[OAUTH-WG] Protocol Action: 'Proof Key for Code Exchange by OAuth Public Clients' to Proposed Standard (draft-ietf-oauth-spop-15.txt)

The IESG <iesg-secretary@ietf.org> Fri, 10 July 2015 22:01 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 7CB4A1A0399; Fri, 10 Jul 2015 15:01:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Vwzqsf3RFLC2; Fri, 10 Jul 2015 15:01:27 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E5FD91B2D1B; Fri, 10 Jul 2015 15:01:22 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.0.4.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150710220122.24087.51327.idtracker@ietfa.amsl.com>
Date: Fri, 10 Jul 2015 15:01:22 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/RPRsWqYe2TS2EdVTG2e5DsfAWgU>
Cc: oauth chair <oauth-chairs@tools.ietf.org>, oauth mailing list <oauth@ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [OAUTH-WG] Protocol Action: 'Proof Key for Code Exchange by OAuth Public Clients' to Proposed Standard (draft-ietf-oauth-spop-15.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 22:01:28 -0000

The IESG has approved the following document:
- 'Proof Key for Code Exchange by OAuth Public Clients'
  (draft-ietf-oauth-spop-15.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working

The IESG contact persons are Stephen Farrell and Kathleen Moriarty.

A URL of this Internet Draft is:

Technical Summary

   OAuth 2.0 public clients utilizing the Authorization Code Grant 
   are susceptible to the authorization code interception attack.  
   This specification describes the attack as well as a technique 
   to mitigate against the threat.
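The mitigation the draft describes (PKCE) binds the authorization code to a secret the client never sends over the front channel: the client picks a high-entropy code_verifier, sends only a code_challenge derived from it in the authorization request, and proves possession of the verifier when redeeming the code at the token endpoint. The following is an added illustration, not text or code from the draft or from this announcement; it implements the two challenge methods the specification registers, plain and S256 (the S256 name and the RFC 5226 expert-review registry are in the specification, not on this page), and walks through a constructed flow in which a party holding only the intercepted code cannot redeem it. The function and variable names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier: 43..128 characters from the unreserved set [A-Za-z0-9-._~]
# (the constraint the specification places on the verifier).
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes yield a 43-character base64url verifier."""
    verifier = b64url_nopad(secrets.token_bytes(nbytes))
    assert VERIFIER_RE.match(verifier)
    return verifier


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value placed in the authorization request.

    S256:  BASE64URL(SHA-256(ASCII(code_verifier)))
    plain: code_verifier itself (for clients unable to hash)
    """
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier) -> bool:
    """Authorization-server side, at the token endpoint.

    Recomputes the challenge from the presented verifier using the method
    that was stored with the code, and compares in constant time.
    """
    if not isinstance(presented_verifier, str) or not VERIFIER_RE.match(presented_verifier):
        return False
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def simulate_authorization_code_flow() -> dict:
    """Constructed walk-through (not a real server): the authorization server
    stores the challenge alongside the code it issues, so the code alone is
    not enough to obtain a token."""
    verifier = generate_code_verifier()
    # The authorization request carries the challenge, never the verifier.
    auth_request = {
        "code_challenge": code_challenge(verifier, "S256"),
        "code_challenge_method": "S256",
    }
    # The server issues a code and records the challenge with it.
    issued_code = b64url_nopad(secrets.token_bytes(16))
    code_store = {issued_code: auth_request}

    def token_endpoint(code: str, presented_verifier) -> bool:
        entry = code_store.get(code)
        if entry is None:
            return False
        return verify_code_verifier(entry["code_challenge"],
                                    entry["code_challenge_method"],
                                    presented_verifier)

    return {
        # The client that created the verifier can redeem the code.
        "legitimate_client": token_endpoint(issued_code, verifier),
        # A party that only observed the code has no verifier to present.
        "code_only_holder": token_endpoint(issued_code, None),
    }


if __name__ == "__main__":
    print(simulate_authorization_code_flow())
```

Two points worth noting from the code: the server must verify using the method recorded when the code was issued, not a method the token request names, and the verifier check is only meaningful when the verifier stays on the client, which is why the plain method (where challenge and verifier are identical) protects only against a party that sees the redirect but not the original authorization request.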

Working Group Summary

  The working group last call for this document was started 
  soon after the document was adopted as a WG item. A substantial
  number of comments were received and the subsequent document 
  versions addressed those comments. No difficult decisions
  had to be made by the chairs or the group. 

Document Quality

PingIdentity, Google, and Deutsche Telekom have implementations 
of the plain code challenge method.  Additional information on 
implementations can be found in the shepherd report.

Review from an ABNF expert is requested.  Specific questions are 
included in the shepherd writeup.


Hannes Tschofenig is the document shepherd and the responsible area 
director is Kathleen Moriarty. 


This document allocates three new parameters in the existing OAuth 
parameter registry (see Section 6.1) and creates a new registry 
called 'PKCE Code Challenge Method', with Expert Review required as 
specified in RFC 5226. This document adds two values to the PKCE Code 
Challenge Method registry, as defined in Section 6.2.2.