Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-iss-auth-resp-02

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Mon, 15 November 2021 15:00 UTC

Message-ID: <31c1d296-b53a-4480-9ea4-2293e8b31410@hackmanit.de>
Date: Mon, 15 Nov 2021 15:59:59 +0100
To: Yoav Nir <ynir.ietf@gmail.com>, secdir@ietf.org
Cc: draft-ietf-oauth-iss-auth-resp.all@ietf.org, last-call@ietf.org, oauth@ietf.org
References: <163623641036.23265.3678140155645804989@ietfa.amsl.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
In-Reply-To: <163623641036.23265.3678140155645804989@ietfa.amsl.com>

Hi Yoav,

thank you for your suggestion. We think it's a valid point and followed
it in a local branch.

Best regards,
Karsten

On 06.11.2021 23:06, Yoav Nir via Datatracker wrote:
> Reviewer: Yoav Nir
> Review result: Ready
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> The draft is clear and well-written. The Security Considerations section
> specifically is comprehensive and clear.
>
> My one suggestion would be to move the first paragraph in the Security
> Considerations section to the Introduction. It is about the attack and about
> the protocol in the document being effective against the attack. It's not
> really a consideration in the way that the rest of the section is.
>
>
-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de  | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Commercial register: Amtsgericht Bochum, HRB 14896
Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz