Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
Daniel Fett <mail@danielfett.de> Thu, 04 January 2024 07:40 UTC
Return-Path: <mail@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED51C14F6FF for <oauth@ietfa.amsl.com>; Wed, 3 Jan 2024 23:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HBmHEq7ij7Y for <oauth@ietfa.amsl.com>; Wed, 3 Jan 2024 23:40:24 -0800 (PST)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050:0:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEDC0C14F6F2 for <oauth@ietf.org>; Wed, 3 Jan 2024 23:40:22 -0800 (PST)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4T5JQm6Gd8z9spy for <oauth@ietf.org>; Thu, 4 Jan 2024 08:40:16 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1704354016; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=DiAy11bZThyyE4uj1BDrl8Q+3gvrklPj9ZpRpNthzxQ=; b=nDCnObVbnpuNRWyDymmqiZZhkSHtjc9i33+YEeM7VlRrTcK8JIEJKTmPJo2FoMHzGGWh2j ltTjxo7IdcCcR7vhk4T+lZQi0oyuAHWpG7z6aI3qi5UcxDywmmo34oJplOFilXq3oYKgeS B7xpNQLyCpVtPiNQLg0Hp3QVuAyRaZfMlw+04CqBdiqCNLyfPqQtiW/3uL4absmrpo87/y rAimBvcUhHYy7cXuU98f05JlH+qcss+RZq2ZN3T2vpX31arQebNdT9vjz+IpasZYyCtFmj jXY+sS7Tbn246gyXz2WBSd6j5VWq/abM2SLW81ZmkHm8OXPOI/AJ4nHYueYF2Q==
Content-Type: multipart/alternative; boundary="------------dJJkUuEvDxI5vxTL1wcrJJKr"
Message-ID: <a429db26-71dd-4df6-b9cd-3032d9a7e4c0@danielfett.de>
Date: Thu, 04 Jan 2024 08:40:15 +0100
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <AS8PR10MB74277A2DAC89D987531F7F74EECBA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <6bdfa6d8-594c-40b2-a5ed-4a8ca9943929@danielfett.de> <BE1P281MB20977CD398EB9C1C4A18150EED61A@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <60861607-c450-4b62-8155-f9012a6565f2@danielfett.de> <BE1P281MB2097707E4E61A1DCF7A03500ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <e6ea482f-2984-4aca-92c7-479836064dd3@danielfett.de> <BE1P281MB20971C3BF0ECBF6F46BEB220ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <CDD28A99-05F0-4534-98EE-B086BF786E58@mit.edu> <BE1P281MB209791393882B1DFA919CBA4ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
From: Daniel Fett <mail@danielfett.de>
Autocrypt: addr=mail@danielfett.de; keydata= xjMEZVtP1hYJKwYBBAHaRw8BAQdAnfQRnVGKVUpdbc4qBhwIfryncOMAa1XjIFTAysHFgmXN IERhbmllbCBGZXR0IDxtYWlsQGRhbmllbGZldHQuZGU+wo8EExYIADcWIQTZQBZqxnGfR0Z5 iv7gQ6HKpmkhyAUCZVtP1gUJBaOagAIbAwQLCQgHBRUICQoLBRYCAwEAAAoJEOBDocqmaSHI NzcA/iNXFgwxZqvdaCDTRNib4iq82zFwXl3KwKYgL06xityzAQDIe7hIw6KnGaztTZsRXSvi +9srzbMJdDqVtC1n4A+YCs44BGVbT9cSCisGAQQBl1UBBQEBB0AwPb4iR2rn5k5DT4vAbYNK Oe4CMgQnwWexMYZFlAL0MwMBCAfCfgQYFggAJhYhBNlAFmrGcZ9HRnmK/uBDocqmaSHIBQJl W0/XBQkFo5qAAhsMAAoJEOBDocqmaSHI0Z8A/jd8Id2bvz6/D71d6HPvXZ+2z2BXzOd7MemE 9hHN+y6kAP44pe/GY97tvIZQa8aSinFJzDfbIVph6cUDlnPiwLjJDg==
In-Reply-To: <BE1P281MB209791393882B1DFA919CBA4ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oqEvsg0ujAtawiRWa8cQo5E4ybk>
Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 07:40:29 -0000
Am 03.01.24 um 20:10 schrieb Axel.Nennker@telekom.de: > > Why not RECOMMEND PKCE for CSRF protection, instead of that "MAY"? > That's the case already, PKCE is RECOMMENDED/REQUIRED for clients (which includes the CSRF protection). It is just that omitting "state" is a MAY, because "(to) rely on the CSRF protection provided by PKCE" effectively means that. -Daniel > And in some cases MUST (verb) PKCE? > > //Axel > > *From: *Justin Richer <jricher@mit.edu> > *Date: *Wednesday, 3. January 2024 at 19:53 > *To: *Nennker, Axel <Axel.Nennker@telekom.de> > *Cc: *mail=40danielfett.de@dmarc.ietf.org > <mail=40danielfett.de@dmarc.ietf.org>, oauth@ietf.org <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > On Jan 3, 2024, at 12:30 PM, Axel.Nennker@telekom.de wrote: > > The email discussion triggered me jumping into the discussion. > > Also, I am looking into this from a Camara PoV. > > https://github.com/camaraproject/IdentityAndConsentManagement > <https://github.com/camaraproject/IdentityAndConsentManagement> > > Camara is about to define what is a MUST for authorization servers > etc and we are taking FAPI and the OAuth2 security best practices > as input. > > So, when we write our own security profile in Camara, we are > probably going to copy the language"Authorization