Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Lee McGovern <> Sun, 10 November 2019 21:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5D95312016E for <>; Sun, 10 Nov 2019 13:02:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YooD9L1BnsMS for <>; Sun, 10 Nov 2019 13:02:46 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 85276120129 for <>; Sun, 10 Nov 2019 13:02:46 -0800 (PST)
IronPort-SDR: X48paAzDTzD9VCLgZeSB+LcEkivsgvtU2pgpt4x0CJ3qsH9gRLGqlfo99jO70YgeHQEoSDyCXP omYMJY6YhbT8hJC5UcwIyXxBcVo9bNuqEOgBDxijW/e0rEW9hPyoFJ+qUuNVfwpjdlN1kV83Dp rDXq1QF/xGEvkVZNQliDQDb+cg7LhowTr1DXr1KGINTs1pXEWeylmoboqagfcL30EVvsd4wJCl D0wBRb+H7rWSPpAyI9q+yDlbzXNYHlzdYOvLXt7VVGaoQ7/I+0+8XbsIJMWINcyP3b2KCSNhaj JUA=
X-Amp-Result: SKIPPED(no attachment in message)
Received: from ([]) by with ESMTP/TLS/ECDHE-RSA-AES256-SHA384; 10 Nov 2019 21:02:42 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sun, 10 Nov 2019 22:02:46 +0100
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sun, 10 Nov 2019 22:02:39 +0100
Received: from ([fe80::39a1:59b8:2e6a:5da6]) by ([fe80::39a1:59b8:2e6a:5da6%15]) with mapi id 15.00.1473.003; Sun, 10 Nov 2019 22:02:39 +0100
From: Lee McGovern <>
To: "" <>
Thread-Topic: WGLC for "OAuth 2.0 Security Best Current Practice"
Thread-Index: AdWYChqDeqcGGMY1SK6hr9VAlkPFWg==
Date: Sun, 10 Nov 2019 21:02:38 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_Enabled=True; MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_SiteId=45597f60-6e37-4be7-acfb-4c9e23b261ea;; MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_SetDate=2019-11-10T21:02:37.4752144Z; MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_Name=Internal; MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_Application=Microsoft Azure Information Protection; MSIP_Label_90c2fedb-0da6-4717-8531-d16a1b9930f4_Extended_MSFT_Method=Automatic; Sensitivity=Internal
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-rcom-deduphash: a5a01191-b7f7-4c2c-b363-55041b73dc0d
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
X-GBS-PROC: 15NGs9aROBRTCeaacTtz4Erx9lEiGKWQH/n3y5o7xOw=
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 10 Nov 2019 21:02:50 -0000

3.1 - "Clients MUST memorize which authorization server they sent an authorization request to" - is memorize the best synonym here, perhaps store or retain is more aligned with computational language?

3.1.2 How does the draft align with this guidance and will a future BCP update include a direct reference to the final published version of this spec?

3.5, 3.6 Since there is a reference to the MTLS draft could there also be some guidance on the usage of token exchange best practise and also for the contents of the access token to be aligned


Date: Wed, 6 Nov 2019 08:26:49 +0000
From: Hannes Tschofenig <>
To: "" <>
Subject: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current
Content-Type: text/plain; charset="us-ascii"

Hi all,

this is a working group last call for "OAuth 2.0 Security Best Current Practice".

Here is the document:

Please send you comments to the OAuth mailing list by Nov. 27, 2019.
(We use a three week WGLC because of the IETF meeting.)

Hannes & Rifaat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

This e-mail, including attachments, is intended for the person(s) or company named and may contain confidential and/or legally privileged information.

Unauthorized disclosure, copying or use of this information may be unlawful and is prohibited. If you are not the intended recipient, please delete this message and notify the sender.
All incoming and outgoing e-mail messages are stored in the Swiss Re Electronic Message Repository.
If you do not wish the retention of potentially private e-mails by Swiss Re, we strongly advise you not to use the Swiss Re e-mail account for any private, non-business related communications.