[OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt
Nat Sakimura <sakimura@gmail.com> Tue, 30 July 2013 09:59 UTC
To: oauth <oauth@ietf.org>
As some of you know, passing the authorization code securely to a native app on the iOS platform is next to impossible. A malicious application may register the same custom scheme as the victim application and hope to obtain the code, whose success rate is rather high.

We discussed it during the OpenID Connect Meeting at IETF 87 on Sunday, and over a lengthy thread on the OpenID AB/Connect work group list. I have captured the discussion in the form of an I-D. It is pretty short and hopefully easy to read.

IMHO, although it came up as an issue in OpenID Connect, this is a quite useful extension to OAuth 2.0 in general.

Best,

Nat Sakimura

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: 2013/7/30
Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>

A new version of I-D, draft-sakimura-oauth-tcse-00.txt has been successfully submitted by Nat Sakimura and posted to the IETF repository.

Filename: draft-sakimura-oauth-tcse
Revision: 00
Title: OAuth Transient Client Secret Extension for Public Clients
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 7
URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00

Abstract: The OAuth 2.0 public client utilizing code flow is susceptible to the code interception attack. This specification describes a mechanism that acts as a control against this threat.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en