Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Security: OAuth Open Redirector

Phil Hunt <phil.hunt@oracle.com> Mon, 25 January 2016 18:42 UTC

From: Phil Hunt <phil.hunt@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 25 Jan 2016 10:41:46 -0800
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Security: OAuth Open Redirector
Message-Id: <558BEED7-2716-4B63-9F0C-5E740D6839C8@oracle.com>
In-Reply-To: <CABzCy2AZ3ZNhgNxD8pZysvd6zHVhSte7m2+=HjPRxsO4WQW5dA@mail.gmail.com>
References: <569E2260.4080904@gmx.net> <CAAP42hCmVB0QzAqFaFa68j1FbjSgZ-xSWw+CHT+fa_EsL2W22w@mail.gmail.com> <B1D935B9-0716-4F68-8C6A-9538CEF021F3@ve7jtb.com> <CABzCy2AZ3ZNhgNxD8pZysvd6zHVhSte7m2+=HjPRxsO4WQW5dA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/m2EDVKdcWNvkwXu82WVzhbQdEK8>

+1.  I agree with Nat’s comment re the title.

Also, I would like to have a discussion in the WG around organization of the docs. What can we amend as errata (to give some of this stuff more prominence), and what new docs should we have?  With PKCE, mix-up, and this, we may end up causing more confusion, or at the very least having multiple “point” issue specs.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Jan 21, 2016, at 6:28 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> +1 apart from the title... It sounds like the spec is implementing OAuth Open Redirector... 
> Something like "preventing OAuth open redirector" or so might be more descriptive. 
> 
> Nat
> 
> On Thu, Jan 21, 2016 at 23:08 John Bradley <ve7jtb@ve7jtb.com> wrote:
> +1 for adoption
> 
>> On Jan 21, 2016, at 3:18 AM, William Denniss <wdenniss@google.com> wrote:
>> 
>> +1 for adoption.
>> 
>> On Tue, Jan 19, 2016 at 7:47 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> Hi all,
>> 
>> this is the call for adoption of OAuth 2.0 Security: OAuth Open
>> Redirector, see
>> https://tools.ietf.org/html/draft-bradley-oauth-open-redirector-02
>> 
>> Please let us know by Feb 2nd whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>> 
>> Note: At the IETF Yokohama we asked for generic feedback about doing
>> security work in the OAuth working group and there was very positive
>> feedback. However, for the adoption call we need to ask for individual
>> documents. Hence, you need to state your view again.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth