Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

Nat Sakimura <sakimura@gmail.com> Thu, 21 January 2016 04:12 UTC

From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 21 Jan 2016 04:12:37 +0000
Message-ID: <CABzCy2Ann-3n7Yw1OPZSz337_XV87W81zUzDsg+hi_WZYeC+gA@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>, William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/DYzQ2V6OttRw3SruwgJtOsVi7WY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

Thought I did, but apparently not. A belated +1.

On Thu, Jan 21, 2016 at 12:43, Anthony Nadalin <tonynad@microsoft.com> wrote:

> +1
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *William
> Denniss
> *Sent:* Wednesday, January 20, 2016 6:30 PM
> *To:* John Bradley <ve7jtb@ve7jtb.com>; Phil Hunt (IDM) <
> phil.hunt@oracle.com>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
>
>
>
> +1 for adoption, this is important work.
>
>
>
> On Thu, Jan 21, 2016, 9:48 AM John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> +1 for adoption
>
>
>
> Mike and I are working on addressing the comments in a new draft for your
> reading pleasure shortly.
>
>
>
> John B.
>
>
>
> On Jan 20, 2016, at 10:26 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
> wrote:
>
>
>
> +1 for adoption
>
>
>
> +1 for Brian's comments
>
> Phil
>
>
> On Jan 20, 2016, at 14:42, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> I conditionally accept this document as a starting point for work in the
> OAuth working group on the assumption that the considerable simplifications
> discussed and accepted at
> http://www.ietf.org/mail-archive/web/oauth/current/msg15351.html
> will be incorporated.
>
> This document is (should be) intended to provide a mitigation to a
> security problem. As such, it would be nice to see it progress a little
> faster than the typical WG document. The more quickly the document can
> progress and/or be perceived as stable, the better.
>
>
>
> On Tue, Jan 19, 2016 at 4:49 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> this is the call for adoption of OAuth 2.0 Mix-Up Mitigation, see
> https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00
>
> Please let us know by Feb 9th whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Note: This call is related to the announcement made on the list earlier
> this month, see
> http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html. More
> time for analysis is provided due to the complexity of the topic.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth