Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Vineet Banga <vineetbanga@google.com> Sat, 16 November 2019 01:08 UTC

From: Vineet Banga <vineetbanga@google.com>
Date: Fri, 15 Nov 2019 17:07:52 -0800
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
Message-ID: <CAPHqeLd4szopBOVFUyThhx5X7bW2izB+nPKCzZ+1b5efB3wF_g@mail.gmail.com>
In-Reply-To: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/txGVWpcXcD_DN4z-JEOKAtq_iFA>

Just one comment/question at the moment:

3.1.1 - Is there any recommendation around leveraging state vs. using
multiple URIs (with exact match) to remember the application state of the
client? I have seen an exploding list of registered redirect URIs, but am not
aware of any security issues around this usage. But I would like to check if
there are any opinions on this matter.
On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com>
wrote:

> Hi all,
>
> this is a working group last call for "OAuth 2.0 Security Best Current
> Practice".
>
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three-week WGLC because of the IETF meeting.)
>
> Ciao
> Hannes & Rifaat
>
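Added example, not part of this message, the thread or the draft: it shows the alternative the question contrasts with an ever-growing redirect URI list. The client keeps a single registered redirect_uri and carries its per-request application state (here, a return-to path) inside the OAuth state parameter, MAC-bound to the browser session and accepted only once, while the authorization server checks redirect_uri by exact string match. The key, the example hosts, the session ids and every function name are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: a per-deployment key protecting the state value,
# and the client's single registered redirect URI. Neither comes from the draft.
STATE_KEY = os.urandom(32)
REGISTERED_REDIRECT_URIS = {"https://client.example/callback"}
_used_nonces: set = set()  # state values already consumed by a callback


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(session_id: str, body: str) -> str:
    # Keying the MAC input on the browser session id is what gives the CSRF
    # binding: a state minted in one session does not verify in another.
    msg = f"{session_id}.{body}".encode()
    return _b64u(hmac.new(STATE_KEY, msg, hashlib.sha256).digest())


def build_state(session_id: str, app_state: dict) -> str:
    """Pack application state (e.g. where to send the user afterwards) into the
    OAuth state parameter, MAC-protected and bound to the current session."""
    payload = {"nonce": secrets.token_urlsafe(16), "app": app_state}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_tag(session_id, body)}"


def verify_state(session_id: str, state: str):
    """Return the application state if the value is intact, bound to this session
    and not yet consumed; otherwise None."""
    body, sep, tag = state.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_tag(session_id, body).encode(), tag.encode()):
        return None
    payload = json.loads(_b64u_decode(body))
    if payload["nonce"] in _used_nonces:  # single use: a replayed callback is rejected
        return None
    _used_nonces.add(payload["nonce"])
    return payload["app"]


def authorization_url(authz_endpoint: str, client_id: str, session_id: str, app_state: dict) -> str:
    """Client side: one fixed redirect_uri; per-request context travels in state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": next(iter(REGISTERED_REDIRECT_URIS)),
        "state": build_state(session_id, app_state),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def redirect_uri_allowed(requested: str) -> bool:
    """Authorization server side: exact string match against the registration.
    No prefix, path or query-string wildcards, so a trailing slash or an extra
    query parameter is a different (unregistered) URI."""
    return requested in REGISTERED_REDIRECT_URIS


def handle_callback(session_id: str, callback_url: str):
    """Client side: recover the code and the application state from the redirect."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    app_state = verify_state(session_id, state)
    if app_state is None or "code" not in query:
        return None
    return {"code": query["code"][0], "app": app_state}


if __name__ == "__main__":
    url = authorization_url("https://as.example/authorize", "client-1", "sess-A", {"return_to": "/reports/42"})
    print(url)
    print(redirect_uri_allowed("https://client.example/callback"), redirect_uri_allowed("https://client.example/callback/"))
```

With this layout the redirect URI registration stays at exactly one entry regardless of how many places in the application start a login, and the only thing the authorization server has to get right is an equality comparison; the per-request context lives in state, where the draft already expects the client to be doing a session-bound check anyway.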