Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

Mike Jones <Michael.Jones@microsoft.com> Sat, 14 April 2018 01:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eubuExwga3u0CnlL29s0Nxs_Bbs>

We still need to add the text addressing the points described in John Bradley’s reply to you sent while in London.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Friday, April 13, 2018 6:00 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

Hi folks,

I just looked at the -08 diffs and I see a new section on brute forcing the token
but not describing the confused deputy attack. Did I miss something, or were you
still planning to add more text?

Thanks
-Ekr