Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-18.txt

Daniel Fett <fett@danielfett.de> Tue, 13 April 2021 14:47 UTC


Hi all,

This version includes some minor editorial fixes and a new wording for
disallowing insecure redirect URIs, as discussed on yesterday's call.

I would kindly ask the chairs to start a WGLC on this version.

Given the nature of a Best Current Practice document and the relatively
broad topic, there will always be more things to add to this document.
In order to deliver this document, it would be great if we could come to
the consensus that after this WGLC any attacks, mitigations, and
security topics not covered in draft-ietf-oauth-security-topics-18 go
into a future update of the BCP. Exceptions would be grave oversights in
proposed mitigations, factual errors, and anything coming up in the IETF
process after WGLC, of course.

Cheers,
Daniel

Am 13.04.21 um 16:34 schrieb internet-drafts@ietf.org:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Security Best Current Practice
>         Authors         : Torsten Lodderstedt
>                           John Bradley
>                           Andrey Labunets
>                           Daniel Fett
>         Filename        : draft-ietf-oauth-security-topics-18.txt
>         Pages           : 53
>         Date            : 2021-04-13
>
> Abstract:
>    This document describes best current security practice for OAuth 2.0.
>    It updates and extends the OAuth 2.0 Security Threat Model to
>    incorporate practical experiences gathered since OAuth 2.0 was
>    published and covers new threats relevant due to the broader
>    application of OAuth 2.0.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-18.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-18
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>


-- 
https://danielfett.de