Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-security-topics-23.txt

Denis <denis.ietf@free.fr> Thu, 15 June 2023 15:30 UTC

Message-ID: <96a0ca24-22f3-107f-a0fb-59055822a329@free.fr>
Date: Thu, 15 Jun 2023 17:30:25 +0200
To: Daniel Fett <mail=40danielfett.de@dmarc.ietf.org>
References: <168603324657.34280.5588205604665416330@ietfa.amsl.com> <8271bbc9-b571-7f21-fddc-3a4e694a6bc6@danielfett.de>
Cc: oauth@ietf.org, oauth-chairs@ietf.org
From: Denis <denis.ietf@free.fr>
In-Reply-To: <8271bbc9-b571-7f21-fddc-3a4e694a6bc6@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SwVr3tASiX401Nre8jnidC94G1w>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-security-topics-23.txt

Hi Daniel,

I have two issues/questions:

*Question 1*

Section 2.3 is about "Access Token Privilege Restriction"

The privileges associated with an access token SHOULD be restricted
to the minimum required for the particular application or use case.

The question is the following. Is it possible to use OAuth to 
demonstrate that someone is over 18?

If the answer is no, then the draft should mention it.
If the answer is yes, what would be the "minimum privileges required for 
this particular use case"?

Note: An additional section called "Privacy Considerations" might be 
adequate to answer the last question.


*Question 2*

Section 4.10.1 is about "Sender-Constrained Access Tokens"

On page 36, the text states:

    "Note that the security of sender-constrained tokens is undermined
    when an attacker gets access to the token and the key material".

It should be mentioned that this scenario also happens when there is no 
"attacker" but a collaboration/collusion between users.

If OAuth is able to demonstrate that someone is over 18, then the 
question is the following: Can the resource server detect the 
collaboration?

If the answer is no, then the draft should mention it.
If the answer is yes, how can the resource server detect the collaboration?

Denis
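Worked illustration of the binding check behind Question 2, added here and not part of the thread or of the draft: a resource server validates a DPoP-style sender-constrained token by comparing the key the caller proves possession of against the thumbprint carried in the token's cnf/jkt claim, and the same check is run for the three presentations discussed above. The key material, the claim set and the age_over_18 scope are constructed placeholders, and the proof-of-possession signature is assumed to have been verified already.

```python
import base64
import hashlib
import json

# Added illustration (not from the draft or the thread): the resource-server-side
# binding check for a sender-constrained access token in the DPoP style, where
# the token's "cnf"/"jkt" claim carries the RFC 7638 thumbprint of the client's
# public key. The proof-of-possession signature itself is assumed to have been
# verified already; only the binding check is shown. All key material below is
# constructed, not real.

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC JWK: SHA-256 over the lexically sorted,
    whitespace-free JSON of the required members only."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def rs_accepts(token: dict, presented_jwk: dict) -> bool:
    """The resource server accepts the token only if the key the caller proved
    possession of matches the key the token was issued to."""
    jkt = token.get("cnf", {}).get("jkt")
    return jkt is not None and jkt == jwk_thumbprint(presented_jwk)

# Constructed keys: the legitimate holder's key and an unrelated second key.
HOLDER_KEY = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}

# Constructed token payload bound to the holder's key (other claims omitted).
TOKEN = {"sub": "holder", "scope": "age_over_18", "cnf": {"jkt": jwk_thumbprint(HOLDER_KEY)}}

def scenarios() -> dict:
    """Three presentations of the same token at the resource server."""
    return {
        # The holder presents the token with the key it was bound to.
        "holder": rs_accepts(TOKEN, HOLDER_KEY),
        # A party that obtained only the token, not the key, fails the binding.
        "token_only": rs_accepts(TOKEN, OTHER_KEY),
        # A party that was handed both token and key passes the very same check:
        # from the resource server's view this is indistinguishable from "holder".
        "token_and_key": rs_accepts(TOKEN, HOLDER_KEY),
    }

if __name__ == "__main__":
    print(scenarios())
```

The third case is the one the quoted sentence from Section 4.10.1 describes: once token and key travel together, the binding check alone gives the resource server nothing to detect, whether the second party is an attacker or a willing collaborator.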

> Hi all,
>
> for this new version of the Security BCP, we added what we understood 
> was the minimal consensus from the discussion on the usage of CORS 
> here on this mailing list (see 
> https://mailarchive.ietf.org/arch/msg/oauth/7Uv00hN8StKczOtNmFA0KvteFTw/).
>
> We further aligned Section 4.15.1 with OAuth 2.1 to account for cases 
> where client_ids are created by clients themselves.
>
> On the non-normative side of things, we also updated references (e.g., 
> RAR), fixed some typos and mistakes, clarified things (e.g., to ensure 
> that the precise redirect URIs check is unambiguous), and I updated my 
> affiliation.
>
> @Hannes, Rifaat: Please start the Shepherd's Writeup on this version.
>
> -Daniel
>
>
>
> -------- Forwarded Message --------
> Subject: 	New Version Notification for 
> draft-ietf-oauth-security-topics-23.txt
> Date: 	Mon, 05 Jun 2023 23:34:06 -0700
> From: 	internet-drafts@ietf.org
> To: 	Andrey Labunets <isciurus@gmail.com>, Daniel Fett 
> <mail@danielfett.de>, John Bradley <ve7jtb@ve7jtb.com>, Torsten 
> Lodderstedt <torsten@lodderstedt.net>
>
> A new version of I-D, draft-ietf-oauth-security-topics-23.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
>
> Name: draft-ietf-oauth-security-topics
> Revision: 23
> Title: OAuth 2.0 Security Best Current Practice
> Document date: 2023-06-05
> Group: oauth
> Pages: 62
> URL: 
> https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.txt
> Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
> Html: 
> https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html
> Htmlized: 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
> Diff: 
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-23
>
> Abstract:
> This document describes best current security practice for OAuth 2.0.
> It updates and extends the OAuth 2.0 Security Threat Model to
> incorporate practical experiences gathered since OAuth 2.0 was
> published and covers new threats relevant due to the broader
> application of OAuth 2.0.
>
> The IETF Secretariat