Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 March 2017 19:41 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 20B041299AF;
Mon, 6 Mar 2017 11:41:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7,
RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eQfJEQpvNeu7; Mon, 6 Mar 2017 11:41:10 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 311CD1294AF;
Mon, 6 Mar 2017 11:41:10 -0800 (PST)
Received: from [192.168.91.177] ([80.92.114.23]) by mail.gmx.com (mrgmx101
[212.227.17.168]) with ESMTPSA (Nemesis) id 0MFgxF-1cWLv400Pd-00Edo1; Mon, 06
Mar 2017 20:41:07 +0100
To: William Denniss <wdenniss@google.com>, internet-drafts@ietf.org
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com>
<CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <a6596083-6a19-e644-403c-4c1686eba492@gmx.net>
Date: Mon, 6 Mar 2017 20:41:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="fo9NmDLA1mMKtD424QQW8axIrJuGvgGsD"
X-Provags-ID: V03:K0:HvgVMfCJIQte8v5snZW9QcjvnrlKlBx0AtZ3eG43FKhUeN37lOm
cvrkI7WsdeXbgEEbOyfLzZeRfbQ/TOnvEbq+uanmZk6TTOL4s92Ks0auhhYrgc1znOVdeOX
uJeGkTPkuwycJSAJKCguHWLRhMmlveVxSfWHTr1uKdPh97ASt3RlD4xhXxlLTgRhqV3XNTw
LHbHqLgTuegSF6CU+FPpg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:tGsBmUoozAc=:0fA76di2yffippJXHPQg4K
zsDm/8jUP5RrB/M3oX95YsutdowNb358w4zJ0fde4eMm0rYsyXvqrhqfm/nOghKXHlre5/Oaa
kS4wSzXXDB+tztsVV6kgpHpGSJat6tI+SiiHPeACvaEFuUwvx4lb/btUKo9O4EZn8hS9zUMQI
xL9ADdhTv/H+WfxIlmjYKlvDpJhAxlHc112zvPn5TdpFCZwHnofhdsh4tiH2gzT9/cw94Sc3n
rRlxxq1lMe8NIL2WLciS0m/SQxNvamWc2eHwaA/WkLVyhjeTyr4mNkgakg/BRI6GbA5eyTxiH
kTXUmRac8HGyDB5QFN2Rk+pdLOuSg96u+yJW4+/vUHQRYKSjQAQ68h1J53zE9PywP6AaHYAPK
GAd2KbM+zF893U2buTpCU+cIonMhaxsiLxk5xU9+cVXVl31zIbBZmF/eEfc3GqswvMvYsY5SX
sW/YvhKNWH9LxYxiXBZNtxONYXND3uWl24XBMyLzsRyTPXtkvCagVrJfb4mUQJSlCz7TQcWx/
D2w+AM6t8Rld5L6hZhiOmWj5crqrTzdRqiNrzaU7dCrmac6Z8eZK0XMjuC+nu+30wE7RL0F51
hUKzVlXSZRaKrx0lfVyv6LPinxJ9jIKlBo+3wVgnimrFbA+KPpLXD9HQvaketYH5lzwk1ueov
wsLEX9LuJPF7wDC6nSMA6QXj4rPBj6uhYs4VjvbznXvYmdDqzwMufVC6HDv7QM8n1LnXFAx2n
+kWm3U5iL/817Wri4PFaU9c4TSnXjRLm2PTQxA+NtFuFcqY8q7+lqTEWRFI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AuzR86bJZcDCkInm-5q7O7aVx7I>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>,
<mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>,
<mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 19:41:12 -0000
Hi William, Hi John, I just re-read version -8 of the document again. Two minor remarks only. Editorial issue: Why do you need to introduce a single sub-section within Section 7.1. (namely Section 7.1.1)? Background question: You note that embedded user agents have the disadvantage that the app that hosts the embedded user-agent can access the user's full authentication credential. This is certainly true for password-based authentication mechanisms but I wonder whether this is also true for strong authentication techniques, such as those used by FIDO combined with token binding. Have you looked into more modern authentication techniques as well and their security implication? Ciao Hannes On 03/03/2017 07:39 AM, William Denniss wrote: > Changes: > > – Addresses feedback from the second round of WGLC. > – Reordered security consideration sections to better group related topics. > – Added complete URI examples to each of the 3 redirect types. > – Editorial pass. > > > > On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org>> wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Web Authorization Protocol of the IETF. > > Title : OAuth 2.0 for Native Apps > Authors : William Denniss > John Bradley > Filename : draft-ietf-oauth-native-apps-08.txt > Pages : 20 > Date : 2017-03-02 > > Abstract: > OAuth 2.0 authorization requests from native apps should only be made > through external user-agents, primarily the user's browser. This > specification details the security and usability reasons why this is > the case, and how native apps and authorization servers can implement > this best practice. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/ > <https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/> > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08 > <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08> > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08 > <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08> > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org > <http://tools.ietf.org>. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > <ftp://ftp.ietf.org/internet-drafts/> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-native-ap… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… William Denniss
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… Hannes Tschofenig
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… John Bradley
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… William Denniss
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… Anthony Nadalin
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… John Bradley
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… William Denniss
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… Axel.Nennker
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-nativ… William Denniss