Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Security: OAuth Open Redirector
George Fletcher <gffletch@aol.com> Mon, 25 January 2016 18:44 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59A491B38FA for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 10:44:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RbNnIxsvBYG for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 10:44:54 -0800 (PST)
Received: from omr-m020e.mx.aol.com (omr-m020e.mx.aol.com [204.29.186.20]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 013E11B38F6 for <oauth@ietf.org>; Mon, 25 Jan 2016 10:44:53 -0800 (PST)
Received: from mtaout-aag01.mx.aol.com (mtaout-aag01.mx.aol.com [172.26.126.77]) by omr-m020e.mx.aol.com (Outbound Mail Relay) with ESMTP id 24A213800057; Mon, 25 Jan 2016 13:44:53 -0500 (EST)
Received: from [10.172.102.124] (unknown [10.172.102.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aag01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 43D063800012E; Mon, 25 Jan 2016 13:44:52 -0500 (EST)
To: Phil Hunt <phil.hunt@oracle.com>, Nat Sakimura <sakimura@gmail.com>
References: <569E2260.4080904@gmx.net> <CAAP42hCmVB0QzAqFaFa68j1FbjSgZ-xSWw+CHT+fa_EsL2W22w@mail.gmail.com> <B1D935B9-0716-4F68-8C6A-9538CEF021F3@ve7jtb.com> <CABzCy2AZ3ZNhgNxD8pZysvd6zHVhSte7m2+=HjPRxsO4WQW5dA@mail.gmail.com> <558BEED7-2716-4B63-9F0C-5E740D6839C8@oracle.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A66D23.7080906@aol.com>
Date: Mon, 25 Jan 2016 13:44:51 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <558BEED7-2716-4B63-9F0C-5E740D6839C8@oracle.com>
Content-Type: multipart/alternative; boundary="------------020007000508000602060303"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1453747493; bh=aXITLoCzCTZsCffUpjG1nY3iyP55Ej/CVaYQwNLlTsk=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=K/QC4ml/Gpn/jPzBVq11VP28352AMG9ej32c9oD62MPswftGFZ55a4/EiVY5UbUQO K1dWMOhCGjW2dfbah+OSYg8R5ufOSJ5y3DC6VbUltaOrN9wpGAkGoUMzTIjydU8ZII qXICBhmyesuve1+STbGLfB5GHHJIlyBqf7YdkZhQ=
x-aol-sid: 3039ac1a7e4d56a66d240d03
X-AOL-IP: 10.172.102.124
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/W559-6E_V0p-yfd6wI0hOqIwTrM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Security: OAuth Open Redirector
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 18:44:56 -0000
+1 On 1/25/16 1:41 PM, Phil Hunt wrote: > Also, I would like to have a discussion in the WG around organization > of the docs. What can we amend as errata (to give some of this stuff > more prominence), and what new docs we should have? With PKCE, > mix-up, and this, we may end up causing more confusion or at the very > least by having multiple “point” issue specs. > > Phil > > @independentid > www.independentid.com <http://www.independentid.com> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > > >> On Jan 21, 2016, at 6:28 AM, Nat Sakimura <sakimura@gmail.com >> <mailto:sakimura@gmail.com>> wrote: >> >> +1 apart from the title... It sounds like the spec is implementing >> OAuth Open Redirector... >> Something like "preventing OAuth open redirector" or so might be more >> descriptive. >> >> Nat >> >> 2016年1月21日(木) 23:08 John Bradley <ve7jtb@ve7jtb.com >> <mailto:ve7jtb@ve7jtb.com>>: >> >> +1 for adoption >> >>> On Jan 21, 2016, at 3:18 AM, William Denniss >>> <wdenniss@google.com <mailto:wdenniss@google.com>> wrote: >>> >>> +1 for adoption. >>> >>> On Tue, Jan 19, 2016 at 7:47 PM, Hannes Tschofenig >>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> >>> wrote: >>> >>> Hi all, >>> >>> this is the call for adoption of OAuth 2.0 Security: OAuth Open >>> Redirector, see >>> https://tools.ietf.org/html/draft-bradley-oauth-open-redirector-02 >>> >>> Please let us know by Feb 2nd whether you accept / object to the >>> adoption of this document as a starting point for work in >>> the OAuth >>> working group. >>> >>> Note: At the IETF Yokohama we asked for generic feedback >>> about doing >>> security work in the OAuth working group and there was very >>> positive >>> feedback. However, for the adoption call we need to ask for >>> individual >>> documents. Hence, you need to state your view again. >>> >>> Ciao >>> Hannes & Derek >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Chief Architect Identity Services Engineering Work: george.fletcher@teamaol.com AOL Inc. AIM: gffletch Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch Office: +1-703-265-2544 Photos: http://georgefletcher.photography
- [OAUTH-WG] Call for Adoption: OAuth 2.0 Security:… Hannes Tschofenig
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Antonio Sanso
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… William Denniss
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Brian Campbell
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Phil Hunt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Mike Jones
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Secur… Roland Hedberg