Thanks Joseph, those are good additions, thanks for pointing them out. I have opened issues to track both of them.
-----Original Message-----
From: Joseph Heenan <jos...@authlete.com>
Sent: Tuesday, October 25, 2022 11:49 AM
To: Pieter Kasselman <pieter.kassel...@microsoft.com>
Cc: oauth@ietf.org; Daniel Fett <dani...@yes.com>; Filip Skokan <filip.sko...@okta.com>
Subject: Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

Hi Pieter / Daniel / Filip

It's great to see this document moving forward.

I may have missed it, but it may be worth being more explicit that one solution is to avoid using cross-device flows for same-device scenarios? It's sort of obvious, but questions like "well CIBA works for both cross-device and same-device, can't I save myself effort by only implementing CIBA and not bothering with standard redirect-based OAuth flows?" are commonly asked.

Also, in this text:

"If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel Authentication (CIBA) provides an alternative, provided that the underlying devices can receive push notifications."

It might be best to use a term other than 'push notifications' there or otherwise reword this, as there are alternatives. e.g. I think there's at least one CIBA implementation out there that can use email to notify the user of an authorization request.

Thanks

Joseph

> On 19 Oct 2022, at 15:55, Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:
>
> Hi All
>
> Following on from the discussions at IETF 113, the OAuth Security Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft document capturing some of the attacks that we are seeing on cross device flows, including Device Authorization Grant (aka Device Code Flow).
>
> These attacks exploit the unauthenticated channel between devices to trick users into granting authorization by using social engineering techniques to change the context in which authorization is requested.
>
> The purpose of the document is to serve as guidance on best practices when designing and implementing scenarios that require cross device flows. We would appreciate any feedback or comments on the document, or any other mitigations or techniques that can be used to mitigate these attacks. Links to the documents are below. We also hope to discuss this at IETF 115 in London in a few weeks' time.
>
> -------------------------------------------------------------------------------------------------------
> A new version of I-D, draft-kasselman-cross-device-security-00.txt
> has been successfully submitted by Pieter Kasselman and posted to the IETF repository.
>
> Name: draft-kasselman-cross-device-security
> Revision: 00
> Title: Cross Device Flows: Security Best Current Practice
> Document date: 2022-10-19
> Group: Individual Submission
> Pages: 25
> URL: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Status: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Html: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> Htmlized: https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
>
> Abstract:
> This document describes threats against cross-device flows along with near term mitigations, protocol selection guidance and the analytical tools needed to evaluate the effectiveness of these mitigations. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth