Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-09.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 09 November 2018 09:42 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <399248B5-A485-456E-B57C-FCD91FE77AC2@lodderstedt.net>
Date: Fri, 09 Nov 2018 10:42:19 +0100
In-Reply-To: <154175237636.14370.2795740097592534192@ietfa.amsl.com>
Cc: i-d-announce@ietf.org
To: oauth <oauth@ietf.org>
References: <154175237636.14370.2795740097592534192@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Xkjjy36vz1Oa9mVI9ZoJfKgwwDQ>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-09.txt
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

Hi all,

The new revision incorporates the recommendation to use more secure grant types instead of implicit, which we agreed to add during the WG session on Monday. It also has more text around the justifications for our recommendation. In particular, there is a new section 3.6 on access token injection.

I also posted about this topic on LinkedIn (https://www.linkedin.com/pulse/why-you-should-stop-using-oauth-implicit-grant-torsten-lodderstedt/) and Medium (https://medium.com/@torsten_lodderstedt/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926).

Kind regards,
Torsten.

> Am 09.11.2018 um 09:32 schrieb internet-drafts@ietf.org:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
> 
>        Title           : OAuth 2.0 Security Best Current Practice
>        Authors         : Torsten Lodderstedt
>                          John Bradley
>                          Andrey Labunets
>                          Daniel Fett
>        Filename        : draft-ietf-oauth-security-topics-09.txt
>        Pages           : 35
>        Date            : 2018-11-09
> 
> Abstract:
>   This document describes best current security practice for OAuth 2.0.
>   It updates and extends the OAuth 2.0 Security Threat Model to
>   incorporate practical experiences gathered since OAuth 2.0 was
>   published and covers new threats relevant due to the broader
>   application of OAuth 2.0.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-09
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-09
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
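The two points Torsten raises, the recommendation to move away from the implicit grant and the new section on access token injection, can be shown side by side in a toy model. The following is an added example, not code from the draft, the working group or the author: a small in-memory authorization server issues tokens via the implicit grant and via the authorization code grant with PKCE (RFC 7636), and an attacker who holds a leaked token or code from a victim's session injects it into the legitimate client on a device he controls. The client id, redirect URI, the opaque token and code formats and the single-client registry are all assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

CLIENT_ID = "client-a"                        # hypothetical registered client
REDIRECT_URI = "https://client-a.example/cb"  # hypothetical redirect URI


def s256(code_verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """In-memory AS offering the implicit grant and the code grant with PKCE (example only)."""

    def __init__(self):
        self.clients = {CLIENT_ID: REDIRECT_URI}
        self.tokens = {}  # access token -> (client_id, subject) it was issued for
        self.codes = {}   # authorization code -> what the code is bound to

    def _issue(self, client_id, subject):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (client_id, subject)
        return tok

    def authorize_implicit(self, client_id, redirect_uri, subject):
        assert self.clients[client_id] == redirect_uri
        # Front channel: the access token itself is delivered in the URL fragment.
        return f"{redirect_uri}#access_token={self._issue(client_id, subject)}&token_type=Bearer"

    def authorize_code(self, client_id, redirect_uri, code_challenge, state, subject):
        assert self.clients[client_id] == redirect_uri
        code = secrets.token_urlsafe(16)
        # The code is bound to the client, the redirect URI and the PKCE challenge of this request.
        self.codes[code] = (client_id, redirect_uri, code_challenge, subject)
        return f"{redirect_uri}?code={code}&state={state}"

    def token_endpoint(self, client_id, redirect_uri, code, code_verifier):
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return None
        if s256(code_verifier) != entry[2]:
            return None  # verifier does not match: the code was requested by another session
        return self._issue(client_id, entry[3])

    def introspect(self, token):
        return self.tokens.get(token)


class ImplicitClient:
    def handle_redirect(self, url):
        # Nothing links the token in the fragment to a request this client actually made.
        return parse_qs(urlsplit(url).fragment)["access_token"][0]


class CodeClient:
    def __init__(self, as_):
        self.as_ = as_
        self.sessions = {}  # state -> code_verifier, one pair per browser session

    def start(self):
        verifier = secrets.token_urlsafe(32)  # 43 chars, within the RFC 7636 bounds
        state = secrets.token_urlsafe(8)
        self.sessions[state] = verifier
        return state, s256(verifier)

    def handle_redirect(self, url, browser_state):
        q = parse_qs(urlsplit(url).query)
        state = q.get("state", [None])[0]
        if state != browser_state or state not in self.sessions:
            return None  # response does not belong to this browser session
        return self.as_.token_endpoint(CLIENT_ID, REDIRECT_URI, q["code"][0], self.sessions.pop(state))


def implicit_injection(as_):
    """Attacker injects the victim's leaked token into the legitimate client on his own device."""
    victim_redirect = as_.authorize_implicit(CLIENT_ID, REDIRECT_URI, "victim")
    leaked = parse_qs(urlsplit(victim_redirect).fragment)["access_token"][0]  # assume it leaked
    injected = f"{REDIRECT_URI}#access_token={leaked}&token_type=Bearer"
    # Returns ("client-a", "victim"): the client now acts on the victim's resources, and even
    # introspection looks clean, because the token really was issued to this client.
    return as_.introspect(ImplicitClient().handle_redirect(injected))


def code_injection(as_):
    """Same attacker, code grant with PKCE: the AS rejects the injected code (returns None)."""
    client = CodeClient(as_)
    v_state, v_challenge = client.start()
    victim_redirect = as_.authorize_code(CLIENT_ID, REDIRECT_URI, v_challenge, v_state, "victim")
    leaked_code = parse_qs(urlsplit(victim_redirect).query)["code"][0]  # assume it leaked
    a_state, _ = client.start()  # attacker's own session holds a different verifier
    return client.handle_redirect(f"{REDIRECT_URI}?code={leaked_code}&state={a_state}", a_state)


def legitimate_code_flow(as_):
    """Control: an untampered code flow completes and yields a token for the right user."""
    client = CodeClient(as_)
    state, challenge = client.start()
    redirect = as_.authorize_code(CLIENT_ID, REDIRECT_URI, challenge, state, "alice")
    return as_.introspect(client.handle_redirect(redirect, state))  # ("client-a", "alice")
```

The point the model makes is that checking the token's client_id (for instance via introspection) would not have helped the implicit client: the leaked token was legitimately issued to client-a, just for a different user. What the code grant with PKCE adds is a binding between the authorization response and the specific browser session that started the request, enforced by the authorization server when the code is redeemed over the back channel, so a code lifted from another session is useless to the attacker.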