[OAUTH-WG] I-D Action: draft-ietf-oauth-mix-up-mitigation-00.txt

internet-drafts@ietf.org Sun, 20 March 2016 15:00 UTC

From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Message-ID: <20160320150038.2290.23766.idtracker@ietfa.amsl.com>
Date: Sun, 20 Mar 2016 08:00:38 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/SAeWcHzJuhj0BPPEZjojermrRY0>
Cc: oauth@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

        Title           : OAuth 2.0 Mix-Up Mitigation
        Authors         : Michael B. Jones
                          John Bradley
                          Nat Sakimura
        Filename        : draft-ietf-oauth-mix-up-mitigation-00.txt
        Pages           : 14
        Date            : 2016-03-18

Abstract:
   This specification defines an extension to The OAuth 2.0
   Authorization Framework that enables the authorization server to
   dynamically provide the client using it with additional information
   about the current protocol interaction that can be validated by the
   client and that enables the client to dynamically provide the
   authorization server with additional information about the current
   protocol interaction that can be validated by the authorization
   server.  This additional information can be used by the client and
   the authorization server to prevent classes of attacks in which the
   client might otherwise be tricked into using inconsistent sets of
   metadata from multiple authorization servers, including potentially
   using a token endpoint that does not belong to the same authorization
   server as the authorization endpoint used.  Recent research
   publications refer to these as "IdP Mix-Up" and "Malicious Endpoint"
   attacks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/