servers MUST > support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > We then have no problem requiring clients to use PKCE. > > Coming back to draft-ietf-oauth-security-topics-23. That > document's language feels like it would really, really likes to > require PKCE support, but then it does not go there. > > "Public clients MUST use PKCE" > > "For confidential clients, the use of PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>] > is RECOMMENDED" > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > "Although PKCE was designed as a mechanism to protect native apps, > this advice applies to all kinds of OAuth clients, including web > applications." > > I read this as pretty clear advice — the AS has to support it, but > doesn’t universally require it. Public clients have to use it, so an > AS could reasonably require it automatically for public clients. > Confidential clients can use it, and it’s a good idea, but it would be > surprising for an AS to enforce it on a confidential client. Of > course, even today, an AS can decide that any particular client has to > use PKCE for whatever reason, so we’re not that different in the > "maybe" space than we are now. > > The following two lines are talking about different things: > > > > I still think that the MAY in 2.1 > > "Clients that have ensured that the authorization server supports > Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > This is not about the client using or not using PKCE — it’s about the > client relying on PKCE for CSRF protection, which was previously > relegated to state and nonce parameters alone. > > > > and the MUST in 2.1.1 > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > This just means it has to be available at the AS for anyone to use, > and, as above, possibly required for some circumstances. > > > > do not go well together. > > //Axel > > — Justin > > > > *From:*OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> on behalf of Daniel Fett > <mail=40danielfett.de@dmarc.ietf.org > <mailto:mail=40danielfett.de@dmarc.ietf.org>> > *Date:*Wednesday, 3. January 2024 at 17:48 > *To:*oauth@ietf.org <mailto:oauth@ietf.org><oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Axel, > > It is to be expected that not all AS will immediately upgrade to > adhere to the security BCP after its release. So a client who > wants to use PKCE may encounter AS that don't support it. > > See also the discussion > inhttps://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw/ > <https://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw/> > > -Daniel > > Am 03.01.24 um 17:39 schriebAxel.Nennker@telekom.de > <mailto:Axel.Nennker@telekom.de>: > > Hi Daniel, > > there is also this sentence in this > sectionhttps://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant>in > a paragraph on it own. > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > Why must a client "ensure" that the AS supports PKCE if the > security best practices say the AS MUST support PKCE? > > //Axel > > *From:*OAuth<oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org>on behalf of Daniel > Fett<mail=40danielfett.de@dmarc.ietf.org> > <mailto:mail=40danielfett.de@dmarc.ietf.org> > *Date:*Wednesday, 3. January 2024 at 14:01 > *To:*oauth@ietf.org <mailto:oauth@ietf.org><oauth@ietf.org> > <mailto:oauth@ietf.org> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Axel, > > I would be happy to see OAuth move away from state as a CSRF > protection mechanism in the future, but there is not too much > to be gained from relying solely on PKCE right now. The main > advantage is that relying on PKCE incentivizes clients to > properly manage the session state in a cookie instead of > relying on a parameter. Beyond that, there's a small reduction > in effort required by the client, messages will be smaller > messages, etc.. The disadvantage is that a client puts CSRF > protection in the hands of the AS. Therefore, we chose the > wording "ensure" to say that the client has be sure that the > AS actually implements PKCE correctly before relying on it. > What that means in the concrete instance is up to the client. > > Likewise, to your second point, I do not see enough of