Re: [OAUTH-WG] Call for adoption: OAuth Security Topics
Justin Richer <jricher@mit.edu> Mon, 06 February 2017 15:27 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 339CB129E7B for <oauth@ietfa.amsl.com>; Mon, 6 Feb 2017 07:27:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-xeDVSXqwsK for <oauth@ietfa.amsl.com>; Mon, 6 Feb 2017 07:27:37 -0800 (PST)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02C2129E76 for <oauth@ietf.org>; Mon, 6 Feb 2017 07:27:36 -0800 (PST)
X-AuditID: 1209190e-1fbff70000001def-79-589895e6a410
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 99.E9.07663.6E598985; Mon, 6 Feb 2017 10:27:34 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v16FRXhM021357; Mon, 6 Feb 2017 10:27:34 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v16FRWDW018932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 6 Feb 2017 10:27:33 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <DEC6CD48-4EDB-46C5-917D-712BC826A8F4@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0BCDBF14-0F76-48B5-A8AA-8D10BA09BE12"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 06 Feb 2017 10:27:31 -0500
In-Reply-To: <0a8ab2ad-9f14-6915-464f-119a724422c7@free.fr>
To: Denis <denis.ietf@free.fr>
References: <ae7d8912-2a13-4d19-62b4-0b1d1106a555@gmx.net> <541A5105-B963-4FA4-94E4-D794A73B3358@ve7jtb.com> <CAB3ntOupmVPnW4D2QXfJ1rjbMnF-8T9hvcy5cC6EaTDawyuA_A@mail.gmail.com> <CAAP42hC-eM2twsZySvrw26-nL88QBpAU_3MLsztp7JFT=daC0Q@mail.gmail.com> <14c5b7d3-9faa-0e2f-1411-689ab13d4fad@manicode.com> <CABzCy2AxvPnj9tj9y=bGyu2vB1SaBn6UXVWwV+ckvf-SLHkPOA@mail.gmail.com> <0a8ab2ad-9f14-6915-464f-119a724422c7@free.fr>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprAKsWRmVeSWpSXmKPExsUixG6novts6owIg45nRhbru+wsTr59xebA 5NG/7jOrx5IlP5kCmKK4bFJSczLLUov07RK4Mo6vnsZS8GMLY8WiXb9YGxhfL2DsYuTkkBAw kbh65At7FyMXh5BAG5PEgXcHoZwNjBJ/N61ghXAeMEkcnPuaDaSFTUBVYvqaFiYQm1fASmL9 j/1ANgcHs0CSxJFHyRBhfYnZZy6xgNjCAg4S826eZAexWQRUJF4vWQG2mVPAWmLTiQ52iFZ1 ifaTLiBhEQE5iVX3rjFDrF3FLNF7ai0rxKWyEm9/LWGewMg/C2HbLCTbQGxmAW2JZQtfM0PY mhL7u5djEdeQ6Pw2kXUBI9sqRtmU3Crd3MTMnOLUZN3i5MS8vNQiXWO93MwSvdSU0k2MoMDm lOTbwTipwfsQowAHoxIPb0bHjAgh1sSy4srcQ4ySHExKoryGHlMjhPiS8lMqMxKLM+KLSnNS iw8xSnAwK4nwLpwEVM6bklhZlVqUD5OS5mBREucV12iMEBJITyxJzU5NLUgtgsnKcHAoSfA6 AyNYSLAoNT21Ii0zpwQhzcTBCTKcB2j4kSkgw4sLEnOLM9Mh8qcYdTmmTL34kkmIJS8/L1VK nPf/ZKAiAZCijNI8uDmghJTw9rDpK0ZxoLeEeTeCjOIBJjO4Sa+AljABLdl2ZRrIkpJEhJRU A6Pzl7JJq7OimF9aVH+9f3nW/YP+B7J/vTtkvk/tsq9dKe+vPZ1burbX3TaILtv1mLE8K+KQ v8DhuO4drhV17lb2bNrdi/8q79v80isnYcP2B/v03y+ZMpH/3PX45Zfdo66E+39hN1p+78hP dRXLlC1SH3sZ1z49W7TgnORH/juvpAv/erz9tFRZiaU4I9FQi7moOBEACIWxVyMDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W6rkNQPiZD8TbMaTRtWUZKRB5S4>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth Security Topics
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 15:27:39 -0000
OpenID Connect is the intellectual property of the OpenID Foundation and it is discussed there. — Justin > On Feb 6, 2017, at 7:30 AM, Denis <denis.ietf@free.fr> wrote: > > > The scope of this draft is unclear. The title states: "OAuth Security Topics". > I have some questions: > Does this document intend to cover only the OAuth 2.0 delegation protocol (since Justin said that OAuth 2.0 is a delegation protocol) > or OpenId Connect as well which is not limited to a delegation protocol ? > Should we discuss OpenID Connect issues and/or solutions in an IETF RFC ? > If this document is going to be progressed, the threats should be clearly separated whether they relate to a delegation model or to > a client-server access control model. This is not currently the case. > If this document is going to be progressed, the ABC attack (in the context of an access control model) should be mentioned even if there exits > no way to counter it given the current implicit assumptions made in OAuth 2.0, in particular the use of software only implementations. > > Denis > >> A belated +1 >> >> >> On Sat, Feb 4, 2017, 9:08 AM Jim Manico <jim@manicode.com <mailto:jim@manicode.com>> wrote: >> I'm just some random idiot am an not in this working group but the work from https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 <https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00> is one of the most up to date and useful OAuth security resources every published. I am thrilled to see more work put into it. >> >> Aloha, Jim >> >> >> On 2/3/17 1:57 PM, William Denniss wrote: >>> I support the adoption of this document as a working group item. >>> >>> On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <jim@willeke.com <mailto:jim@willeke.com>> wrote: >>> +! >>> I agree this is needed. >>> >>> -- >>> -jim >>> Jim Willeke >>> >>> On Thu, Feb 2, 2017 at 4:33 PM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote: >>> I am in favour of adoption. >>> > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >>> > >>> > Hi all, >>> > >>> > this is the call for adoption of the 'OAuth Security Topics' document >>> > following the positive call for adoption at the last IETF >>> > meeting in Seoul. >>> > >>> > Here is the document: >>> > https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 <https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00> >>> > >>> > The intention with this document is to have a place to collect >>> > discussions and conclusions around OAuth 2.0 security and to reference >>> > the actual solution specifications. >>> > >>> > Please let us know by Feb 16th whether you accept / object to the >>> > adoption of this document as a starting point for work in the OAuth >>> > working group. >>> > >>> > Ciao >>> > Hannes & Derek >>> > >>> > _______________________________________________ >>> > OAuth mailing list >>> > OAuth@ietf.org <mailto:OAuth@ietf.org> >>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> >> -- >> Jim Manico >> Manicode Security >> https://www.manicode.com <https://www.manicode.com/>_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> -- >> Nat Sakimura >> >> Chairman of the Board, OpenID Foundation >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
- [OAUTH-WG] Call for adoption: OAuth Security Topi… Hannes Tschofenig
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Anthony Nadalin
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Phil Hunt
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Mike Jones
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Justin Richer
- Re: [OAUTH-WG] Call for adoption: OAuth Security … George Fletcher
- Re: [OAUTH-WG] Call for adoption: OAuth Security … John Bradley
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Brian Campbell
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Jim Willeke
- Re: [OAUTH-WG] Call for adoption: OAuth Security … William Denniss
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Jim Manico
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Nat Sakimura
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Denis
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Justin Richer
- Re: [OAUTH-WG] Call for adoption: OAuth Security … Hannes Tschofenig