[OAUTH-WG] Fwd: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Mon, 02 November 2020 07:54 UTC
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
To: oauth@ietf.org
Date: Mon, 02 Nov 2020 08:54:16 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7UQfc1O0iK-T1xxa3yG2l4waGOw>
Hi all,

Daniel and I published a new version of the "iss" response parameter draft to address the feedback from the WG.

Changes in -01:

* Incorporated first WG feedback
* Clarifications for use with OIDC
* Added note that clients supporting just one AS are not vulnerable
* Renamed metadata parameter
* Various editorial changes

We would like to ask you for further feedback and comments on the new draft version.

Best regards,
Karsten

-------- Forwarded Message --------
Subject: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Date: Sun, 01 Nov 2020 23:31:42 -0800
From: internet-drafts@ietf.org
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>, Karsten zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>, Daniel Fett <mail@danielfett.de>

A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
has been successfully submitted by Karsten Meyer zu Selhausen and posted to the
IETF repository.

Name: draft-meyerzuselhausen-oauth-iss-auth-resp
Revision: 01
Title: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
Document date: 2020-11-01
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt
Status: https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/
Html: https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.html
Htmlized: https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-01
Diff: https://www.ietf.org/rfcdiff?url2=draft-meyerzuselhausen-oauth-iss-auth-resp-01

Abstract:
This document specifies a new parameter "iss" that is used to explicitly include the issuer identifier of the authorization server in the authorization response of an OAuth authorization flow. If implemented correctly, the "iss" parameter serves as an effective countermeasure to "mix-up attacks".

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

-- 
Karsten Meyer zu Selhausen
IT Security Consultant

Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Does your OAuth or OpenID Connect implementation use PKCE to strengthen the security? Learn more about the protection PKCE provides and its limitations in our new blog post: https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
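The abstract above describes the client-side countermeasure: an AS puts its issuer identifier into the authorization response as "iss", and a client that is registered at several authorization servers checks that value against the AS it actually sent the user to before it redeems the code. The following is an added illustration of that check, written for this page; it is not code from the draft, from the authors or from any OAuth library. It assumes (these details are not on the page) that the client keys each pending flow by its "state" value, that the response arrives as a query string on the redirect URI, and that issuer identifiers are compared as exact strings; the class and exception names are made up for the example.

```python
"""Added example: checking the "iss" authorization response parameter.

Assumptions made here (not from the draft or the post):
- the client stores, per started flow, the issuer it redirected the user
  to, keyed by the "state" value;
- the authorization response is delivered as a query string on the
  redirect URI;
- issuer identifiers are compared as exact strings, no normalisation.
"""
import secrets
from urllib.parse import parse_qs, urlsplit


class IssMismatch(Exception):
    """The response does not name the AS this flow was started with."""


class MultiASClient:
    """OAuth client configured for more than one authorization server.

    Only a client that talks to several ASs can have their responses
    mixed up; the -01 draft notes that a single-AS client is not
    vulnerable, so the check below matters for this kind of client.
    (Hypothetical class name, for illustration only.)
    """

    def __init__(self, issuers):
        # Issuer identifiers of the ASs this client is registered with.
        self.issuers = frozenset(issuers)
        # state -> issuer the user was sent to for that request.
        self._pending = {}

    def start_flow(self, issuer, state=None):
        """Record which AS a new authorization request goes to."""
        if issuer not in self.issuers:
            raise ValueError(f"unknown issuer {issuer!r}")
        state = state or secrets.token_urlsafe(16)
        self._pending[state] = issuer
        return state

    def handle_response(self, redirect_url):
        """Validate an authorization response; return issuer and code."""
        params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

        def single(name):
            # Reject missing or duplicated parameters outright.
            values = params.get(name, [])
            if len(values) != 1:
                raise ValueError(f"expected exactly one {name!r}, got {len(values)}")
            return values[0]

        # Consume the state: a response is redeemable once, and an unknown
        # state means no flow of ours produced this response.
        expected_iss = self._pending.pop(single("state"), None)
        if expected_iss is None:
            raise ValueError("unknown or already-used state")

        # The check the "iss" parameter exists for: the AS named in the
        # response must be the one the user was sent to for this state.
        if "iss" not in params:
            raise IssMismatch("response carries no iss parameter")
        received_iss = single("iss")
        if received_iss != expected_iss:
            raise IssMismatch(f"expected {expected_iss!r}, got {received_iss!r}")

        return {"issuer": received_iss, "code": single("code")}


if __name__ == "__main__":
    # Constructed sample flow: two configured ASs, response from the right one.
    client = MultiASClient(["https://as-a.example", "https://as-b.example"])
    state = client.start_flow("https://as-a.example")
    url = f"https://client.example/cb?code=abc&state={state}&iss=https://as-a.example"
    print(client.handle_response(url))
```

The check runs before the client touches the code, so a response whose "iss" names a different configured AS, or carries none at all, never reaches the token request. Rejecting duplicated parameters and consuming the state on first use are not part of the "iss" mechanism itself but close the obvious gaps around it.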