an > advantage to RECOMMEND relying solely on PKCE for CSRF protection. > > The main intention here is to open the door to rely on PKCE, > e.g., in closed ecosystems, ecosystems with in-depth > conformance testing, first-party applications and similar. > This also helps to avoid a lot of convoluted language telling > client developers how to properly choose, track, and check > state values in profiles such as FAPI (and the pitfalls when > interpreting that language). > > -Daniel > > Am 02.01.24 um 10:31 schriebAxel.Nennker@telekom.de > <mailto:Axel.Nennker@telekom.de>: > > Hi, > > sorry for being late in the game. > > I am not too happy with this section: > > "Clients that have ensured that the authorization server > supports Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > 1. Maybe a minor point that is due to not being a native > speaker, but the verb "ensure" seems too strong. > If the AZ states in its metadata, that it supports > PKCE than this is "ensurance" enough, right? The > client does not have to "ensure" the support by > actually testing compliance, right? > I suggest rephrasing that to "*If****the authorization > server**states in its meta-data support for****Proof > Key for Code Exchange*(PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>])the > clientMAY rely on the CSRF protection provided by PKCE." > 2. I suggest changing the "MAY" into a recommendation for > all OAuth2-based protocols. OIDC flows can easily > support PKCE, and new clients SHOULD use PKCE, I think. > Suggestion: > "Ifthe authorization serverstates in its meta-data > support forProof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]), > it is RECOMMENDED the client relieson the CSRF > protection provided by PKCE." > > Kind regards > > Axel > > *From:*OAuth<oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org>on behalf of Daniel > Fett<fett=40danielfett.de@dmarc.ietf.org> > <mailto:fett=40danielfett.de@dmarc.ietf.org> > *Date:*Thursday, 28. December 2023 at 14:38 > *To:*oauth@ietf.org > <mailto:oauth@ietf.org><oauth@ietf.org> > <mailto:oauth@ietf.org> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Hannes, > > thanks again for your feedback! It is incorporated in the > editor's copy now. > > -https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html> > > - Diff to published > version:https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt > <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt> > > I plan to publish the next version once we have resolved > the discussion points from Roman's AD review. > > -Daniel > > Am 04.10.23 um 15:41 schrieb Tschofenig, Hannes: > > Hi all, > > here are some comments as part of my shepherd review > of the OAuth Security BCP. > > First, I want to send a big "Thanks" to everyone in > the group for the work on this document and to the > authors in particular. It has taken us a while to come > up with such an impressive list of security > recommendations for OAuth 2.0. > > At this point in time my review comments can only be > minor given the amount of feedback this documents has > already received. > > Here are a few remarks. > > I believe we should indicate that the specification > updates other OAuth RFCs. The obvious documents it > updates are RFC 6749, RFC 6750 and RFC 6819. > > You can set these "updates" in the template you are using. > > In Section 1 you say: > > " > > It does not supplant the security advice given in > > [RFC6749], [RFC6750], and [RFC6819], but > complements those documents. > > " > > In the subsequent paragraph you state that you > "depreciate some modes of operation". > > I believe you are need to be clear about what you are > doing in relationship to these prior documents. It > might also be useful to say something about OAuth 2.1. > > Expand abbreviations on first use. Example: "AS" and > "PKCE" in Section 2.1. The AS abbreviation is only > expanded later in Section 3. Decide whether you want > to use abbreviations or not. You mix them throughout > the document without no reasons. > > Listing the abbreviations in Section 1.2 may also be > useful. There are not that many abbreviations anyway. > > I have wording suggestions for this paragraph: > > FROM: > > " > > Authorization servers SHOULD use client > authentication if possible. > > It is RECOMMENDED to use asymmetric (public-key > based) methods for > > client authentication such as mTLS [RFC8705] or > using signed JWTs > > ("Private Key JWT") in accordance with [RFC7521] > and [RFC7523] (in > > [OpenID.Core] defined as the client authentication > method > > private_key_jwt). When such methods for client > authentication are > > used, authorization servers do not need to store > sensitive symmetric > > keys, making these methods more robust against a > number of attacks. > > " > > TO: > > " > > Authorization servers SHOULD enforce client > authentication, if possible. > > It is RECOMMENDED to use asymmetric cryptography for > > client authentication, such as mTLS [RFC8705] or > using signed JWTs > > ("Private Key JWT"), in accordance with [RFC7521] > and [RFC7523] (in > > [OpenID.Core] defined as the client authentication > method > > private_key_jwt). When asymmetric cryptography for > client authentication is > > used, authorization servers do not need to store > sensitive symmetric > > keys, making client authentication more robust > against leakage of keys. > > " > > (Note: For the reader it is always better if they are > told what attacks > > are prevented rather than saying "a number of > attacks". You don't want the reader > > to guess what you mean.) > > Section 2 is a summary of what follows in Section 4. > Maybe you can make this explicit > > either in the title of Section 2 or in the first > paragraph of Section 2. > > Section 3. > > You write: > > " > > These attackers conform to the attacker model that > was used in formal > > analysis efforts for OAuth [arXiv.1601.01229]. This > is a minimal > > attacker model. Implementers MUST take into > account all possible > > types of attackers in the environment in which > their OAuth > > implementations are expected to run. > > " > > When you say "these attackers" please clarify which > attackers you are talking about. > > Prior to this paragraph you have just spoken about > various forms of network attackers. > > Just before that you talked about network and web > attackers. > > Then, you introduce more attackers and you keep > talking about "this attacker model" and > > "these attackers". Make it easier for the reader by > referring explictly which attackers > > you are talking about in a specific paragraph. > > Then, you conclude the section with a hint that there > is an even stronger attacker model. > > As a reader I might want to know what this stronger > attacker model looks like and why you > > do not consider it in this document. > > Section 4.1.1: > > You write: > > " > > Note: Vulnerabilities of this kind can also exist if the > > authorization server handles wildcards properly. > > " > > I believe you are saying that the vulnerabilities > caused by incorrect redirect URI validation parsing > when you refer to "this kind". > > I would also remove the "note" > > Section 4.1.3: > > You write: > > " > > * Servers on which callbacks are hosted MUST NOT > expose open > > redirectors (see Section 4.11). > > " > > Are you talking about authorization servers (which is > what was referenced in the paragraph before)? > > Section 4.10.1: Sender-constrained Access Tokens > > The text gives the reader the impression that the > token binding would be an option for developers to use. > > I don't think that this is the case. I am particularly > referring to this sentence: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP > (Demonstration of Proof-of- > > Possession at the Application Layer) outlines an > application-level > > sender-constraining for access and refresh > tokens that can be used > > in cases where neither mTLS nor OAuth Token > Binding (see below) > > are available. > > " > > I would change it to: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP > (Demonstration of Proof-of- > > Possession at the Application Layer) outlines an > application-level > > sender-constraining for access and refresh > tokens that can be used > > in cases where mTLS is not available. > > " > > I would then remove the subsequent text talking about > old, expired drafts. > > Alternatively, you