Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt

"Morteza Ansari (moransar)" <moransar@cisco.com> Tue, 30 July 2013 12:06 UTC

From: "Morteza Ansari (moransar)" <moransar@cisco.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt
Thread-Index: AQHOjR0szKw5Xncs6kOvJy5Xlryqlg==
Date: Tue, 30 Jul 2013 12:06:08 +0000
Message-ID: <CA3B67220D628A4780D6FEB31F18A3E32AB6F0AE@xmb-rcd-x08.cisco.com>
In-Reply-To: <CABzCy2CC3Oi2J7GZJVBa07=xtjMXvy9ah_h_ZwwZQXDd4qtSzw@mail.gmail.com>

This solves a real and common problem with public client implementations. I certainly would like to see it move forward. Thanks for publishing it, Nat.

Cheers,
Morteza

From: Nat Sakimura <sakimura@gmail.com>
Date: Tuesday, July 30, 2013 11:58 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt

As some of you know, passing the authorization code securely to a native app on the iOS platform is next to impossible. A malicious application may register the same custom scheme as the victim application and hope to obtain the code, a tactic whose success rate is rather high.

We discussed it during the OpenID Connect meeting at IETF 87 on Sunday, and over a lengthy thread on the OpenID AB/Connect work group list. I have captured the discussion in the form of an I-D. It is pretty short and hopefully easy to read.

IMHO, although it came up as an issue in OpenID Connect, this is quite a useful extension to OAuth 2.0 in general.

Best,

Nat Sakimura

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: 2013/7/30
Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>

A new version of I-D, draft-sakimura-oauth-tcse-00.txt
has been successfully submitted by Nat Sakimura and posted to the
IETF repository.

Filename:        draft-sakimura-oauth-tcse
Revision:        00
Title:           OAuth Transient Client Secret Extension for Public Clients
Creation date:   2013-07-29
Group:           Individual Submission
Number of pages: 7
URL:             http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
Status:          http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
Htmlized:        http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00


Abstract:
   The OAuth 2.0 public client utilizing code flow is susceptible to the
   code interception attack.  This specification describes a mechanism
   that acts as a control against this threat.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
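As an added illustration, not part of this thread or of the draft's own text, here is a Python model of the threat Nat describes and of the kind of control the draft's title names: the honest app and a hijacking app that registered the same custom scheme both receive the authorization code, but the token endpoint releases a token only to the party that can reveal the per-request secret committed to at authorization time. The parameter names, the SHA-256 commitment and the single-use handling are assumptions made for this example; the draft's actual parameters are not on this page.

```python
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64encode

# Added example, not the draft's text: parameter names and the SHA-256
# commitment are assumptions; the control is a per-request client secret.

def make_verifier() -> str:
    """Client side: fresh high-entropy secret for one authorization request."""
    return secrets.token_urlsafe(32)

def make_challenge(verifier: str) -> str:
    """Client side: commitment sent via the front channel instead of the secret."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, challenge: str) -> str:
        """Front channel: issue a code bound to the client's commitment."""
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, challenge)
        return code

    def token(self, client_id: str, code: str, verifier: str):
        """Back channel: the code is single use, so any attempt consumes it."""
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(make_challenge(verifier), entry[1]):
            return None
        return "access-token-for-" + client_id

def scenario(attacker_first: bool) -> dict:
    """Honest and hijacking apps share the custom scheme, so both see the code."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize("native-app", make_challenge(verifier))
    # The interceptor has the code and the public client_id, but not the secret.
    attempts = {
        "attacker": lambda: server.token("native-app", code, make_verifier()),
        "honest": lambda: server.token("native-app", code, verifier),
    }
    order = ("attacker", "honest") if attacker_first else ("honest", "attacker")
    return {who: attempts[who]() for who in order}
```

When the interceptor redeems first, its attempt consumes the code, so the honest app must restart the flow but the attacker still obtains nothing; that is the trade-off of treating any redemption attempt as the code's single use.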