Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Mon, 25 January 2016 18:58 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246BC1B3918 for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 10:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E-pcjhYmBTmZ for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 10:58:28 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21AE21B38DE for <oauth@ietf.org>; Mon, 25 Jan 2016 10:58:28 -0800 (PST)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u0PIwOrC032714 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 25 Jan 2016 18:58:25 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u0PIwOBl008191 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 25 Jan 2016 18:58:24 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id u0PIwNEn013120; Mon, 25 Jan 2016 18:58:24 GMT
Received: from [192.168.1.23] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 25 Jan 2016 10:58:23 -0800
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (13D15)
In-Reply-To: <56A66BED.3090505@aol.com>
Date: Mon, 25 Jan 2016 10:58:21 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <8EBCD2DD-D9D8-4AFD-A12F-A8C5C9DC4C06@oracle.com>
References: <569E22E1.5010402@gmx.net> <CANSMLKHjAHr6rUZny5EkX0KBHnOcLuUOZBL0Wwf6V8Y3tt_kNw@mail.gmail.com> <CABzCy2C-_57dO5n6GN6wazA9ozuPivrQd95g_XvdkPWx6zDwAA@mail.gmail.com> <CANSMLKE98FVdDV-7bwW3wZ=-ao5=oXkn9LO5s_M1KmMAt7Drcw@mail.gmail.com> <537B9D13-1159-4B2D-9E1A-A245C9B3659C@ve7jtb.com> <CAAP42hDUciKpS51dyx7Zy-kSCB_JUZqooXiaGTopHaFr_QkF5Q@mail.gmail.com> <995474C5-62E7-4310-84AF-A5EF1CDEA4DB@ve7jtb.com> <56A63F82.40104@aol.com> <6D8FA56F-EA72-4509-90C1-DC33094FA695@ve7jtb.com> <56A66522.1090804@aol.com> <23E34900-5C05-4295-AFC5-7DEBA6449AA7@ve7jtb.com> <56A66BED.3090505@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/QqwXHQ2jiwDEkMIx67v5XaNihd4>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 18:58:29 -0000

I recall making this point in Germany. 99% of existing use is fine. OIDC is probably the largest community that *might* have an issue. 

I recall proposing a new security document that covers oauth security for dynamic scenarios. "Dynamic" being broadly defined to mean:
* clients who have configured at runtime or install time (including clients that do discovery)
* clients that communicate with more than one endpoint
* clients that are deployed in large volume and may update frequently (more discussion of "public" cases)
* clients that are script based (loaded into browser on the fly)
* others?

Phil

> On Jan 25, 2016, at 10:39, George Fletcher <gffletch@aol.com> wrote:
> 
> would