could move the text to the appendix. > > Section 4.10.2: Audience Restricted Access Tokens > > In the text you say: > > " > > Audience restriction essentially restricts access > tokens to a > > particular resource server. The authorization > server associates the > > access token with the particular resource server > and the resource > > server SHOULD verify the intended audience. > > " > > You have to put a MUST here. If the resource server > does not check the audience > > restriction when using audience restricted access > tokens then you obviously do not > > get the value from it. It is like using DPOP and not > using the proof-of-possession. > > Likewise the SHOULD language in this sentence is also > questionable: > > " > > The client SHOULD tell the authorization server the > intended resource > > server. The proposed mechanism [RFC8707] could be > used or by > > encoding the information in the scope value. > > " > > If the client does not tell the authorization server > what the intended resource server > > is then how should the authorization server know > (unless in a very limited setup). > > Also the reference to RFC 8707 is a bit weak. We > standardized resource indicators: why not > > recommend using it? > > Section 4.10.3: The section heading is "Discussion: > Preventing Leakage via Metadata". > > The content of the section is not really a discussion > but rather a description of why > > this path has not been taken. I wonder whether it > would be better to move this section > > to the appendix and then start the text by explaining > why other solutions have been used instead of this > approach. > > Section 4.11: I would put the definition about what an > "open redirector" is into the terminology section > since you > > are using the term already in earlier sections. Here > is the definition: > > " > > An open redirector is an endpoint that forwards a user’s > > browser to an arbitrary URI obtained from a query > parameter. > > " > > Typos/Wording: > > FROM: > > " > > Afterwards, the updated the OAuth attacker model is > presented. > > " > > TO: > > " > > Afterwards, the updated OAuth attacker model is presented. > > " > > Section 4.1: > > "... wild ." > > ^ > > Consider using the guidelines for inclusive language: > > https://www.rfc-editor.org/part2/#inclusive_language > <https://www.rfc-editor.org/part2/#inclusive_language> > > For example, "If the attacker is able to ... , **he** > will directly get access to ..." > > Another example is "whitelisted". > > Section 4.1.2: a wording suggestion. > > FROM: > > " > > The attack > > described here combines this behavior with the > client as an open > > redirector (see Section 4.11.1) in order to get > access to access > > tokens. > > " > > TO: > > " > > The attack > > described here combines this behavior with the > client as an open > > redirector (see Section 4.11.1) to obtain access > tokens. > > " > > Section 4.7.1: word missing > > FROM: > > " > > PKCE provides robust protection against CSRF attacks > even in presence > > of an that can read the authorization response (see > Attacker A3 in > > Section 3). > > " > > TO: > > " > > PKCE provides robust protection against CSRF attacks > even in presence > > of an attacker that can read the authorization > response (see Attacker A3 in > > Section 3). > > " > > Section 4.18.2: capitalization > > FROM: > > " > > Wildcard origins like "*" in postMessage MUST not be > used as > > attackers can use them to leak a victim's > in-browser message to > > malicious origins. > > " > > TO: > > " > > Wildcard origins like "*" in postMessage MUST NOT be > used as > > attackers can use them to leak a victim's > in-browser message to > > malicious origins. > > " > > You might also want to replace the short title > "oauth-security-topics" (which can be found on each > page) with something like "OAuth 2.0 Security BCP". > > Ciao > > Hanns > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > -- > > Please use my new email address:mail@danielfett.de <mailto:mail@danielfett.de> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Shepherd Review of draft-ietf-oauth-se… Tschofenig, Hannes
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett