[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-cross-device-security-10.txt

Pieter Kasselman <pieter@spirl.com> Tue, 17 June 2025 14:31 UTC


Dear chairs

Thanks for the shepherd feedback on the Cross-Device Flows: Security Best
Current Practice draft provided at IETF 122.

The below draft includes updates to address the feedback received.

Please advise on the next steps for this draft.

Cheers

Pieter

On Tue, Jun 17, 2025 at 3:19 PM <internet-drafts@ietf.org> wrote:

> Internet-Draft draft-ietf-oauth-cross-device-security-10.txt is now
> available.
> It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>
>    Title:   Cross-Device Flows: Security Best Current Practice
>    Authors: Pieter Kasselmann
>             Daniel Fett
>             Filip Skokan
>    Name:    draft-ietf-oauth-cross-device-security-10.txt
>    Pages:   58
>    Dates:   2025-06-17
>
> Abstract:
>
>    This document describes threats against cross-device flows along with
>    practical mitigations, protocol selection guidance, and a summary of
>    formal analysis results identified as relevant to the security of
>    cross-device flows.  It serves as a security guide to system
>    designers, architects, product managers, security specialists, fraud
>    analysts and engineers implementing cross-device flows.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
>
> There is also an HTML version available at:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html
>
> A diff from the previous version is available at:
>
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-10
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>