Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt

Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 23 October 2023 11:36 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Date: Mon, 23 Oct 2023 11:36:18 +0000
Message-ID: <DBAPR83MB04223A51077BAC3788022E3791D8A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
References: <169800477582.10389.4771388527236821968@ietfa.amsl.com>
In-Reply-To: <169800477582.10389.4771388527236821968@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KtFY7-2htKq5j44aHaEqvF4q0dQ>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt

Hi all,

We updated the cross-device security BCP based on guidance received at IETF 117 as well as input during the OAuth Security Workshop (OSW) 2023. The additions include:

1. Introduction of normative SHOULD, RECOMMENDED and MAY when applied to actions the Authorization Server, Resource Server or Client may implement, as discussed at IETF 117.
2. Added Cross-Device Session Transfer pattern based on input received at OSW 2023.
3. Added two additional mitigations:
        a) User Education as a standalone mitigation.
        b) Request Binding with Out-of-Band Data.
4. Added additional examples based on attacks observed in the wild.
5. Renamed "Authenticated Flow" to the more descriptive "Authenticate-then-Initiate".
6. Adopted OpenID Foundation terminology from CIBA, using Consumption Device instead of Initiating Device.
7. Added acknowledgements to recognise contributions from Maryam Mehrnezhad, Marco Pernpruner and Giada Sciarretta.
8. Editorial updates.

Apologies for the two quick releases in succession. There was a formatting issue in the -03 version that resulted in the document history not showing correctly, prompting an update to the -04 version.

Cheers

Pieter

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Sunday, October 22, 2023 9:00 PM
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt

Internet-Draft draft-ietf-oauth-cross-device-security-04.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-04.txt
   Pages:   53
   Dates:   2023-10-22

Abstract:

   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance, and the
   analytical tools needed to evaluate the effectiveness of these
   mitigations.  It serves as a security guide to system designers,
   architects, product managers, security specialists, fraud analysts
   and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

