[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-security-topics-23.txt
Daniel Fett <mail@danielfett.de> Tue, 06 June 2023 06:46 UTC
Message-ID: <8271bbc9-b571-7f21-fddc-3a4e694a6bc6@danielfett.de>
Date: Tue, 06 Jun 2023 08:46:21 +0200
MIME-Version: 1.0
References: <168603324657.34280.5588205604665416330@ietfa.amsl.com>
Content-Language: de-DE
From: Daniel Fett <mail@danielfett.de>
To: oauth@ietf.org, oauth-chairs@ietf.org
In-Reply-To: <168603324657.34280.5588205604665416330@ietfa.amsl.com>
X-Forwarded-Message-Id: <168603324657.34280.5588205604665416330@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cW6cPuNhSQ6tk4dJ9_u3OLOU8BU>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-security-topics-23.txt
Hi all,

For this new version of the Security BCP, we added what we understood was the minimal consensus from the discussion on the usage of CORS here on this mailing list (see https://mailarchive.ietf.org/arch/msg/oauth/7Uv00hN8StKczOtNmFA0KvteFTw/).

We further aligned Section 4.15.1 with OAuth 2.1 to account for cases where client_ids are created by clients themselves.

On the non-normative side of things, we also updated references (e.g., RAR), fixed some typos and mistakes, clarified things (e.g., to ensure that the precise redirect URIs check is unambiguous), and I updated my affiliation.

@Hannes, Rifaat: Please start the Shepherd's Writeup on this version.

-Daniel

-------- Forwarded Message --------
Subject: New Version Notification for draft-ietf-oauth-security-topics-23.txt
Date: Mon, 05 Jun 2023 23:34:06 -0700
From: internet-drafts@ietf.org
To: Andrey Labunets <isciurus@gmail.com>, Daniel Fett <mail@danielfett.de>, John Bradley <ve7jtb@ve7jtb.com>, Torsten Lodderstedt <torsten@lodderstedt.net>

A new version of I-D, draft-ietf-oauth-security-topics-23.txt has been successfully submitted by Torsten Lodderstedt and posted to the IETF repository.

Name: draft-ietf-oauth-security-topics
Revision: 23
Title: OAuth 2.0 Security Best Current Practice
Document date: 2023-06-05
Group: oauth
Pages: 62
URL: https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
Html: https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-23

Abstract:
This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.

The IETF Secretariat
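The mail above mentions that the "precise redirect URIs check" wording was clarified in this revision. The check the Security BCP calls for is an exact string comparison of the redirect_uri in the authorization request against the URIs registered for that client_id. The following is an added illustration, not code from the draft or from the mailing-list post: it places a weak prefix-based comparison next to the exact comparison so an implementer can see which request URIs each one admits. The client_id, the registered URIs and the candidate request URIs are constructed sample values.

```python
# Added example (not from the draft or the post): exact redirect_uri matching,
# as the Security BCP requires, contrasted with a prefix-based comparison that
# some authorization servers have historically used.

# Constructed sample: redirect URIs registered per client_id at the AS.
REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://app.example/cb"],
}


def redirect_uri_allowed_prefix(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any request URI that merely begins with a
    registered one. Shown only to illustrate why prefix matching is not
    the 'precise' check the BCP asks for."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(redirect_uri.startswith(r) for r in registered)


def redirect_uri_allowed_exact(client_id: str, redirect_uri: str) -> bool:
    """Precise check: the request URI must equal a registered URI byte for
    byte. No normalisation, no prefix, no wildcard."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return redirect_uri in registered


def evaluate(client_id: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {uri: (prefix_result, exact_result)} for each candidate URI,
    so the two policies can be compared side by side."""
    return {
        uri: (redirect_uri_allowed_prefix(client_id, uri),
              redirect_uri_allowed_exact(client_id, uri))
        for uri in candidates
    }


if __name__ == "__main__":
    # Constructed candidates: the registered URI itself plus variants that
    # share its prefix but are not the registered value.
    sample = [
        "https://app.example/cb",
        "https://app.example/cb?state=x",
        "https://app.example/cb/extra",
    ]
    for uri, (prefix_ok, exact_ok) in evaluate("client-a", sample).items():
        print(f"{uri:40s} prefix={prefix_ok!s:5s} exact={exact_ok}")
```

Only the registered value passes the exact check; the two prefix-sharing variants pass the weak check but are rejected by the precise one, which is the behaviour an AS conformant to the BCP must exhibit. The one documented relaxation is for native apps using loopback redirect URIs per RFC 8252, where the port may vary; that case is deliberately not modelled here.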