[OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 06 November 2019 08:27 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 6 Nov 2019 08:26:49 +0000
Message-ID: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JxVkZoJrGvNeYdR6ZNzPuDB8Ycc>
Subject: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hi all,

This is a working group last call for "OAuth 2.0 Security Best Current Practice".

Here is the document:
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13

Please send your comments to the OAuth mailing list by Nov. 27, 2019.
(We use a three week WGLC because of the IETF meeting.)

Ciao
Hannes & Rifaat
