Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

Brian Campbell <bcampbell@pingidentity.com> Wed, 20 January 2016 22:43 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66EC51B2A1F for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:43:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUz_pi__iWYT for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:43:02 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C8EC1B2A1A for <oauth@ietf.org>; Wed, 20 Jan 2016 14:43:00 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id g73so36560172ioe.3 for <oauth@ietf.org>; Wed, 20 Jan 2016 14:43:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1tgaoBy1zkyGN9iiF2QPhLkdGZzDvZn/syEVe108mCE=; b=gWFGre85VT08M8QJbWWQ3aB1FGlIldgsckSeIkVNduAiiYbJIqdiVgovW/3nNB1882 MhfNeXl6dK4YtHnZnLrP2GmtFC5fezVXRaPoaVTGkey+kVwhrYk/To4pAEt09jRDfKG5 XuwB+7U1JKqHmxQdSJasjlb65QlJD0SQXPe48=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=1tgaoBy1zkyGN9iiF2QPhLkdGZzDvZn/syEVe108mCE=; b=Zg3j60DCsiMKEQl/Mlm31yrxrh12qspenGIToEErRP4pL7W83oRDDrp70OJ+WB6LfI FMDSNdXAw8UBpnghbfHLGMHXbBsZHqSW8UBMFSOIUDViEDZ4bqbvRvr2cXcwQ4dJHWhc 2HSlZ9/9HNuyvWfWvwYy0raR3Nvmt4kaqw1XwllXDTC6G+ujtdj9XiUh75x/MGJuug0G Bf1nGX57NfHh/epUlkeUW4pnKfFCJTHPoukFUDs94htGEdL37JLaW6Q4bdYm4YVx2V1v OoW+csKu705/BBrtu6VYmLZTiC/loCZ65uuIxJN0Sxml2Vc2lvmTXbR415Eq4hHAJBwt Gq2w==
X-Gm-Message-State: ALoCoQl4dFuXEIU5/26e2551susViM+wqsTXkl05knOJIRNT3XrbIA39IcPzKmc2JBFlAz4JtGETGI8pTxFwLpe1WqWH2gAnDWKMztcDLpDnBgfoaUlJTHg=
X-Received: by 10.107.16.226 with SMTP id 95mr39894710ioq.147.1453329779899; Wed, 20 Jan 2016 14:42:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.212.69 with HTTP; Wed, 20 Jan 2016 14:42:30 -0800 (PST)
In-Reply-To: <569E22E1.5010402@gmx.net>
References: <569E22E1.5010402@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Jan 2016 15:42:30 -0700
Message-ID: <CA+k3eCRj9xc-jb_kAub0ZodvVCo1NckHq-wq+xPof+9k4gBw3Q@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=001a113ecda045cd140529cbb5bd
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/A_RHAVzscqEptdJGjtGQf9bgFdY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 22:43:03 -0000

I conditionally accept this document as a starting point for work in the
OAuth working group on the assumption that the considerable simplifications
discussed and accepted at
http://www.ietf.org/mail-archive/web/oauth/current/msg15351.html will be
incorporated.

This document is (should be) intended to provide a mitigation to a security
problem. As such, it would be nice to see it progress a little faster than
the typical WG document. The more quickly the document can progress and/or
be perceived as stable, the better.

On Tue, Jan 19, 2016 at 4:49 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net>; wrote:

> Hi all,
>
> this is the call for adoption of OAuth 2.0 Mix-Up Mitigation, see
> https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00
>
> Please let us know by Feb 9th whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Note: This call is related to the announcement made on the list earlier
> this month, see
> http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html. More
> time for analysis is provided due to the complexity of the topic.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>