[OAUTH-WG] New Draft: OAuth 2.0 Security BCP Update - Request for Early Feedback
Tim Würtele <tim.wuertele@sec.uni-stuttgart.de> Tue, 17 June 2025 04:40 UTC
Organization: SEC - Uni Stuttgart
To: oauth@ietf.org
CC: kaixuan@ie.cuhk.edu.hk, adonis.fung@samsung.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IxJAbaM7qOePnf9UonwDoWEvmcs>
Dear OAuth WG,

We've just published a new I-D draft-wuertele-oauth-security-topics-update-01 to update RFC 9700 [1]. As briefly discussed and agreed upon at IETF 122 [2], since the publication of RFC 9700, two new classes of attacks have been discovered that warrant updates to the current best practices:

- Audience Injection Attacks, which have been presented and discussed in the January interim meeting [3], and at OSW 2025.
- New Mix-Up Variants, which were presented and discussed in depth at OSW 2025 [4], and with the original RFC 9700 authors.

We would like to kindly invite the working group to review this draft and provide early feedback, especially on Section 2, which contains the newly identified attacks and corresponding defenses. The draft is still in an early state and not yet fully polished, but we are very interested in receiving any feedback at this stage, and in particular on the following points:

- Does the structure of Section 2 make sense overall?
- Are the attack descriptions in Section 2 clear and sufficient to understand the threats?
- Are the defense descriptions understandable and actionable?
- What should be the title of this document? There already is some discussion on this in issue #1 [5].
- Which existing RFCs should this document formally update (beyond RFC 9700)? See also issue #4 [6].

Feedback is very welcome both on the mailing list and as GitHub issues (including comments/thoughts on the existing issues).

Looking forward to your thoughts and feedback!
Best regards,
Pedram, Kaixuan, Adonis, and Tim

[1] https://datatracker.ietf.org/doc/draft-wuertele-oauth-security-topics-update
[2] https://datatracker.ietf.org/doc/minutes-122-oauth-202503180600/#updating-security-bcp---pedram-hosseyni-10-min
[3] https://datatracker.ietf.org/meeting/interim-2025-oauth-04/session/oauth
[4] https://talks.secworkshop.events/osw2025/talk/WG9TEW
[5] https://github.com/SECtim/draft-wuertele-oauth-security-topics-update/issues/1
[6] https://github.com/SECtim/draft-wuertele-oauth-security-topics-update/issues/4