Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-14.txt

Brian Campbell <bcampbell@pingidentity.com> Tue, 11 February 2020 23:20 UTC

References: <158135846124.3970.5036541129625161720@ietfa.amsl.com> <0f312b87-7721-e8c1-30ef-b6cb7416248b@connect2id.com>
In-Reply-To: <0f312b87-7721-e8c1-30ef-b6cb7416248b@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Feb 2020 16:19:54 -0700
Message-ID: <CA+k3eCRfpHQouAECdt6vgkqWZNX0OGaQew2Z+tsHa-jmL-Ty+Q@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/va41fumgW3bgmgMqcPxzpiQnmio>

code_challenge_methods_supported is/was already defined in RFC 8414; it's
just kinda easy to miss that it's there as you'd typically expect to find
that sort of thing in the doc that defines PKCE itself. But PKCE (RFC 7636)
predates AS metadata (RFC 8414) so things are different in that case.

I notice too that draft-ietf-oauth-security-topics-14 still erroneously has
RFC 8418 as the reference next to code_challenge_methods_supported where it
should be RFC 8414.

On Tue, Feb 11, 2020 at 11:43 AM Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Fantastic, we now have "code_challenge_methods_supported" defined for AS
> metadata and it's a MUST. Long overdue.
>
> Vladimir
>
> On 10/02/2020 20:14, internet-drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Web Authorization Protocol WG of the IETF.
> >
> >         Title           : OAuth 2.0 Security Best Current Practice
> >         Authors         : Torsten Lodderstedt
> >                           John Bradley
> >                           Andrey Labunets
> >                           Daniel Fett
> >       Filename        : draft-ietf-oauth-security-topics-14.txt
> >       Pages           : 46
> >       Date            : 2020-02-10
> >
> > Abstract:
> >    This document describes best current security practice for OAuth 2.0.
> >    It updates and extends the OAuth 2.0 Security Threat Model to
> >    incorporate practical experiences gathered since OAuth 2.0 was
> >    published and covers new threats relevant due to the broader
> >    application of OAuth 2.0.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14
> > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-14
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-14
> >
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >

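As an added illustration of the point discussed in this thread (not code from the thread, the BCP draft, or either RFC): a client reads code_challenge_methods_supported from RFC 8414 AS metadata to decide whether PKCE can be used, derives the RFC 7636 S256 challenge, and the AS-side check at the token endpoint verifies it. The metadata documents and the as.example issuer are constructed for the example; refusing to fall back to "plain" is this example's policy.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample AS metadata documents (not from any real server).
METADATA_WITH_PKCE = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "code_challenge_methods_supported": ["plain", "S256"],
})
METADATA_WITHOUT_PKCE = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
})


def choose_pkce_method(metadata_json: str):
    """Client-side decision per RFC 8414 section 2: if the parameter is
    absent the AS does not support PKCE. This example only accepts S256
    and treats a "plain"-only AS as unsupported (example policy)."""
    methods = json.loads(metadata_json).get("code_challenge_methods_supported")
    if methods is None or "S256" not in methods:
        return None
    return "S256"


def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str) -> str:
    """RFC 7636 section 4.2: S256 is BASE64URL(SHA256(ASCII(verifier))) without padding."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """AS-side check at the token endpoint (RFC 7636 section 4.6), constant-time compare."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge(presented_verifier, stored_method), stored_challenge)
```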