Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Brian Campbell <bcampbell@pingidentity.com> Mon, 03 December 2018 18:41 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 03 Dec 2018 11:41:08 -0700
Message-ID: <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, fett@danielfett.de, vittorio.bertocci=40auth0.com@dmarc.ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XQ-DZBf80ukQRV5iZ7bxxc3QH7U>

FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are saying
here. And that was kind of behind the comment I made, or tried to make,
about this in Bangkok, which was (more or less) that I don't think the WG
should be killing implicit outright but rather that it should begin to
recommend against it.

I'm not exactly sure what that looks like in this document but maybe toning
down some of the scarier language a bit, favoring SHOULDs vs. MUSTs, and
including language that helps a reader understand the recommendations as
being more considerations for new applications/deployments than as a
mandate to rip up existing ones.



On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com> wrote:

>
> We just need to be sensitive to the spin on this.
>
