Hi folks, this updated version of the cross-device security BCP will be the
basis for discussion in Yokohama. The draft was updated to:
1. Provide more granularity on different cross-device flow patterns
2. Include information on the limitations of some of the proposed mitigations
(none of them are silver bullets and they are most effective when deployed as
part of a defence-in-depth approach)
3. Updated and added additional use cases and exploit examples
3. Fixes for typos, grammar etc.
I also want to thank Aaron Parecki for helping us migrate the -00 draft to the
Github repository.
Cheers
Pieter
-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of internet-dra...@ietf.org
Sent: Monday, March 13, 2023 6:29 PM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG
of the IETF.
Title : Cross-Device Flows: Security Best Current Practice
Authors : Pieter Kasselman
Daniel Fett
Filip Skokan
Filename : draft-ietf-oauth-cross-device-security-01.txt
Pages : 40
Date : 2023-03-13
Abstract:
This document describes threats against cross-device flows along with
near term mitigations, protocol selection guidance and the analytical
tools needed to evaluate the effectiveness of these mitigations. It
serves as a security guide to system designers, architects, product
managers, security specialists, fraud analysts and engineers
implementing cross-device flows.
The IETF datatracker status page for this Internet-Draft is:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-oauth-cross-device-security%2F&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7C2177902f9a754bf06d1508db23f0ef5b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638143289963685543%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=J4tksmhwl2n0sTgexdtIl8%2BO4fLAbcfRy9kWQ%2F%2BA4pY%3D&reserved=0
There is also an HTML version available at:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-oauth-cross-device-security-01.html&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7C2177902f9a754bf06d1508db23f0ef5b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638143289963685543%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8yOF0hi777CSOBrkEFqPiTRzhFde067zXxBW%2FPH7zgE%3D&reserved=0
A diff from the previous version is available at:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-oauth-cross-device-security-01&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7C2177902f9a754bf06d1508db23f0ef5b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638143289963685543%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=G5%2BH8H0thDW1202i30NgVR6MTqXivysbisDqXpXwXGo%3D&reserved=0
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7C2177902f9a754bf06d1508db23f0ef5b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638143289963685543%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WYeoZK67zgwPLDektVwqS%2FI3%2FxAvRUZFD%2FLnAT9eWL4%3D&reserved=0
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
