID: <fc75c5d7-49b2-7760-c98a-8dd6ca3d09eb@hackmanit.de>
Date: Mon, 2 Nov 2020 08:54:16 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
MIME-Version: 1.0
In-Reply-To: <160430230298.9780.18195581822860811409@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------B768C6A5413BDE6AADCA153F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7UQfc1O0iK-T1xxa3yG2l4waGOw>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2020 07:54:24 -0000

Hi all,

Daniel and I published a new version of the "iss" response parameter 
draft to address the feedback from the WG.

Changes in -01:

  * Incorporated first WG feedback
  * Clarifications for use with OIDC
  * Added note that clients supporting just one AS are not vulnerable
  * Renamed metadata parameter
  * Various editorial changes


We would like to ask you for further feedback and comments on the new 
draft version.

Best regards,
Karsten

-------- Forwarded Message --------
Subject: 	New Version Notification for 
draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Date: 	Sun, 01 Nov 2020 23:31:42 -0800
From: 	internet-drafts@ietf.org
To: 	Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>de>, 
Karsten zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>de>, Daniel 
Fett <mail@danielfett.de>




A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
has been successfully submitted by Karsten Meyer zu Selhausen and posted 
to the
IETF repository.

Name: draft-meyerzuselhausen-oauth-iss-auth-resp
Revision: 01
Title: OAuth 2.0 Authorization Server Issuer Identifier in Authorization 
Response
Document date: 2020-11-01
Group: Individual Submission
Pages: 10
URL: 
https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Status: 
https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/
Html: 
https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.html
Htmlized: 
https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-01
Diff: 
https://www.ietf.org/rfcdiff?url2=draft-meyerzuselhausen-oauth-iss-auth-resp-01

Abstract:
This document specifies a new parameter "iss" that is used to
explicitly include the issuer identifier of the authorization server
in the authorization response of an OAuth authorization flow. If
implemented correctly, the "iss" parameter serves as an effective
countermeasure to "mix-up attacks".



Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


-- 
Karsten Meyer zu Selhausen
IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Does your OAuth or OpenID Connect implementation use PKCE to strengthen the security? Learn more about the procetion PKCE provides and its limitations in our new blog post:
https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz