Thanks Roy, thanks for the review and feedback, much appreciated.

I have opened two issues to add clarification and provide additional guidance 
to implementers.


  1.  Highlight edge cases of geolocation based on IP Address - Issue #123 - oauth-wg/oauth-cross-device-security (github.com) <https://github.com/oauth-wg/oauth-cross-device-security/issues/123>
  2.  Same device flow prevention - Issue #122 - oauth-wg/oauth-cross-device-security (github.com) <https://github.com/oauth-wg/oauth-cross-device-security/issues/122>

Cheers

Pieter

From: Roy Williams (E+P) <royw...@exchange.microsoft.com>
Sent: Monday, April 22, 2024 5:42 PM
To: oauth@ietf.org
Cc: Pieter Kasselman <pieter.kassel...@microsoft.com>
Subject: Cross-Device Flows: Security Best Current Practice Review

I had promised at the 119 meeting that I would review this document and give 
feedback.  I have completed that document and other than two potential 
clarification points, I found it to be helpful.

The following two areas could be slightly improved:


  1.  At the end of section (5) there is a paragraph that talks about limiting 
Cross-device protocols on the same device.  It does not seem to be something 
that a client could/would know about when, let's say, YouTube TV requests auth 
and it ends up on Authenticator on the same device.  In theory this would then 
be the Authenticator Service's job to determine this situation and respond with 
a well-known pattern to drive the client to engage in a local OAuth call 
directly to Authenticator.
  2.  In the case of 6.1.1 establishing proximity, there is a boundary (pun not 
intended) case where a device will shift between two different cellular 
providers.  The IETF's Drone effort was examining the same problem as the 
drone flies close to an international boundary and flips back and forth between 
roaming and not.  How to deal with this case, or whether it is dependable, is a 
question.  I know that Pieter is suggesting FIDO2, but the way this section is 
written, a Consumption device may be on a weak Wi-Fi and the authentication 
device has shifted to Cellular.

Roy.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
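The proximity edge case Roy raises for section 6.1.1 (consumption device on Wi-Fi, authentication device on cellular or roaming, so the two IP-derived locations disagree while the user is physically present) can be made concrete with a small evaluator. This is an added example, not code from the draft or from either author: it treats IP geolocation as a signal with a per-network accuracy radius and returns "proximate", "indeterminate" or "distant", so a mismatch caused by a carrier gateway degrades to an extra user-presence check rather than a hard denial. The accuracy radii, the IP addresses and the coordinates are constructed for illustration; a real deployment would take the radius from the geolocation provider's confidence data.

```python
"""Proximity signal from IP-derived geolocation, with per-network uncertainty.

Added example (not from the draft or the mailing-list thread). Models the
section 6.1.1 edge case: the consumption device sits on Wi-Fi while the
authentication device has moved to cellular or is roaming across a border,
so the two geolocations disagree even though the user is present.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Assumed accuracy radius (km) per network type. Constructed values: mobile
# and roaming traffic is usually geolocated to the carrier gateway, which may
# sit hundreds of km away (or in the home country) rather than at the handset.
ASSUMED_ACCURACY_KM = {
    "wifi": 25.0,
    "cellular": 300.0,
    "roaming": 1500.0,
    "unknown": 3000.0,
}


@dataclass(frozen=True)
class GeoObservation:
    """What the authorization server sees for one device's request."""
    ip: str
    lat: float
    lon: float
    network: str   # "wifi" | "cellular" | "roaming" | "unknown"
    country: str


def haversine_km(a: GeoObservation, b: GeoObservation) -> float:
    """Great-circle distance between two observations in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def proximity_verdict(consumption: GeoObservation,
                      authentication: GeoObservation,
                      max_km: float = 100.0) -> tuple:
    """Classify the pair as proximate / indeterminate / distant.

    The distance threshold is widened by the combined accuracy radius of both
    networks, so a cellular or roaming observation can only ever downgrade
    a decision to 'indeterminate', never flip a nearby user to 'distant'.
    """
    distance = haversine_km(consumption, authentication)
    slack = (ASSUMED_ACCURACY_KM.get(consumption.network, ASSUMED_ACCURACY_KM["unknown"])
             + ASSUMED_ACCURACY_KM.get(authentication.network, ASSUMED_ACCURACY_KM["unknown"]))
    if distance <= max_km:
        return "proximate", f"{distance:.0f} km apart"
    if distance <= max_km + slack:
        return "indeterminate", (f"{distance:.0f} km apart but within "
                                 f"{slack:.0f} km of geolocation uncertainty")
    return "distant", f"{distance:.0f} km apart, beyond {max_km + slack:.0f} km"


def next_step(verdict: str) -> str:
    """Map the signal to an action; proximity alone never grants access."""
    return {
        "proximate": "continue cross-device flow",
        "indeterminate": "require additional user-presence confirmation",
        "distant": "abort flow and notify user",
    }[verdict]


# Constructed sample observations (documentation IP ranges, city centroids).
CONSUMPTION_LONDON_WIFI = GeoObservation("203.0.113.10", 51.5074, -0.1278, "wifi", "GB")
AUTH_MANCHESTER_CELLULAR = GeoObservation("198.51.100.7", 53.4808, -2.2426, "cellular", "GB")
AUTH_MANCHESTER_WIFI = GeoObservation("198.51.100.8", 53.4808, -2.2426, "wifi", "GB")

if __name__ == "__main__":
    for auth in (CONSUMPTION_LONDON_WIFI, AUTH_MANCHESTER_CELLULAR, AUTH_MANCHESTER_WIFI):
        verdict, reason = proximity_verdict(CONSUMPTION_LONDON_WIFI, auth)
        print(f"{auth.network:9s} -> {verdict:13s} ({reason}); {next_step(verdict)}")
```

The same 262 km London/Manchester gap yields "distant" when both sides are on Wi-Fi but only "indeterminate" when the authentication device is on cellular, which is the distinction the review asks the draft to spell out: a geolocation mismatch on a mobile network is grounds for another presence check, not on its own for rejecting the session.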