Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Sat, 01 May 2021 20:47 UTC

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Sat, 1 May 2021 16:46:57 -0400
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>
In-Reply-To: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de>
Message-ID: <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TYzDxhybOjfcP_VklRfSxmD5qA8>

All,

We have not seen any comments on this document.
Can you please review the document and provide feedback, or indicate that
you have reviewed the document and have no concerns.

Regards,
 Rifaat & Hannes


On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> wrote:

> Hi all,
>
> The latest version of the security BCP references
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>
> There have not been any concerns with the first WG draft version so far:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>
> I would like to ask the WG if there are any comments on or concerns with
> the current draft version.
>
> Otherwise I hope we can move forward with the next steps and hopefully
> finish the draft before/with the security BCP.
>
> Best regards,
> Karsten
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on:https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>