Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Marius Scurtescu <marius.scurtescu@coinbase.com> Tue, 04 December 2018 00:42 UTC

References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <B857DECA-5457-4E62-A720-437832850680@lodderstedt.net> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com>
In-Reply-To: <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com>
From: Marius Scurtescu <marius.scurtescu@coinbase.com>
Date: Mon, 03 Dec 2018 16:42:21 -0800
Message-ID: <CABpvcNvrXq9uYE9rG5OnzY3b6j5hdzgk_+pbm2=cEtHjug6Beg@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LC2YIz-3yTCKNzK8AVeqya9Ucfs>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

+1 for the proposed change

Providing context around the change and clarifying that this is not a
reaction to some emergency would be useful IMO.

On Mon, Dec 3, 2018 at 1:50 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I disagree.
>
> Existing deployments that have not mitigated against the concerns with
> implicit should be ripped up and updated.
>
> For example, at one time, I think it was Instagram that had deployed
> implicit because it was easier to do. Once they understood the security
> implications, they changed the implementation.
>
> BCPs are rarely a response to a new threat; they are capturing Best
> Current Practices so that they become widely deployed.
>
>
>
>
> On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are
>> saying here. And that was kind of behind the comment I made, or tried to
>> make, about this in Bangkok, which was (more or less) that I don't think
>> the WG should be killing implicit outright but rather that it should begin
>> to recommend against it.
>>
>> I'm not exactly sure what that looks like in this document but maybe
>> toning down some of the scarier language a bit, favoring SHOULDs vs. MUSTs,
>> and including language that helps a reader understand the recommendations
>> as being more considerations for new applications/deployments than as a
>> mandate to rip up existing ones.
>>
>>
>>
>> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>>
>>> We just need to be sensitive to the spin on this.
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
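The thread's subject is the Security BCP draft's recommendation to use the authorization code grant (with PKCE, for clients that would otherwise have used implicit) instead of the implicit grant. The following is an added illustration of the difference that recommendation rests on; it is not code from this thread, from any of its authors, or from any OAuth implementation, and the client id `spa-client`, the redirect URI `https://app.example/cb`, and the toy `AuthorizationServer` class are constructed for the example. It issues both kinds of authorization response so the contrast is visible: with `response_type=token` the access token itself travels back through the user agent in the URL fragment, while with `response_type=code` the front channel carries only a short-lived, single-use code that the token endpoint will redeem only for the same `client_id` and `redirect_uri` and only with the PKCE verifier matching the challenge presented at `/authorize`.

```python
"""Toy authorization server contrasting implicit with authorization code + PKCE.
Added illustration only; names, URLs and the server class are constructed."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed registration: one public (browser-based) client.
CLIENTS = {"spa-client": {"redirect_uris": {"https://app.example/cb"}}}
CODE_LIFETIME_SECONDS = 60


def s256(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # issued code -> binding record; popped on first use

    def _check_client(self, client_id, redirect_uri):
        reg = CLIENTS.get(client_id)
        # Exact string match against the registered redirect URI, no prefix matching.
        if reg is None or redirect_uri not in reg["redirect_uris"]:
            raise ValueError("invalid_client")

    def authorize_implicit(self, client_id, redirect_uri, state):
        """response_type=token: the bearer token itself is handed to the user agent
        in the fragment, so anything that sees the redirect (history, referrers,
        scripts on the page) sees the token."""
        self._check_client(client_id, redirect_uri)
        access_token = secrets.token_urlsafe(32)
        return f"{redirect_uri}#access_token={access_token}&token_type=Bearer&state={state}"

    def authorize_code(self, client_id, redirect_uri, state, code_challenge):
        """response_type=code: only a short-lived single-use code crosses the front
        channel, bound to client_id, redirect_uri and the PKCE code_challenge."""
        self._check_client(client_id, redirect_uri)
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "expires_at": time.time() + CODE_LIFETIME_SECONDS,
        }
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint (back channel): consume the code first, then check every
        binding; any failure is invalid_grant and the code stays consumed."""
        record = self._codes.pop(code, None)
        if record is None:
            raise ValueError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        if time.time() > record["expires_at"]:
            raise ValueError("invalid_grant")
        # PKCE: the verifier must hash to the challenge presented at /authorize.
        if not secrets.compare_digest(s256(code_verifier), record["code_challenge"]):
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def token_in_front_channel(redirect_url: str) -> bool:
    """True if an access token appears in the query or fragment of the redirect."""
    parts = urlsplit(redirect_url)
    return "access_token" in parse_qs(parts.query) or "access_token" in parse_qs(parts.fragment)


def code_from_redirect(redirect_url: str) -> str:
    return parse_qs(urlsplit(redirect_url).query)["code"][0]


def run_demo():
    """Exercise both grants against the toy server and report what happened."""
    srv = AuthorizationServer()
    client, cb, state = "spa-client", "https://app.example/cb", "xyz"

    implicit_url = srv.authorize_implicit(client, cb, state)

    verifier = secrets.token_urlsafe(32)
    code_url = srv.authorize_code(client, cb, state, s256(verifier))
    code = code_from_redirect(code_url)
    first = srv.token(client, code, cb, verifier)

    def rejected(**kw):
        try:
            srv.token(**kw)
        except ValueError:
            return True
        return False

    # A second, fresh code presented with the wrong verifier: a leaked code alone
    # is not enough to obtain a token.
    code2 = code_from_redirect(srv.authorize_code(client, cb, state, s256(verifier)))
    return {
        "implicit_token_in_front_channel": token_in_front_channel(implicit_url),
        "code_token_in_front_channel": token_in_front_channel(code_url),
        "exchange_ok": "access_token" in first,
        "replay_rejected": rejected(client_id=client, code=code, redirect_uri=cb, code_verifier=verifier),
        "wrong_verifier_rejected": rejected(client_id=client, code=code2, redirect_uri=cb,
                                            code_verifier="not-the-verifier"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the implicit redirect carrying `access_token` in the fragment while the code redirect carries only `code`, the code being redeemed exactly once, and a replayed or verifier-less code being refused. Real servers add what this toy omits (client authentication for confidential clients, scope and audience handling, logging of failed exchanges), but the property the BCP discussion turns on is already visible here: with the code grant the token never passes through the browser's address bar.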