Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Vineet Banga <vineetbanga@google.com> Sat, 16 November 2019 21:42 UTC

References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAPHqeLd4szopBOVFUyThhx5X7bW2izB+nPKCzZ+1b5efB3wF_g@mail.gmail.com> <3FE840EE-9261-414E-8AB7-B75BD8BA6F86@lodderstedt.net>
In-Reply-To: <3FE840EE-9261-414E-8AB7-B75BD8BA6F86@lodderstedt.net>
From: Vineet Banga <vineetbanga@google.com>
Date: Sat, 16 Nov 2019 13:42:39 -0800
Message-ID: <CAPHqeLeA00FwSLv-ry7pCKguS+4RfnOC-PEBh6t4eoTU_GbY-Q@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ww9yd4mSNvaqqNbzs6mNSkmrOd8>

On Fri, Nov 15, 2019 at 11:51 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

>> On 16. Nov 2019, at 02:07, Vineet Banga <vineetbanga=40google.com@dmarc.ietf.org>
>> wrote:
>>
>> Just one comment/question at the moment:
>>
>> 3.1.1 - Is there any recommendation around leveraging state vs using
>> multiple URIs (with exact match) to remember the application state of the
>> client? I have seen an exploding list of registered redirect URIs, but am
>> not aware of any security issues around this usage. But would like to
>> check if there are any opinions on this matter.
>
> The BCP recommends transaction specific one time use state values for CSRF
> prevention. To achieve the same protection level with redirect URIs and
> exact match, one would need to register per transaction redirect URI
> values.
>
> Do your redirect URIs meet those requirements?

No. I think the options are using state purely for CSRF, or using
[I-D.bradley-oauth-jwt-encoded-state], which is called out in the BCP.
Using an encoded JWT can limit the number of redirect URIs.

>> On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> this is a working group last call for "OAuth 2.0 Security Best Current
>>> Practice".
>>>
>>> Here is the document:
>>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>>>
>>> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
>>> (We use a three week WGLC because of the IETF meeting.)
>>>
>>> Ciao
>>> Hannes & Rifaat
>>>


>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

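Added example (not from this thread, the BCP, or the jwt-encoded-state draft): a Python sketch of the pattern the exchange above describes. A random, one-time nonce bound to the user's session gives the CSRF protection the BCP asks of the state value, and the application state ("which page to return to") travels inside that same value, so the client keeps a single exact-match redirect URI instead of registering one per page. An HMAC-signed blob stands in for the JWT encoding the draft describes; the secret key, the 10-minute lifetime, and the dict used as a server-side session store are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example only: a per-client signing key kept server
# side, and a lifetime after which an unused state value is rejected.
STATE_KEY = secrets.token_bytes(32)
STATE_TTL_SECONDS = 600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(session: dict, app_state: dict, now=None) -> str:
    """Build a one-time, transaction-bound state value for an authorization request.

    The nonce is recorded in the caller's session (a plain dict here, standing
    in for a real session store) and is consumed exactly once on the callback,
    which is what protects the redirect URI against CSRF. The application
    state rides along in the same value, so one registered redirect URI
    suffices for every page of the client.
    """
    now = int(now if now is not None else time.time())
    nonce = secrets.token_urlsafe(32)
    payload = {"nonce": nonce, "iat": now, "app": app_state}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    session.setdefault("pending_states", {})[nonce] = now
    return f"{body}.{tag}"


def consume_state(session: dict, state: str, now=None):
    """Verify the state echoed back on the redirect URI and consume its nonce.

    Returns the application state on success, or None when the signature is
    wrong, the value is malformed, the nonce is unknown to this session,
    has already been used, or the transaction has expired.
    """
    now = int(now if now is not None else time.time())
    try:
        body, tag = state.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    # One-time use: pop the nonce so a replayed callback is rejected, and
    # only accept nonces this very session issued (a value minted in another
    # session, e.g. one an attacker started, is unknown here).
    pending = session.get("pending_states", {})
    issued = pending.pop(payload.get("nonce"), None)
    if issued is None or now - issued > STATE_TTL_SECONDS:
        return None
    return payload.get("app")


if __name__ == "__main__":
    session = {}  # constructed stand-in for the user's server-side session
    state = issue_state(session, {"return_to": "/orders/42"})
    print(consume_state(session, state))   # the app state, first use
    print(consume_state(session, state))   # None: nonce already consumed
```

The only thing the client needs to persist per transaction is the nonce in the session; the rest of the application state is carried by the signed value itself, which is the trade the thread is discussing: state does the CSRF work, and the redirect URI list stays short.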