Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

Brian Campbell <bcampbell@pingidentity.com> Mon, 03 December 2018 18:03 UTC

References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net>
In-Reply-To: <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 03 Dec 2018 11:03:22 -0700
Message-ID: <CA+k3eCS1OCQ6sF=DBJ=y3_cictzLLKDaXtX0qr6uPiip7Bk=pg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, fett@danielfett.de, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pja-iaFr8_f-PBcyuX7qKgfBhgo>

On Sat, Dec 1, 2018 at 5:01 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

>
> my proposal is to add the following definition (based on 3.8.1.2) to a new
> "Terminology" section or to section 2.1.2:
>
> A sender constrained access token scopes the applicability of an access
> token to a certain sender.  This sender is
> obliged to demonstrate knowledge of a certain secret as prerequisite for
> the acceptance of that token at the recipient (e.g. a resource server).
>

I think that would be sufficient to avoid reading too much into "sender
constrained" based on how it is used elsewhere. Thanks.

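The definition quoted above says the sender must demonstrate knowledge of a secret before the resource server accepts the token. The following is an added example for this archive page, not code from the OAuth WG thread, the draft, or any implementation. It assumes the mutual-TLS binding of RFC 8705: the authorization server puts the SHA-256 thumbprint of the client's certificate in the token's cnf["x5t#S256"] claim, and the resource server only accepts the token on a TLS connection where that same certificate was presented. Proof of possession of the private key is done by the TLS handshake and is taken as given; what the example shows is the binding check the resource server performs on top of ordinary token validation, and how a stolen token replayed over an attacker's own connection fails that check. The HS256 JWT under a shared AS/RS secret, the issuer and audience URLs, and the "certificate" byte strings are all constructed assumptions, not real DER or real endpoints.

```python
"""Resource-server check for a sender-constrained (mTLS-bound) access token.

Added illustration; not code from the OAuth WG thread. Assumes the RFC 8705
binding (cnf["x5t#S256"] = base64url(SHA-256(client cert DER))). The token is
an HS256 JWT under a secret shared by AS and RS (assumption); the client
"certificates" are constructed placeholder bytes, not real DER.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

AS_RS_SHARED_SECRET = b"constructed-example-secret-do-not-reuse"  # assumption
AS_ISSUER = "https://as.example"                                  # assumption
RS_AUDIENCE = "https://rs.example"                                # assumption

# Constructed stand-ins for DER-encoded client certificates.
CLIENT_A_CERT = b"constructed-DER-bytes-for-client-A"
CLIENT_B_CERT = b"constructed-DER-bytes-for-client-B"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(sub: str, client_cert_der: Optional[bytes], now: int,
                secret: bytes = AS_RS_SHARED_SECRET) -> str:
    """AS side: mint an access token; sender-constrained when a cert is given."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": AS_ISSUER, "sub": sub, "aud": RS_AUDIENCE,
              "iat": now, "exp": now + 300}
    if client_cert_der is not None:
        # The confirmation claim ties the token to this certificate.
        claims["cnf"] = {"x5t#S256": cert_thumbprint(client_cert_der)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_sender_constrained(token: str, presented_cert_der: Optional[bytes], now: int,
                              secret: bytes = AS_RS_SHARED_SECRET) -> Tuple[bool, str]:
    """RS side: returns (accepted, reason).

    presented_cert_der is the client certificate the TLS layer authenticated on
    this connection (None if the connection had no client certificate).
    """
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        return False, "malformed token"
    # Never take the algorithm from the header; the RS knows what it accepts.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if claims.get("aud") != RS_AUDIENCE:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Sender constraint: this RS does not accept plain bearer tokens.
    cnf = claims.get("cnf")
    thumbprint = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(thumbprint, str):
        return False, "token is not sender-constrained (no cnf)"
    if presented_cert_der is None:
        return False, "no client certificate on this connection"
    if not hmac.compare_digest(thumbprint, cert_thumbprint(presented_cert_der)):
        return False, "thumbprint mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("alice", CLIENT_A_CERT, now)
    print(verify_sender_constrained(token, CLIENT_A_CERT, now + 10))  # legitimate sender
    print(verify_sender_constrained(token, CLIENT_B_CERT, now + 10))  # stolen token, attacker's cert
    print(verify_sender_constrained(token, None, now + 10))           # no mTLS on the connection
    print(verify_sender_constrained(issue_token("alice", None, now), CLIENT_A_CERT, now + 10))
```

The point the definition makes is visible in the last three checks: a token that leaks is useless to anyone who cannot also complete a TLS handshake with the bound certificate's private key, and a token issued without a cnf claim is an ordinary bearer token that this resource server refuses.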