Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 March 2017 19:41 UTC

To: William Denniss <wdenniss@google.com>, internet-drafts@ietf.org
References: <148852246909.30907.6836735739794656654.idtracker@ietfa.amsl.com> <CAAP42hArHN5cgLqnWKyPXBrcdYXDbYuft5BinNTFtm4LNaL3yg@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <a6596083-6a19-e644-403c-4c1686eba492@gmx.net>
Date: Mon, 6 Mar 2017 20:41:05 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AuzR86bJZcDCkInm-5q7O7aVx7I>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

Hi William, Hi John,

I just re-read version -8 of the document again.

Two minor remarks only.

Editorial issue: Why do you need to introduce a single sub-section
within Section 7.1. (namely Section 7.1.1)?

Background question: You note that embedded user agents have the
disadvantage that the app that hosts the embedded user-agent can access
the user's full authentication credential. This is certainly true for
password-based authentication mechanisms but I wonder whether this is
also true for strong authentication techniques, such as those used by
FIDO combined with token binding. Have you looked into more modern
authentication techniques as well and their security implications?

Ciao
Hannes

On 03/03/2017 07:39 AM, William Denniss wrote:
> Changes:
> 
> – Addresses feedback from the second round of WGLC.
> – Reordered security consideration sections to better group related topics.
> – Added complete URI examples to each of the 3 redirect types.
> – Editorial pass.
> 
> 
> 
> On Thu, Mar 2, 2017 at 10:27 PM, <internet-drafts@ietf.org
> <mailto:internet-drafts@ietf.org>> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Web Authorization Protocol of the IETF.
> 
>             Title           : OAuth 2.0 for Native Apps
>             Authors         : William Denniss
>                               John Bradley
>             Filename        : draft-ietf-oauth-native-apps-08.txt
>             Pages           : 20
>             Date            : 2017-03-02
> 
>     Abstract:
>        OAuth 2.0 authorization requests from native apps should only be made
>        through external user-agents, primarily the user's browser.  This
>        specification details the security and usability reasons why this is
>        the case, and how native apps and authorization servers can implement
>        this best practice.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>     <https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/>
> 
>     There's also a htmlized version available at:
>     https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
>     <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08>
> 
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
>     <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08>
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org
>     <http://tools.ietf.org>.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>     <ftp://ftp.ietf.org/internet-drafts/>
> 
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
> 
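The distinction Hannes raises above (an embedded user-agent host can capture a password outright, but a challenge-response credential such as a FIDO assertion never hands the reusable secret to the user-agent) can be made concrete with a small simulation. The following Python is an added illustration, not code from the draft or from anyone on the thread. It assumes a constructed relying-party name `login.example.com`, and it uses an HMAC over (rp_id || challenge) as a stand-in for FIDO's public-key signature so that it runs on the standard library alone; token binding, which Hannes also mentions, is not modelled.

```python
"""Constructed simulation: what an app hosting an embedded user-agent can do with
what it observes during a password login versus a FIDO-style challenge-response
login.  The HMAC "assertion" stands in for FIDO's asymmetric signature; the
property shown (the reusable secret never crosses the user-agent) is the same."""
import hashlib
import hmac
import secrets

RP_ID = "login.example.com"  # constructed relying-party identifier (assumption)


class EmbeddedUserAgentHost:
    """The native app hosting a web view: it sees every byte the user types and
    every message the page exchanges, and keeps a copy of each."""

    def __init__(self):
        self.captured = []

    def relay(self, message):
        self.captured.append(message)
        return message


class PasswordRP:
    """Server that authenticates against a salted password hash."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._users = {}

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def register(self, username, password):
        self._users[username] = self._hash(password)

    def login(self, username, password):
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))


class Authenticator:
    """Holds the credential key; the key never leaves this object."""

    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[cred_id] = (rp_id, key)
        # The verification key goes to the RP at registration (public half in real FIDO).
        return cred_id, key

    def get_assertion(self, cred_id, caller_rp_id, challenge):
        rp_id, key = self._keys[cred_id]
        if rp_id != caller_rp_id:  # origin scoping: refuse any other party
            raise PermissionError("credential not scoped to this RP")
        return hmac.new(key, rp_id.encode() + challenge, "sha256").digest()


class FidoRP:
    """Server side of a challenge-response login with one-time challenges."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._verification_keys = {}
        self._pending = set()

    def register(self, cred_id, verification_key):
        self._verification_keys[cred_id] = verification_key

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, cred_id, challenge, response):
        if challenge not in self._pending:  # unknown or already consumed
            return False
        self._pending.discard(challenge)
        key = self._verification_keys.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, self.rp_id.encode() + challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def run_password_scenario():
    host, rp = EmbeddedUserAgentHost(), PasswordRP()
    rp.register("alice", "correct horse battery staple")  # constructed user
    typed = host.relay("correct horse battery staple")    # typed into the web view
    legit = rp.login("alice", typed)
    replay = rp.login("alice", host.captured[0])           # host reuses it later, no user present
    return {"legitimate_login": legit, "host_replay_succeeds": replay}


def run_fido_scenario():
    host, rp, auth = EmbeddedUserAgentHost(), FidoRP(RP_ID), Authenticator()
    cred_id, vkey = auth.make_credential(RP_ID)
    rp.register(cred_id, vkey)
    challenge = host.relay(rp.new_challenge())
    response = host.relay(auth.get_assertion(cred_id, RP_ID, challenge))
    legit = rp.verify(cred_id, challenge, response)
    old_challenge, old_response = host.captured           # all the host ever saw
    replay_old = rp.verify(cred_id, old_challenge, old_response)  # challenge consumed
    replay_new = rp.verify(cred_id, rp.new_challenge(), old_response)  # wrong challenge
    return {"legitimate_login": legit,
            "host_replays_old_challenge": replay_old,
            "host_reuses_response_on_fresh_challenge": replay_new}
```

Running both scenarios shows the asymmetry: the password host can log in again on its own, whereas the FIDO host holds only a consumed challenge and a response bound to it, and the authenticator refuses to sign for any RP identifier other than the one the credential was created for.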