Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

Justin Richer <jricher@mit.edu> Mon, 06 February 2017 15:27 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <DEC6CD48-4EDB-46C5-917D-712BC826A8F4@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0BCDBF14-0F76-48B5-A8AA-8D10BA09BE12"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 6 Feb 2017 10:27:31 -0500
In-Reply-To: <0a8ab2ad-9f14-6915-464f-119a724422c7@free.fr>
To: Denis <denis.ietf@free.fr>
References: <ae7d8912-2a13-4d19-62b4-0b1d1106a555@gmx.net> <541A5105-B963-4FA4-94E4-D794A73B3358@ve7jtb.com> <CAB3ntOupmVPnW4D2QXfJ1rjbMnF-8T9hvcy5cC6EaTDawyuA_A@mail.gmail.com> <CAAP42hC-eM2twsZySvrw26-nL88QBpAU_3MLsztp7JFT=daC0Q@mail.gmail.com> <14c5b7d3-9faa-0e2f-1411-689ab13d4fad@manicode.com> <CABzCy2AxvPnj9tj9y=bGyu2vB1SaBn6UXVWwV+ckvf-SLHkPOA@mail.gmail.com> <0a8ab2ad-9f14-6915-464f-119a724422c7@free.fr>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W6rkNQPiZD8TbMaTRtWUZKRB5S4>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

OpenID Connect is the intellectual property of the OpenID Foundation and it is discussed there.

 — Justin

> On Feb 6, 2017, at 7:30 AM, Denis <denis.ietf@free.fr> wrote:
> 
> 
> The scope of this draft is unclear. The title states: "OAuth Security Topics".
> I have some questions:
> Does this document intend to cover only the OAuth 2.0 delegation protocol (since Justin said that OAuth 2.0 is a delegation protocol)
> or OpenID Connect as well, which is not limited to a delegation protocol?
> Should we discuss OpenID Connect issues and/or solutions in an IETF RFC ?
> If this document is going to be progressed, the threats should be clearly separated whether they relate to a delegation model or to 
> a client-server access control model. This is not currently the case.
> If this document is going to be progressed, the ABC attack (in the context of an access control model) should be mentioned even if there exists
> no way to counter it given the current implicit assumptions made in OAuth 2.0, in particular the use of software-only implementations.
> 
> Denis
> 
>> A belated +1
>> 
>> 
>> On Sat, Feb 4, 2017, 9:08 AM Jim Manico <jim@manicode.com> wrote:
>> I'm just some random idiot and am not in this working group, but the work from https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 is one of the most up to date and useful OAuth security resources ever published. I am thrilled to see more work put into it.
>> 
>> Aloha, Jim
>> 
>> 
>> On 2/3/17 1:57 PM, William Denniss wrote:
>>> I support the adoption of this document as a working group item.
>>> 
>>> On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <jim@willeke.com> wrote:
>>> +1
>>> I agree this is needed.
>>> 
>>> --
>>> -jim
>>> Jim Willeke
>>> 
>>> On Thu, Feb 2, 2017 at 4:33 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> I am in favour of adoption.
>>> > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > this is the call for adoption of the 'OAuth Security Topics' document
>>> > following the positive call for adoption at the last IETF
>>> > meeting in Seoul.
>>> >
>>> > Here is the document:
>>> > https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>>> >
>>> > The intention with this document is to have a place to collect
>>> > discussions and conclusions around OAuth 2.0 security and to reference
>>> > the actual solution specifications.
>>> >
>>> > Please let us know by Feb 16th whether you accept / object to the
>>> > adoption of this document as a starting point for work in the OAuth
>>> > working group.
>>> >
>>> > Ciao
>>> > Hannes & Derek
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>> 
>> -- 
>> Jim Manico
>> Manicode Security
>> https://www.manicode.com
>> -- 
>> Nat Sakimura
>> 
>> Chairman of the Board, OpenID Foundation
>> 
>> 
>> 
> 