[OAUTH-WG] Protocol Action: 'Proof Key for Code Exchange by OAuth Public Clients' to Proposed Standard (draft-ietf-oauth-spop-15.txt)
The IESG <iesg-secretary@ietf.org> Fri, 10 July 2015 22:01 UTC
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-ID: <20150710220122.24087.51327.idtracker@ietfa.amsl.com>
Date: Fri, 10 Jul 2015 15:01:22 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RPRsWqYe2TS2EdVTG2e5DsfAWgU>
Cc: oauth chair <oauth-chairs@tools.ietf.org>, oauth mailing list <oauth@ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
The IESG has approved the following document:
- 'Proof Key for Code Exchange by OAuth Public Clients'
  (draft-ietf-oauth-spop-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/

Technical Summary

   OAuth 2.0 public clients utilizing the Authorization Code Grant are
   susceptible to the authorization code interception attack. This
   specification describes the attack as well as a technique to mitigate
   the threat.

Working Group Summary

   The working group last call for this document was started soon after
   the document was adopted as a WG item. A substantial number of
   comments were received and the subsequent document versions addressed
   those comments. No difficult decisions had to be made by the chairs or
   the group.

Document Quality

   PingIdentity, Google, and Deutsche Telekom have implementations of the
   plain code challenge method. Additional information on implementations
   can be found in the shepherd report.

   Review from an ABNF expert is requested. Specific questions are
   included in the shepherd writeup.

Personnel

   Hannes Tschofenig is the document shepherd and the responsible area
   director is Kathleen Moriarty.

IANA Note

   This document allocates three new parameters in the existing OAuth
   Parameters registry (see Section 6.1) and creates a new registry
   called 'PKCE Code Challenge Method', with expert review required
   (RFC 5226). This document adds two values to the PKCE Code Challenge
   Method registry, as defined in Section 6.2.2.
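The Technical Summary describes the attack and the mitigation only in one sentence each. The following is an added worked example, not code from the draft or from any of the implementations named above: it derives a code_verifier and code_challenge the way the approved specification (draft-ietf-oauth-spop, published as RFC 7636) defines them, simulates both the public client and the authorization server in-process, and shows why an attacker who has intercepted the authorization code cannot redeem it. The AuthorizationServer class, run_flow(), the client_id "public-app" and the in-memory code store are illustrative assumptions; the test vector is the one given in the specification's Appendix B.

```python
"""PKCE worked example: code_verifier/code_challenge derivation (client side)
and the authorization server's check that binds the token request to the
party that started the authorization request. Everything is simulated
in-process; no network I/O."""
import base64
import hashlib
import hmac
import os
import re
import secrets

# code_verifier syntax: 43..128 unreserved characters [A-Za-z0-9-._~].
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

# Test vector from Appendix B of the specification (S256 method).
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE_S256 = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding without '=' padding, as the spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """32 random octets encode to 43 base64url characters, the minimum length."""
    return b64url_nopad(os.urandom(n_bytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """plain: challenge == verifier. S256: BASE64URL(SHA256(ASCII(verifier)))."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier does not match the allowed syntax")
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method {method!r}")


class AuthorizationServer:
    """Illustrative AS (assumption): stores the challenge with each issued
    code and verifies the code_verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, params: dict) -> str:
        challenge = params["code_challenge"]
        # The spec defaults code_challenge_method to "plain" when absent.
        method = params.get("code_challenge_method", "plain")
        if method not in ("plain", "S256"):
            raise ValueError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (challenge, method)
        return code

    def token(self, params: dict) -> dict:
        entry = self._codes.pop(params.get("code"), None)  # codes are single-use
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        verifier = params.get("code_verifier")
        if verifier is None or not VERIFIER_RE.fullmatch(verifier):
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(code_challenge(verifier, method), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(method: str = "S256", attacker_intercepts_code: bool = False,
             attacker_saw_challenge: bool = False) -> dict:
    """Run one authorization-code flow. If attacker_intercepts_code is set, an
    interceptor who captured the code on the redirect (but never the verifier,
    which only travels client -> AS over TLS) tries to redeem it. If it also
    saw the authorization request, it replays the challenge as the verifier."""
    as_ = AuthorizationServer()
    verifier = generate_code_verifier()
    challenge = code_challenge(verifier, method)
    code = as_.authorize({
        "response_type": "code", "client_id": "public-app",
        "code_challenge": challenge, "code_challenge_method": method,
    })
    request = {"grant_type": "authorization_code", "code": code,
               "client_id": "public-app"}
    if attacker_intercepts_code:
        if attacker_saw_challenge:
            request["code_verifier"] = challenge  # succeeds only for "plain"
        return as_.token(request)
    request["code_verifier"] = verifier
    return as_.token(request)


if __name__ == "__main__":
    assert code_challenge(RFC_VERIFIER) == RFC_CHALLENGE_S256
    print("legit S256:", run_flow("S256"))
    print("intercepted code, S256:", run_flow("S256", True))
    print("intercepted code + challenge, plain:", run_flow("plain", True, True))
    print("intercepted code + challenge, S256:", run_flow("S256", True, True))
```

The last two calls show the difference between the two registered methods: with "plain" the challenge is the verifier, so anyone who can observe the authorization request (for example through a logging proxy or another app on the device) can redeem an intercepted code, whereas with "S256" observing the challenge reveals nothing usable, which is why the specification makes S256 mandatory for servers and allows "plain" only where the client cannot compute SHA-256.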