Re: [OAUTH-WG] [Editorial Errata Reported] RFC6819 (5965)

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 24 January 2020 06:49 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <FB64B35A-23FB-4A35-A412-D8A40B19EC68@lodderstedt.net>
Date: Fri, 24 Jan 2020 15:47:33 +0900
In-Reply-To: <20200123161409.7DC10F406CD@rfc-editor.org>
Cc: Mark Mcgloin <mark.mcgloin@ie.ibm.com>, phil.hunt@yahoo.com, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, david.piggott@disneystreaming.com, oauth@ietf.org
To: RFC Errata System <rfc-editor@rfc-editor.org>
References: <20200123161409.7DC10F406CD@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AgBqz_i8_YNdiZzowVl4VPBYKJg>
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6819 (5965)

This errata is correct.

Thanks for bringing this to our attention!

> On 24. Jan 2020, at 01:14, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC6819,
> "OAuth 2.0 Threat Model and Security Considerations".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5965
> 
> --------------------------------------
> Type: Editorial
> Reported by: David Piggott <david.piggott@disneystreaming.com>
> 
> Section: 4.4.1.2
> 
> Original Text
> -------------
> Store access token hashes only (Section 5.1.4.1.3).
> 
> Corrected Text
> --------------
> Store authorization code hashes only (Section 5.1.4.1.3).
> 
> Notes
> -----
> 
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC6819 (draft-ietf-oauth-v2-threatmodel-08)
> --------------------------------------
> Title               : OAuth 2.0 Threat Model and Security Considerations
> Publication Date    : January 2013
> Author(s)           : T. Lodderstedt, Ed., M. McGloin, P. Hunt
> Category            : INFORMATIONAL
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
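The corrected countermeasure in Section 4.4.1.2 ("Store authorization code hashes only") is the point of this erratum: the threat in that section is an attacker reading authorization codes out of the authorization server's database, and keeping only a digest means a dumped table yields nothing redeemable. The following is an added illustration written for this page, not code from RFC 6819 or from any list participant. It assumes an in-memory dict standing in for the code table, SHA-256 as the digest, and hypothetical helper names (`issue_code`, `redeem_code`, `stored_values`); the single-use and 10-minute-lifetime behaviour follows RFC 6749 section 4.1.2.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the authorization server's code table. The key is
# the SHA-256 digest of the code; the plaintext code is never written here.
_code_store = {}

# RFC 6749 section 4.1.2 recommends a maximum authorization code lifetime of
# 10 minutes.
CODE_TTL_SECONDS = 600


def hash_code(code):
    # Codes are 256-bit random values, so an unsalted SHA-256 is sufficient:
    # an attacker holding only the digest cannot feasibly recover the code.
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def issue_code(client_id, redirect_uri, scope, now=None):
    """Mint a fresh code, persist only its hash, and hand the code to the client."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _code_store[hash_code(code)] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "expires_at": now + CODE_TTL_SECONDS,
    }
    return code


def redeem_code(code, client_id, redirect_uri, now=None):
    """Token-endpoint check. Returns the stored grant, or None on any failure.

    The record is removed on first lookup, so a code is single-use even when
    the binding check below fails (RFC 6749 section 4.1.2).
    """
    now = time.time() if now is None else now
    record = _code_store.pop(hash_code(code), None)
    if record is None:
        return None
    if now > record["expires_at"]:
        return None
    # Constant-time comparison of the client binding recorded at issuance.
    if not hmac.compare_digest(record["client_id"], client_id):
        return None
    if not hmac.compare_digest(record["redirect_uri"], redirect_uri):
        return None
    return record


def stored_values():
    # What a database dump would expose: digests only, never redeemable codes.
    return list(_code_store.keys())


if __name__ == "__main__":
    code = issue_code("client-a", "https://client.example/cb", "read")
    print("stored:", stored_values())
    print("redeem:", redeem_code(code, "client-a", "https://client.example/cb"))
    print("replay:", redeem_code(code, "client-a", "https://client.example/cb"))
```

Note that presenting a value copied from the table (a digest) to the token endpoint fails, because the endpoint hashes whatever it receives before lookup; the same property is what makes the countermeasure effective for the database-compromise threat in Section 4.4.1.2. Popping the record before the binding checks means a code presented by the wrong client is burned rather than left for a later correct attempt.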