Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 November 2019 02:38 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <769719DC-33A3-4911-8322-9F1C9F235469@lodderstedt.net>
Date: Tue, 19 Nov 2019 10:38:31 +0800
In-Reply-To: <CA+iA6ui1TDn1LuQeOCXxh7gkt=CPwuQf5CCBqYUR0OZ2iOXwuQ@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
References: <CA+iA6ui1TDn1LuQeOCXxh7gkt=CPwuQf5CCBqYUR0OZ2iOXwuQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nnF6FXHz_uiPVXCBl1iDztMH2YE>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Hi Hans, 

> On 18. Nov 2019, at 04:11, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
> 
> Hi,
> 
> Please find my feedback from page 21 onwards below.
> 
> Hans.
> 
> Overall I would argue there's room for a very concise guidance section that says: do this, don't do that, without explanation, just as a reference for developers; the current text provides an in-depth analysis, but that is perhaps not suitable for developers who just want to know what to do (or not to do) and don't really care about the background/reasoning.

While section 4 gives the raw security threat analysis, we tried to summarise the actionable guidance in section 3. What do you miss there?

> 
> P21
> first bullet
> "the client has bound this data to this particular instance." -> particular instance of what?

This bullet refers to the note above. 

"Note: this check could also detect attempts to inject a code which had been obtained from another instance of the same client on another device, if certain conditions are fulfilled:"

> 
> 3rd paragraph:
> "call to the tokens endpoint." -> "call to the token endpoint."

Fixed 

> 
> last paragraph could forward point to the next section by adding something like
> "using one of the mechanisms described in the next section."

Incorporated 

> 
> P22
> 3rd paragraph:
> is the token binding guidance still accurate? it seems to be overestimating the adoption 

You mean this statement? 

"Token binding is promising as a secure and convenient mechanism (due to its browser integration). As a challenge, it requires broad browser support and use with native apps is still under discussion."

Thanks,
Torsten. 

> 
> -- 
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
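The check discussed in the thread above, where the client binds the state value and the PKCE code_verifier to this particular instance so that a code obtained from another instance of the same client on another device is detected, as an added worked example in Python. This is not code from the draft or from either mail; the class names, the in-memory authorization server stub, the client_id and the redirect URI are assumptions made for illustration. It goes slightly beyond the quoted note by also showing the case the client-side check alone cannot catch (the attacker swaps the victim's code into a transaction the attacker's own instance started) and why the PKCE check at the token endpoint is still needed there.

```python
# Added example: client-side detection of authorization code injection.
# Not code from the draft or the mail thread; names below are assumptions.
import base64
import hashlib
import secrets


class InjectionDetected(Exception):
    """Raised when a redirect carries data this client instance never issued."""


def s256(code_verifier: str) -> str:
    """PKCE S256 code_challenge: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ClientInstance:
    """One installed instance of a public client (one device, one browser profile).

    Pending transactions live only in this instance, so the state and the
    code_verifier it generated are bound to it and unknown to any other
    instance of the same client_id. That binding is what lets
    handle_redirect() detect a code obtained from another instance.
    """

    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending: dict[str, str] = {}  # state -> code_verifier

    def start_authorization(self) -> dict[str, str]:
        """Build the authorization request parameters and remember the transaction."""
        state = secrets.token_urlsafe(32)
        code_verifier = secrets.token_urlsafe(48)  # 64 chars, within the 43..128 range
        self._pending[state] = code_verifier
        return {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
            "code_challenge": s256(code_verifier),
            "code_challenge_method": "S256",
        }

    def handle_redirect(self, params: dict[str, str]) -> dict[str, str]:
        """Check the authorization response and build the token endpoint request.

        A code is accepted only if the state in the redirect matches a
        transaction this instance started; the state is consumed so it
        cannot be replayed a second time.
        """
        code_verifier = self._pending.pop(params.get("state", ""), None)
        if code_verifier is None:
            raise InjectionDetected("redirect does not match a request issued by this instance")
        if "error" in params:
            raise RuntimeError(f"authorization failed: {params['error']}")
        code = params.get("code")
        if not code:
            raise InjectionDetected("redirect carries neither code nor error")
        return {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "code_verifier": code_verifier,
        }


class AuthorizationServerStub:
    """Minimal in-memory AS: issues codes bound to a code_challenge and enforces PKCE."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}  # code -> (client_id, redirect_uri, challenge)

    def authorize(self, params: dict[str, str]) -> dict[str, str]:
        """Simulate the user consenting; returns the query parameters of the redirect."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("this stub only accepts S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (params["client_id"], params["redirect_uri"], params["code_challenge"])
        return {"code": code, "state": params["state"]}

    def token(self, request: dict[str, str]) -> dict[str, str]:
        """Token endpoint: single-use code, same client and redirect_uri, verifier matches."""
        entry = self._codes.pop(request.get("code", ""), None)
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        if request.get("client_id") != client_id or request.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(s256(request.get("code_verifier", "")), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_scenarios() -> dict[str, str]:
    """Honest flow plus two injection attempts; returns what each produced."""
    authz = AuthorizationServerStub()
    victim = ClientInstance("app", "com.example.app:/cb")
    attacker = ClientInstance("app", "com.example.app:/cb")  # same client_id, other device
    results: dict[str, str] = {}

    # 1. Honest flow on the victim's device.
    victim_redirect = authz.authorize(victim.start_authorization())
    results["honest"] = authz.token(victim.handle_redirect(victim_redirect)).get("error", "token issued")

    # 2. Attacker replays the victim's redirect (code + state) into their own instance.
    try:
        attacker.handle_redirect(victim_redirect)
        results["replayed_redirect"] = "accepted"
    except InjectionDetected:
        results["replayed_redirect"] = "rejected by client"

    # 3. Attacker starts their own transaction, then swaps in a fresh victim code.
    # The client check passes (the state is the attacker's own), so the AS must
    # catch it: the code is bound to the victim's code_challenge, not the attacker's verifier.
    fresh_victim_redirect = authz.authorize(victim.start_authorization())
    attacker_request = attacker.start_authorization()
    injected = {"code": fresh_victim_redirect["code"], "state": attacker_request["state"]}
    results["swapped_code"] = authz.token(attacker.handle_redirect(injected)).get("error", "token issued")
    return results
```

The state lookup is the check the quoted note describes: it detects a code whose accompanying state was issued by a different instance. It does not detect a code swapped into the attacker's own pending transaction, which is why the token endpoint's PKCE verification (scenario 3) remains necessary.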