Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 16 November 2019 07:51 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <3FE840EE-9261-414E-8AB7-B75BD8BA6F86@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_F2045457-8280-4934-9AF9-B0ADA11251E1"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Sat, 16 Nov 2019 08:51:15 +0100
In-Reply-To: <CAPHqeLd4szopBOVFUyThhx5X7bW2izB+nPKCzZ+1b5efB3wF_g@mail.gmail.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Vineet Banga <vineetbanga=40google.com@dmarc.ietf.org>
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAPHqeLd4szopBOVFUyThhx5X7bW2izB+nPKCzZ+1b5efB3wF_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G3_ZfznmjTdQwk4vo7X1weKe-vo>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"


> On 16. Nov 2019, at 02:07, Vineet Banga <vineetbanga=40google.com@dmarc.ietf.org> wrote:
> 
> Just one comment/question at the moment:
> 3.1.1 - Is there any recommendation around leveraging state vs using multiple URIs (with exact match) to remember the application state of the client? I have seen an exploding list of registered redirect URIs, but am not aware of any security issues around this usage. But would like to check if there are any opinions on this matter.

The BCP recommends transaction-specific, one-time-use state values for CSRF prevention. To achieve the same protection level with redirect URIs and exact match, one would need to register per-transaction redirect URI values.

Do your redirect URIs meet those requirements?

> 
> 
> On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> Hi all,
> 
> this is a working group last call for "OAuth 2.0 Security Best Current Practice".
> 
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> 
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three week WGLC because of the IETF meeting.)
> 
> Ciao
> Hannes & Rifaat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
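The state handling described in the reply above (a transaction-specific, one-time-use state value bound to the client's browser session, alongside exact-match checking of registered redirect URIs), as an added Python example that is not part of this thread or of the BCP draft. The client id, authorization endpoint, redirect URIs, session identifiers and the 600-second lifetime are constructed assumptions, not values from the list discussion.

```python
# Added example (not from the mailing-list thread): a minimal client-side
# transaction store for OAuth 2.0 authorization requests. Each request gets a
# fresh, unguessable state value bound to the browser session that started it;
# the value is invalidated on first use and expires after a short TTL.
# Redirect URIs are compared by exact string match against a registered set,
# which is why a static registered URI alone cannot supply the per-transaction
# binding that a one-time state value provides.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

STATE_TTL_SECONDS = 600  # constructed value: how long a pending transaction stays valid


@dataclass
class PendingTransaction:
    session_id: str   # browser session that started the flow
    app_state: dict   # application data to restore after the redirect (e.g. "next" page)
    created_at: float


@dataclass
class OAuthClient:
    client_id: str
    authorization_endpoint: str
    registered_redirect_uris: frozenset
    _pending: dict = field(default_factory=dict)  # state -> PendingTransaction

    def begin_authorization(self, session_id, redirect_uri, app_state, now=None):
        """Mint a one-time state for this transaction; return (state, authorization URL)."""
        # Exact-match check: no prefix, wildcard or pattern matching of redirect URIs.
        if redirect_uri not in self.registered_redirect_uris:
            raise ValueError("redirect_uri is not registered")
        state = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        created = time.time() if now is None else now
        self._pending[state] = PendingTransaction(session_id, dict(app_state), created)
        url = self.authorization_endpoint + "?" + urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": redirect_uri,
            "state": state,
        })
        return state, url

    def finish_authorization(self, session_id, state, now=None):
        """Validate the state carried back on the redirect URI.

        Returns (True, app_state) on success or (False, reason) on rejection.
        """
        now = time.time() if now is None else now
        # pop() removes the entry whatever the outcome, so a state value can
        # never be presented twice (one-time use), even after a failed check.
        tx = self._pending.pop(state, None)
        if tx is None:
            return False, "unknown or already used state"
        # The state must return in the same browser session that created it;
        # a value minted in one session and replayed into another is rejected,
        # which is the CSRF protection the BCP's state recommendation targets.
        if not hmac.compare_digest(tx.session_id, session_id):
            return False, "state bound to a different session"
        if now - tx.created_at > STATE_TTL_SECONDS:
            return False, "state expired"
        return True, tx.app_state


def demo(now=1_000_000.0):
    """Run the happy path, a replay and a cross-session replay; return the outcomes."""
    client = OAuthClient(
        client_id="example-client",                              # constructed
        authorization_endpoint="https://as.example/authorize",   # constructed
        registered_redirect_uris=frozenset({"https://client.example/cb"}),  # constructed
    )
    victim, other = "sess-victim", "sess-other"  # constructed session identifiers
    state, url = client.begin_authorization(victim, "https://client.example/cb",
                                            {"next": "/home"}, now)
    first = client.finish_authorization(victim, state, now + 30)     # accepted
    replay = client.finish_authorization(victim, state, now + 31)    # rejected: consumed
    # A state created in a different session does not validate in the victim's session.
    other_state, _ = client.begin_authorization(other, "https://client.example/cb", {}, now)
    cross = client.finish_authorization(victim, other_state, now + 5)  # rejected: wrong session
    # Exact match: an extra path segment makes it a different redirect URI.
    try:
        client.begin_authorization(victim, "https://client.example/cb/extra", {}, now)
        exact_match_enforced = False
    except ValueError:
        exact_match_enforced = True
    return {"first": first, "replay": replay, "cross": cross,
            "exact_match": exact_match_enforced, "state_in_url": f"state={state}" in url}
```

The store is in-process for brevity; in a real deployment the pending map would live in the session store or a shared cache with the same semantics (lookup-and-delete in one step, TTL enforced), and entries that expire without being used should be purged so the map cannot grow without bound.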