[OAUTH-WG] Preventing use of a constant PKCE challenge value
Michael Jones <michael_b_jones@hotmail.com> Mon, 18 December 2023 23:24 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cV2iMfqICazl-lsZYQ_fa2nYWKI>
Hi all,

I filed https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/86 as a result of discussions at IETF in Prague, but it seems to have stalled. What text are we going to add to draft-ietf-oauth-security-topics to prevent use of a constant PKCE challenge value, if not that proposed in the PR? We should address this before publication.

Best wishes,
-- Mike