Thank you Pieter.
From: Pieter Kasselman
Sent: Tuesday, April 23, 2024 6:43 AM
To: Roy Williams (E+P) ; oauth@ietf.org
Subject: RE: Cross-Device Flows: Security Best Current Practice Review
Thanks Roy, thanks for the review and feedback, much appreciated.
I have opened two issues to add clarification and provide additional guidance
to implementers.
1. Highlight edge cases of geolocation based on IP Address - Issue #123 - oauth-wg/oauth-cross-device-security (github.com) <https://github.com/oauth-wg/oauth-cross-device-security/issues/123>
2. Same device flow prevention - Issue #122 - oauth-wg/oauth-cross-device-security (github.com) <https://github.com/oauth-wg/oauth-cross-device-security/issues/122>
Cheers
Pieter
From: Roy Williams (E+P) <royw...@exchange.microsoft.com>
Sent: Monday, April 22, 2024 5:42 PM
To: oauth@ietf.org
Cc: Pieter Kasselman <pieter.kassel...@microsoft.com>
Subject: Cross-Device Flows: Security Best Current Practice Review
I had promised at the 119 meeting that I would review this document and give
feedback. I have completed that document and other than two potential
clarification points, I found it to be helpful.
The following two areas could be slightly improved:
1. At the end of section (5) there is a paragraph that talks about limiting
Cross-device protocols on the same device. It does not seem to be something
that a client could/would know about when, let's say, YouTube TV requests auth
and it ends up on Authenticator on the same device. In theory this would then
be the Authenticator Service's job to determine this situation and respond with
a well-known pattern to drive the client to engage in a local OAuth call
directly to Authenticator.
2. In the case of 6.1.1 establishing proximity, there is a boundary (pun not
intended) case where a device will shift between two different cellular
providers. The IETF's Drone effort was examining the same problem as the
drone flies close to an international boundary and flips back and forth between
roaming and not. How to deal with this case, or whether it is dependable, is a
question. I know that Pieter is suggesting FIDO2, but the way this section is
written a Consumption device may be on a weak Wi-Fi and the authentication
device has shifted to Cellular.
Roy.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
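As an added illustration (not code from the draft, the working group, or either correspondent) of the proximity edge case Roy raises: an authorization server that compares IP-geolocated positions of the consumption and authentication devices should treat a cellular or roaming endpoint as an inconclusive signal rather than a hard mismatch, and fall back to a stronger proximity check instead of rejecting the flow. The coordinates, network types and the 50 km threshold below are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class DeviceSignal:
    """Assumed per-device context derived from the request's source IP."""
    lat: float
    lon: float
    network: str      # "wifi" or "cellular" (hypothetical classification)
    roaming: bool     # True when the carrier reports a roaming gateway


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two geolocated points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def proximity_decision(consumption: DeviceSignal, auth: DeviceSignal,
                       max_km: float = 50.0) -> str:
    """Return 'allow', 'step_up' or 'deny' for the cross-device authorization.

    IP geolocation of cellular and roaming endpoints resolves to the carrier
    gateway, which can sit hundreds of kilometres from the handset and flip
    between providers near a border. A distance mismatch in that situation is
    therefore inconclusive: request a stronger proximity signal (for example a
    FIDO2 authenticator bound to the consumption device) rather than denying.
    """
    distance = haversine_km(consumption.lat, consumption.lon, auth.lat, auth.lon)
    if distance <= max_km:
        return "allow"
    unreliable = any(d.network == "cellular" or d.roaming for d in (consumption, auth))
    return "step_up" if unreliable else "deny"


# Constructed sample: TV on home Wi-Fi in London, phone geolocated to Paris
# because it switched to a roaming cellular gateway.
TV_LONDON = DeviceSignal(51.5074, -0.1278, "wifi", False)
PHONE_ROAMING = DeviceSignal(48.8566, 2.3522, "cellular", True)
PHONE_PARIS_WIFI = DeviceSignal(48.8566, 2.3522, "wifi", False)
PHONE_LONDON_WIFI = DeviceSignal(51.5155, -0.0922, "wifi", False)
```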