Re: [OAUTH-WG] [oauth] #23: Auth Code Swap Attack (CSRF)

"oauth issue tracker" <trac+oauth@trac.tools.ietf.org> Wed, 24 August 2011 15:36 UTC

Return-Path: <trac+oauth@trac.tools.ietf.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EFB21F8B91 for <oauth@ietfa.amsl.com>; Wed, 24 Aug 2011 08:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a8uv-Vs6fTVh for <oauth@ietfa.amsl.com>; Wed, 24 Aug 2011 08:36:46 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (unknown [IPv6:2001:1890:123a::1:2a]) by ietfa.amsl.com (Postfix) with ESMTP id 2E31721F8B85 for <oauth@ietf.org>; Wed, 24 Aug 2011 08:36:46 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+oauth@trac.tools.ietf.org>) id 1QwFWd-00076q-Qq; Wed, 24 Aug 2011 08:37:55 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: oauth issue tracker <trac+oauth@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: barryleiba@computer.org
X-Trac-Project: oauth
Date: Wed, 24 Aug 2011 15:37:55 -0000
X-URL: http://tools.ietf.org/oauth/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/oauth/trac/ticket/23#comment:1
Message-ID: <072.4a441e5c1fff65845e98e929d32066cc@trac.tools.ietf.org>
References: <063.7f8c809279a65936aee8fa160f5f16a8@trac.tools.ietf.org>
X-Trac-Ticket-ID: 23
In-Reply-To: <063.7f8c809279a65936aee8fa160f5f16a8@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: barryleiba@computer.org, oauth@ietf.org
X-SA-Exim-Mail-From: trac+oauth@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] [oauth] #23: Auth Code Swap Attack (CSRF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 15:36:46 -0000

#23: Auth Code Swap Attack (CSRF)

Changes (by barryleiba@…):

  * status:  new => closed
  * resolution:  => fixed


Comment:

 Consensus is to make CSRF prevention a MUST and to recommend the state
 parameter as an implementation mechanism.  Text will go into version -21.

-- 
-------------------------------------+--------------------------------------
 Reporter:  barryleiba@…             |        Owner:                        
     Type:  defect                   |       Status:  closed                
 Priority:  major                    |    Milestone:  Deliver OAuth 2.0 spec
Component:  v2                       |      Version:                        
 Severity:  In WG Last Call          |   Resolution:  fixed                 
 Keywords:                           |  
-------------------------------------+--------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/oauth/trac/ticket/23#comment:1>
oauth <http://tools.ietf.org/oauth/>