Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 November 2019 09:58 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <1021C802-9AA1-40A6-B1ED-17649151070C@lodderstedt.net>
Date: Tue, 19 Nov 2019 17:58:34 +0800
In-Reply-To: <CA+iA6ugWRAQYiMVuT2euwKgosy46FoTu_Oh0v-N_1k1arf16CQ@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
References: <CA+iA6ui1TDn1LuQeOCXxh7gkt=CPwuQf5CCBqYUR0OZ2iOXwuQ@mail.gmail.com> <769719DC-33A3-4911-8322-9F1C9F235469@lodderstedt.net> <CA+iA6ugWRAQYiMVuT2euwKgosy46FoTu_Oh0v-N_1k1arf16CQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CnJ1GLN0m_31_MNtBqv3q2E955E>

> On 19. Nov 2019, at 17:10, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
> 
> 
> 
> On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi Hans, 
> 
> > On 18. Nov 2019, at 04:11, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
> > 
> > Hi,
> > 
> > Please find my feedback from page 21 onwards below.
> > 
> > Hans.
> > 
> > Overall I would argue there's room for a very concise guidance section that says: do this, don't do that, without explanation, just as a reference for developers; the current text provides in-depth analysis but that is perhaps not suitable for developers who just want to know what to do (or not to do) and don't really care about the background/reasoning
> 
> While section 4 gives the raw security threat analysis, we tried to summarise the actionable guidance in section 3. What do you miss there?
> 
> I'd rather see it even shorter and more concise, but I guess you're right; it is there

Do you want to suggest some text?

>  
> > 
> > P21
> > first bullet
> > "the client has bound this data to this particular instance." -> particular instance of what?
> 
> This bullet refers to the note above. 
> 
> "Note: this check could also detect attempts to inject a code which
>    had been obtained from another instance of the same client on another
>    device, if certain conditions are fulfilled:"
> 
> ok, I see
>  
> > 
> > 3rd paragraph:
> > "call to the tokens endpoint." -> "call to the token endpoint."
> 
> Fixed 
> 
> > 
> > last paragraph could forward point to the next section by adding something like
> > "using one of the mechanisms described in the next section."
> 
> Incorporated 
> 
> > 
> > P22
> > 3rd paragraph:
> > is the token binding guidance still accurate? it seems to be overestimating the adoption 
> 
> You mean this statement? 
> 
> "Token binding is
>       promising as a secure and convenient mechanism (due to its browser
>       integration).  As a challenge, it requires broad browser support
>       and use with native apps is still under discussion."
> 
> yeah, but after re-reading I guess this actually spells out the adoption conditions, so it is fine
> 
> Hans.
>  
> 
> Thanks,
> Torsten. 
> 
> > 
> > -- 
> > hans.zandbelt@zmartzone.eu
> > ZmartZone IAM - www.zmartzone.eu
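The note quoted above says the client's check can also catch a code that was obtained by another instance of the same client, provided the client has bound the request data to its own instance. As an added illustration (this is not text or code from the draft or from either participant, and keeping the pending requests in an in-memory map per instance is an assumption), here is a minimal client-side version of that binding in Python:

```python
# Added example, not from draft-ietf-oauth-security-topics or this thread.
# Each ClientInstance binds the `state` and PKCE `code_verifier` it generated to
# itself, so a callback carrying a code issued to another instance (or injected
# by an attacker) is rejected before any token request is sent. The AS still
# enforces PKCE independently; this shows only the client-side half.
import base64
import hashlib
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ClientInstance:
    """One installation of the client; its pending requests never leave it."""

    def __init__(self) -> None:
        # state -> code_verifier, known only to this instance (assumed in-memory)
        self._pending: dict[str, str] = {}

    def start_authorization(self) -> dict:
        """Create fresh per-request state and PKCE values bound to this instance."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)
        self._pending[state] = verifier
        return {"response_type": "code", "state": state,
                "code_challenge": pkce_challenge(verifier),
                "code_challenge_method": "S256"}

    def handle_redirect(self, params: dict):
        """Return token-request parameters, or None if the callback is not ours."""
        verifier = self._pending.pop(params.get("state"), None)  # one-time use
        if verifier is None or "code" not in params:
            # Unknown or already-consumed state: this instance never issued it,
            # so the code came from elsewhere (another device or an injection).
            return None
        return {"grant_type": "authorization_code", "code": params["code"],
                "code_verifier": verifier}


if __name__ == "__main__":
    mine, other = ClientInstance(), ClientInstance()
    req = mine.start_authorization()
    foreign = other.start_authorization()
    print(mine.handle_redirect({"code": "constructed-code", "state": req["state"]}))
    print(mine.handle_redirect({"code": "constructed-code", "state": foreign["state"]}))  # None
```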