[OAUTH-WG] postmessage communication in -security-topics-13

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 December 2019 23:27 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Dec 2019 16:27:08 -0700
Message-ID: <CA+k3eCTVJeTYHWp5uOd7QFB9-f_7WqotewfULAYFLtE3WuhcGg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kCf5KyJW-4YwGjg0CAWHkYfw2cU>
Subject: [OAUTH-WG] postmessage communication in -security-topics-13

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.3.2
has "Replace implicit flow with postmessage communication or ..." but
without a defined and interoperable way of using postmessage communication
in place of the implicit flow that "proposed countermeasure" seems a
problematic suggestion.

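Added example, not from the draft or from this post: a client-side receiver for an authorization response delivered via postMessage, showing the origin, source-window and state checks that any "defined and interoperable" use of postMessage in place of the implicit flow would have to pin down. The authorization server origin, parameter names and sample values are assumptions made for illustration.

```javascript
// Added example (not from the draft or the mailing-list post): the checks a
// client needs before trusting an authorization response delivered by postMessage.

// Pure function so it runs outside a browser; `event` mimics the MessageEvent
// fields that matter: origin, source (sending window) and data.
function acceptAuthorizationResponse(event, opts) {
  const { expectedOrigin, expectedSource, expectedState } = opts;
  // 1. Only the authorization server's exact origin may deliver a response.
  if (event.origin !== expectedOrigin) {
    return { ok: false, reason: 'origin mismatch' };
  }
  // 2. The sender must be the window this client itself opened.
  if (expectedSource !== undefined && event.source !== expectedSource) {
    return { ok: false, reason: 'unexpected source window' };
  }
  // 3. Payload shape: a plain object carrying a string state.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.state !== 'string') {
    return { ok: false, reason: 'malformed payload' };
  }
  // 4. Bind the response to the request this client started.
  if (data.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  // 5. Accept only an authorization code; delivering a token this way would
  //    just recreate the implicit flow over a different channel.
  if (typeof data.code !== 'string' || data.code.length === 0) {
    return { ok: false, reason: 'missing authorization code' };
  }
  return { ok: true, code: data.code };
}

// Browser wiring (skipped under Node); assumed AS origin and popup handle.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const r = acceptAuthorizationResponse(ev, { expectedOrigin: 'https://as.example',
      expectedSource: window.authPopup, expectedState: sessionStorage.getItem('oauth_state') });
    if (r.ok) console.log('code to exchange at the token endpoint:', r.code);
  });
}

// Constructed sample events (not captured traffic).
const popup = { name: 'auth-popup' };
const sampleOk = { origin: 'https://as.example', source: popup,
  data: { code: 'c-9f2a', state: 's-7f3b' } };
const sampleForeign = { origin: 'https://other.example', source: popup,
  data: { code: 'c-9f2a', state: 's-7f3b' } };
```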