Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-01.txt
Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Tue, 08 June 2021 09:16 UTC
Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B59993A2951 for <oauth@ietfa.amsl.com>; Tue, 8 Jun 2021 02:16:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z-a8vDIG00nM for <oauth@ietfa.amsl.com>; Tue, 8 Jun 2021 02:16:25 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 018823A294F for <oauth@ietf.org>; Tue, 8 Jun 2021 02:16:24 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id m18so20749625wrv.2 for <oauth@ietf.org>; Tue, 08 Jun 2021 02:16:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=3Bh13S5kurVzVViWwnoVE8wF70LI1dNFdxcPX0VOOsk=; b=bkVt77FkuHAabudJBXOj3GJPJukdIH7SdzRoIc2Gwctx/3RDsYbO3onAcIBIji6QY/ gps4DIdg9TGybgiuYIRsHyuxnWSW+irIM/9nNKrkqQJGUjclONRfmXaEJy4HQMovJ18i MrN3r4UpV4OE2uQrwwn9Jjv8Fd8jDjgmERsAw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=3Bh13S5kurVzVViWwnoVE8wF70LI1dNFdxcPX0VOOsk=; b=YeZGfrrPorHHLMs36F/7RyFZ6S7Ao+e4F2VmCNpNNiaX/hZ7lvPgDPr4lDnTgy8yyB TD4nCJGuIn11m6akDrX8Ref31A684VyECYGad88V+yJfpFTFS/w7V6h0GtXD2Y7+kWIe e8w8K6mhFMIBsYIPY+235BRbP6gMtlbs9n+YMdNwlTfpfOrspxKd+S8A5RXaOa6+VzJl GUzuKD6YG5EPiGKdwee8gHDwbyNuiCRgclkimo/8lGiO2TGc96hlSDfbG3vN73yG0BEL R00Nt39nw0VAJjdeni9GemzsCs127OatcejGXt0vqtfLnJMGlV9MK2OAxSLLdflR326f ctlQ==
X-Gm-Message-State: AOAM533N82I3P7rx+en9DkUQW4PVzfuI4UKemaLrBFHKoR2Wa2/7vIeN pw3ggIZyx96FRdr7MhmMkfmPdIZe763JXqBr
X-Google-Smtp-Source: ABdhPJzXjaaHXmz+c9RPL1HpitKPbGKi6vQQNdhAZ21hcKeMhBu2HlHlT67NcCvD+Z5RQPZPZuamzQ==
X-Received: by 2002:adf:f805:: with SMTP id s5mr21032176wrp.231.1623143781392; Tue, 08 Jun 2021 02:16:21 -0700 (PDT)
Received: from [10.10.11.10] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id m65sm17470751wmm.19.2021.06.08.02.16.20 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 08 Jun 2021 02:16:20 -0700 (PDT)
To: oauth@ietf.org
References: <162314323386.24325.13195076892860417878@ietfa.amsl.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Message-ID: <09d68452-2d88-b349-7668-ab439d662740@hackmanit.de>
Date: Tue, 08 Jun 2021 11:16:18 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <162314323386.24325.13195076892860417878@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="kL0E2YUFDO0JtSuUmbpx1iAGAFSwKLgZO"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FhnfGVbtO7B-XLUK-W43fc-qiIY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2021 09:16:32 -0000
Hi all, thank you for your feedback. In this version we addressed your comments on the JARM note and clarified the mix-up description. We also changed the title of the draft to make it a little shorter. Best regards, Karsten On 08.06.2021 11:07, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Web Authorization Protocol WG of the IETF. > > Title : OAuth 2.0 Authorization Server Issuer Identification > Authors : Karsten Meyer zu Selhausen > Daniel Fett > Filename : draft-ietf-oauth-iss-auth-resp-01.txt > Pages : 10 > Date : 2021-06-08 > > Abstract: > This document specifies a new parameter "iss" that is used to > explicitly include the issuer identifier of the authorization server > in the authorization response of an OAuth authorization flow. The > "iss" parameter serves as an effective countermeasure to "mix-up > attacks". > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/ > > There is also an HTML version available at: > https://www.ietf.org/archive/id/draft-ietf-oauth-iss-auth-resp-01.html > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-iss-auth-resp-01 > > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Karsten Meyer zu Selhausen Senior IT Security Consultant Phone: +49 (0)234 / 54456499 Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training Möchten Sie sich für ein Projekt mit dem Thema Single Sign-On oder den Standards OAuth und OpenID Connect vertraut machen? Dann melden Sie sich jetzt an für Ihre Einführung in Single Sign-On, OAuth und OpenID Connect am Mittwoch, 09.06.2021, von 10:00 - 14:30 Uhr! https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect Hackmanit GmbH Universitätsstraße 60 (Exzenterhaus) 44789 Bochum Registergericht: Amtsgericht Bochum, HRB 14896 Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-a… Karsten Meyer zu Selhausen
- [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-… internet-drafts