[OAUTH-WG] Concluding the Call for Adoption of the Authorization Server Mix-Up Specification

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 11 March 2016 20:19 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <56E32835.4090702@gmx.net>
Date: Fri, 11 Mar 2016 21:19:01 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MXTxCf4fWNcZs5YiijL5_6EcRFQ>
Subject: [OAUTH-WG] Concluding the Call for Adoption of the Authorization Server Mix-Up Specification

Hi all,

On February 19 I posted a note to the list asking the group to consider
a call for adoption of either <draft-jones-oauth-mix-up-mitigation-01>
or <draft-sakimura-oauth-meta-07>, see
https://www.ietf.org/mail-archive/web/oauth/current/msg15829.html

I gave time till early March to think about this topic and there was a
lot of feedback on the mailing list.

Here are key observations I made:

 (1) Most folks argued that they wanted
<draft-jones-oauth-mix-up-mitigation-01> as a starting point for a
solution (*).

 There are, however, various issues that surfaced:

    a) From the discussions I think the document needs to provide more
information about the attack (in addition to the reference to the
research paper).

    b) William furthermore suggested to change the title of the document
to have a more positive tone, namely to focus on the use case it supports
rather than the attack it mitigates. I am open to suggestions to hear
better document titles and abstracts.

    c) Torsten argued that the code injection/copy and paste attack
should go into a separate document (instead of covering both types of
issues in the same document).

 (2) There is some interest to explore a PKCE-based solution approach as
well. I believe we should survey the landscape extensively and also
consider this approach.

To acknowledge the work Nat has put into this topic with the work on
<draft-sakimura-oauth-meta-07> and the discussion feedback I would like
to have him participate in the work of the working group item as a
co-author.

I would like to already now thank those who had spent time and energy in
exploring this topic. Big thanks also go to Roland, Brian and Hans for
their prototyping efforts.

Ciao
Hannes

PS: During the discussion some other issues surfaced, such as associating
the access tokens with a specific audience, and this is a topic we will
have to cover separately.