Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Jared Jennings <jaredljennings@gmail.com> Wed, 06 November 2019 20:16 UTC

From: Jared Jennings <jaredljennings@gmail.com>
Date: Wed, 06 Nov 2019 14:16:19 -0600
Message-ID: <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ko2za6h418VzZzIhFBGCG4AqpWs>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hi,

This is my first time reviewing a document or responding to the group. So,
with that introduction feel free to guide me along the way.

Reading through the document, I had a few high-level questions first. I
will have more detailed comments later, once I know I'm on the right track.
I assume those comments should just be shared with the mailing list?

1. Since the document is a "Best Practices" document, are the words "MUST"
and "REQUIRED" and other definitive terms? Should SHOULD and
RECOMMENDED be used instead?

2. Should other possible threats and vulnerabilities be included? Meaning,
is the list the definitive known list?

Thanks!
-Jared
Skype:jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152



On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com>
wrote:

> Hi all,
>
> this is a working group last call for "OAuth 2.0 Security Best Current
> Practice".
>
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three-week WGLC because of the IETF meeting.)
>
> Ciao
> Hannes & Rifaat
>