[OAUTH-WG] Security BCP Review

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Mon, 14 February 2022 21:26 UTC

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Mon, 14 Feb 2022 16:26:07 -0500
Message-ID: <CADNypP-4tzcRxj6MUjQ_XPASXyvKt8nKOXUaqG2j87rt2VS03A@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j-_0ittS96qFvIvcweqodGDldFk>

As part of the preparation for the shepherd write-up, I reviewed the
document and have the following comments:

https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-19.html


General comment

The document refers to a number of drafts that are not active anymore,
e.g., token binding, pop key distribution, signing http requests, etc.

What is the reason behind including these in this document?


Section 4.5.4

I am not clear on how the attacker can do that. Let’s take the
code_challenge example. Wouldn’t the AS be able to detect this attack
because it gets the *code verifier* associated with the *original code
challenge* from the Client?


Nits

Section 2.1, 3rd paragraph, 3rd sentence: “MAY rely the” to “, MAY rely on
the”

Section 2.3, second paragraph: replace ietf-oauth-resource-indicators with
RFC8707

Section 4.1.3, last paragraph: replace the jwsreq and PAR draft references
with RFC9101 and RFC9126 respectively.

Who might want to sweep through the document and update the various
references, as there seem to be too many old references?


Regards,

Rifaat
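The AS-side check the Section 4.5.4 question refers to, as an added illustration that is not part of the message above or of the BCP draft: the authorization server binds each issued code to the code_challenge it arrived with and, at the token endpoint, accepts only a code_verifier whose S256 transform matches that stored challenge, so a code from a different flow cannot be redeemed with the client's own verifier. The code store, function names and the second flow's verifier are constructed for this example; the honest verifier/challenge pair is the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the AS's authorization-code store:
# code -> (client_id, code_challenge, method). A real AS also records
# redirect_uri, scope and an expiry alongside the challenge.
_codes: dict[str, tuple[str, str, str]] = {}


def s256(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 §4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the new code to the challenge it was issued with."""
    if method != "S256":
        raise ValueError("only S256 is accepted")
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, code_challenge, method)
    return code


def redeem_code(client_id: str, code: str, code_verifier: str) -> bool:
    """Token endpoint: the verifier must match the challenge stored with *this* code."""
    entry = _codes.pop(code, None)  # single use: any outcome burns the code
    if entry is None:
        return False
    bound_client, challenge, _ = entry
    if bound_client != client_id:
        return False
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 §4.1 length bounds
        return False
    return hmac.compare_digest(s256(code_verifier), challenge)


def demo() -> tuple[bool, bool, bool]:
    """Returns (honest redemption, foreign code with own verifier, replay of used code)."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # RFC 7636 Appendix B
    code = issue_code("client-a", s256(verifier))
    honest = redeem_code("client-a", code, verifier)
    # A code issued in another flow carries that flow's challenge, so the
    # client's own verifier cannot satisfy it: the AS rejects the token request.
    other = issue_code("client-a", s256("constructed-verifier-for-a-different-flow-xx"))
    foreign = redeem_code("client-a", other, verifier)
    replay = redeem_code("client-a", code, verifier)  # already consumed above
    return honest, foreign, replay
```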