Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Thu, 21 January 2016 01:26 UTC

From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
In-Reply-To: <CA+k3eCRj9xc-jb_kAub0ZodvVCo1NckHq-wq+xPof+9k4gBw3Q@mail.gmail.com>
Date: Wed, 20 Jan 2016 17:26:00 -0800
Message-Id: <A5BAEAE0-A2C8-49A9-A7BE-CB89CDDC2600@oracle.com>
References: <569E22E1.5010402@gmx.net> <CA+k3eCRj9xc-jb_kAub0ZodvVCo1NckHq-wq+xPof+9k4gBw3Q@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/YaYZBRz5JqrYu6dEmrOZWgKO_7c>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

+1 for adoption

+1 for Brian's comments

Phil

> On Jan 20, 2016, at 14:42, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> I conditionally accept this document as a starting point for work in the OAuth working group on the assumption that the considerable simplifications discussed and accepted at http://www.ietf.org/mail-archive/web/oauth/current/msg15351.html will be incorporated.
> 
> This document is (should be) intended to provide a mitigation to a security problem. As such, it would be nice to see it progress a little faster than the typical WG document. The more quickly the document can progress and/or be perceived as stable, the better.
> 
>> On Tue, Jan 19, 2016 at 4:49 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> Hi all,
>> 
>> this is the call for adoption of OAuth 2.0 Mix-Up Mitigation, see
>> https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00
>> 
>> Please let us know by Feb 9th whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>> 
>> Note: This call is related to the announcement made on the list earlier
>> this month, see
>> http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html. More
>> time for analysis is provided due to the complexity of the topic.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth