Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-30 Thread Marco Pernpruner
Dear all,
I reviewed the draft and I do not have any further comments or concerns.
All my previous comments have been successfully addressed. Therefore, I'm
supportive of the document.

Best regards,
Marco

*From:* OAuth *On Behalf Of* Rifaat Shekh-Yusef
*Sent:* Monday, April 15, 2024 2:32 PM
*To:* oauth
*Subject:* [OAUTH-WG] WGLC for Cross-Device Flows BCP



All,

This is a *WG Last Call* for the *Cross-Device Flows BCP* document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any
comments or concerns, by *April 29th*.

Regards,
  Rifaat & Hannes

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-25 Thread Pieter Kasselman
Thanks Tim, really appreciate the feedback.

I opened two issues to track your feedback here:


  1.  Editorial updates for FIDO Section: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/138
  2.  Consistent use of Smart TV: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/137

Once again thanks for your feedback.

Cheers

Pieter

From: OAuth  On Behalf Of Tim Cappalli
Sent: Wednesday, April 24, 2024 8:13 PM
To: rifaat.s.ietf 
Cc: oauth 
Subject: Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

Looks great! Some small proposed tweaks:

Nit: "SmartTV" and "Smart TV" are used interchangeably throughout the doc. No 
preference on which one is used, but should be consistent.

6.2.3.1

Current text: "supports a new cross-device authentication protocol, called 
"hybrid""
Proposed text: "supports a new cross-device transport protocol, called "hybrid 
transports"

Propose adding the following at the end of the first paragraph: "CTAP 2.2 
hybrid transports is implemented by the client and authenticator platforms."

Current text: "The main device and authenticator"
Proposed text: "The main device (CTAP client) and authenticator"

Current text: "The user will receive a push notification on the authenticator."
Proposed text: "The user will typically receive a push notification on the 
device serving as the FIDO authenticator."

6.2.3.3
Current text: "Both the Consumption Device and the authenticator require BLE 
support."
Proposed text: "Both the Consumption Device and the authenticator require BLE 
support and also need access to the internet"

s/hybrid transport/hybrid transports

Current text: "The mobile phone must support CTAP 2.2+ to be used as a 
cross-device authenticator."
Proposed text: "The device serving as the FIDO authenticator must support CTAP 
2.2+ to be used as a cross-device authenticator."

tim

On Mon, Apr 22, 2024 at 10:57 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:




We have not received any feedback on this document so far.

This is a reminder to review and provide feedback on this document.
If you reviewed the document, and you do not have any comments or concerns, it 
would be great if you can send an email to the list indicating that.

Regards,
 Rifaat



On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
All,

This is a WG Last Call for the Cross-Device Flows BCP document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any 
comments or concerns, by April 29th.

Regards,
  Rifaat & Hannes



Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-24 Thread Tim Cappalli
Looks great! Some small proposed tweaks:

Nit: "SmartTV" and "Smart TV" are used interchangeably throughout the doc.
No preference on which one is used, but should be consistent.

*6.2.3.1*

Current text: "supports a new cross-device authentication protocol, called
"hybrid""
Proposed text: "supports a new cross-device transport protocol, called
"hybrid transports"

Propose adding the following at the end of the first paragraph: "CTAP 2.2
hybrid transports is implemented by the client and authenticator platforms."

Current text: "The main device and authenticator"
Proposed text: "The main device (CTAP client) and authenticator"

Current text: "The user will receive a push notification on the
authenticator."
Proposed text: "The user will typically receive a push notification on the
device serving as the FIDO authenticator."

*6.2.3.3*
Current text: "Both the Consumption Device and the authenticator require
BLE support."
Proposed text: "Both the Consumption Device and the authenticator require
BLE support and also need access to the internet"

s/hybrid transport/hybrid transports

Current text: "The mobile phone must support CTAP 2.2+ to be used as a
cross-device authenticator."
Proposed text: "The device serving as the FIDO authenticator must support
CTAP 2.2+ to be used as a cross-device authenticator."

tim

On Mon, Apr 22, 2024 at 10:57 AM Rifaat Shekh-Yusef 
wrote:

> We have not received any feedback on this document so far.
>
> This is a reminder to review and provide feedback on this document.
> If you reviewed the document, and you do not have any comments or
> concerns, it would be great if you can send an email to the list indicating
> that.
>
> Regards,
>  Rifaat
>
>
>
> On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
>> All,
>>
>> This is a *WG Last Call* for the *Cross-Device Flows BCP* document.
>>
>> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html
>> 
>>
>> Please, review this document and reply on the mailing list if you have
>> any comments or concerns, by *April 29th*.
>>
>> Regards,
>>   Rifaat & Hannes
>>


Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-23 Thread Saxe, Dean
Thanks Pieter!
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deans...@amazon.com | M: 206-659-7293

From: Pieter Kasselman 
Date: Tuesday, April 23, 2024 at 7:02 AM
To: "Saxe, Dean" , "rifaat.s.ietf" 
, oauth 
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC for Cross-Device Flows BCP




Hi Dean, thanks for taking the time to review and provide feedback, much
appreciated.

I have opened issues to address each of the items highlighted.


  1.  Add verbiage to diagrams: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/124
  2.  Make examples consistent for Section 3.1.3: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/125
  3.  Clarify origin of QR Code: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/126
  4.  Editorial updates: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/127
  5.  FIDO Reference update: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/128
  6.  Update Guidance on using FIDO: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/129

Cheers

Pieter


From: OAuth  On Behalf Of Saxe, Dean
Sent: Monday, April 22, 2024 6:54 PM
To: rifaat.s.ietf ; oauth 
Subject: Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP



Rifaat,

I have a few minor nits in the doc, nothing of significant concern for WGLC.


  1.  When describing the visuals documenting the flows, there is a step that 
includes “The user authenticates to the authorization server”.  In each case 
this should include verbiage to indicate that this is only necessary if the 
user is unauthenticated, e.g. “If unauthenticated, the user authenticates to 
the authorization server…”.  Specific sections include 3.1.1, 3.1.2, 4.1.1, 
4.1.2
  2.  Section 3.1.3 the final sentence notes the authorization data may be 
delivered as a text message or via a mobile app.  This is inconsistent with the 
methods mentioned in the first paragraph, which includes email and text 
messages.  I suggest being clear that these are example mechanisms and not a 
full list of mechanisms by which codes can be delivered.
  3.  Section 3.3.1 the first sentence should note that the QR code is 
associated with the particular service (Netflix, AppleTV, Disney+).  Readers 
could assume that the QR codes originate from the TV manufacturer’s service 
alone as written.
  4.  Section 4.3.9 reads, “… using an e-mail campaign etc.”  Should this be 
rewritten, “using an e-mail campaign, for example.”?
  5.  Section 6.2.3 discusses FIDO CTAP 2.2.  This document is still in review 
draft 01<https://fidoalliance.org/specifications/download/>.  We should note 
that the document is not final as of today.
  6.  Section 6.2.3.5 could be softened a bit.  The first sentence should 
include, “… and a suitable FIDO credential is not available on the consumption 
device.”  In most patterns, this mechanism is used to bootstrap a new 
credential on the device, rather than using this mechanism for authN every time.

Authors, if you have any questions please let me know.

Thanks,
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deans...@amazon.com | M: 206-659-7293

From: OAuth <oauth-boun...@ietf.org> on behalf of Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Date: Monday, April 22, 2024 at 7:57 AM
To: oauth <oauth@ietf.org>
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC for Cross-Device Flows BCP




We have not received any feedback on this document so far.

This is a reminder to review and provide feedback on this document.
If you reviewed the document, and you do not have any comments or concerns, it 
would be great if you can send an email to the list indicating that.

Regards,
 Rifaat



On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
All,

This is a WG Last Call for the Cross-Device Flows BCP document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any 
comments or concerns, by April 29th.

Regards,
  Rifaat & Hannes



Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-23 Thread Pieter Kasselman
Hi Dean, thanks for taking the time to review and provide feedback, much
appreciated.

I have opened issues to address each of the items highlighted.


  1.  Add verbiage to diagrams: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/124
  2.  Make examples consistent for Section 3.1.3: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/125
  3.  Clarify origin of QR Code: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/126
  4.  Editorial updates: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/127
  5.  FIDO Reference update: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/128
  6.  Update Guidance on using FIDO: 
https://github.com/oauth-wg/oauth-cross-device-security/issues/129

Cheers

Pieter


From: OAuth  On Behalf Of Saxe, Dean
Sent: Monday, April 22, 2024 6:54 PM
To: rifaat.s.ietf ; oauth 
Subject: Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

Rifaat,

I have a few minor nits in the doc, nothing of significant concern for WGLC.


  1.  When describing the visuals documenting the flows, there is a step that 
includes “The user authenticates to the authorization server”.  In each case 
this should include verbiage to indicate that this is only necessary if the 
user is unauthenticated, e.g. “If unauthenticated, the user authenticates to 
the authorization server…”.  Specific sections include 3.1.1, 3.1.2, 4.1.1, 
4.1.2
  2.  Section 3.1.3 the final sentence notes the authorization data may be 
delivered as a text message or via a mobile app.  This is inconsistent with the 
methods mentioned in the first paragraph, which includes email and text 
messages.  I suggest being clear that these are example mechanisms and not a 
full list of mechanisms by which codes can be delivered.
  3.  Section 3.3.1 the first sentence should note that the QR code is 
associated with the particular service (Netflix, AppleTV, Disney+).  Readers 
could assume that the QR codes originate from the TV manufacturer’s service 
alone as written.
  4.  Section 4.3.9 reads, “… using an e-mail campaign etc.”  Should this be 
rewritten, “using an e-mail campaign, for example.”?
  5.  Section 6.2.3 discusses FIDO CTAP 2.2.  This document is still in review 
draft 01<https://fidoalliance.org/specifications/download/>.  We should note 
that the document is not final as of today.
  6.  Section 6.2.3.5 could be softened a bit.  The first sentence should 
include, “… and a suitable FIDO credential is not available on the consumption 
device.”  In most patterns, this mechanism is used to bootstrap a new 
credential on the device, rather than using this mechanism for authN every time.

Authors, if you have any questions please let me know.

Thanks,
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deans...@amazon.com | M: 206-659-7293

From: OAuth <oauth-boun...@ietf.org> on behalf of Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Date: Monday, April 22, 2024 at 7:57 AM
To: oauth <oauth@ietf.org>
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC for Cross-Device Flows BCP



We have not received any feedback on this document so far.

This is a reminder to review and provide feedback on this document.
If you reviewed the document, and you do not have any comments or concerns, it 
would be great if you can send an email to the list indicating that.

Regards,
 Rifaat



On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
All,

This is a WG Last Call for the Cross-Device Flows BCP document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any 
comments or concerns, by April 29th.

Regards,
  Rifaat & Hannes



Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-22 Thread Saxe, Dean
Rifaat,

I have a few minor nits in the doc, nothing of significant concern for WGLC.


  1.  When describing the visuals documenting the flows, there is a step that 
includes “The user authenticates to the authorization server”.  In each case 
this should include verbiage to indicate that this is only necessary if the 
user is unauthenticated, e.g. “If unauthenticated, the user authenticates to 
the authorization server…”.  Specific sections include 3.1.1, 3.1.2, 4.1.1, 
4.1.2
  2.  Section 3.1.3 the final sentence notes the authorization data may be 
delivered as a text message or via a mobile app.  This is inconsistent with the 
methods mentioned in the first paragraph, which includes email and text 
messages.  I suggest being clear that these are example mechanisms and not a 
full list of mechanisms by which codes can be delivered.
  3.  Section 3.3.1 the first sentence should note that the QR code is 
associated with the particular service (Netflix, AppleTV, Disney+).  Readers 
could assume that the QR codes originate from the TV manufacturer’s service 
alone as written.
  4.  Section 4.3.9 reads, “… using an e-mail campaign etc.”  Should this be 
rewritten, “using an e-mail campaign, for example.”?
  5.  Section 6.2.3 discusses FIDO CTAP 2.2.  This document is still in review 
draft 01<https://fidoalliance.org/specifications/download/>.  We should note 
that the document is not final as of today.
  6.  Section 6.2.3.5 could be softened a bit.  The first sentence should 
include, “… and a suitable FIDO credential is not available on the consumption 
device.”  In most patterns, this mechanism is used to bootstrap a new 
credential on the device, rather than using this mechanism for authN every time.

Authors, if you have any questions please let me know.

Thanks,
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deans...@amazon.com | M: 206-659-7293

From: OAuth  on behalf of Rifaat Shekh-Yusef 

Date: Monday, April 22, 2024 at 7:57 AM
To: oauth 
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC for Cross-Device Flows BCP




We have not received any feedback on this document so far.

This is a reminder to review and provide feedback on this document.
If you reviewed the document, and you do not have any comments or concerns, it 
would be great if you can send an email to the list indicating that.

Regards,
 Rifaat



On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
All,

This is a WG Last Call for the Cross-Device Flows BCP document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any 
comments or concerns, by April 29th.

Regards,
  Rifaat & Hannes



Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-22 Thread Rifaat Shekh-Yusef
We have not received any feedback on this document so far.

This is a reminder to review and provide feedback on this document.
If you reviewed the document, and you do not have any comments or concerns,
it would be great if you can send an email to the list indicating that.

Regards,
 Rifaat



On Mon, Apr 15, 2024 at 9:32 AM Rifaat Shekh-Yusef 
wrote:

> All,
>
> This is a *WG Last Call* for the *Cross-Device Flows BCP* document.
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html
>
> Please, review this document and reply on the mailing list if you have any
> comments or concerns, by *April 29th*.
>
> Regards,
>   Rifaat & Hannes
>
>


[OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-15 Thread Rifaat Shekh-Yusef
All,

This is a *WG Last Call* for the *Cross-Device Flows BCP* document.
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

Please, review this document and reply on the mailing list if you have any
comments or concerns, by *April 29th*.

Regards,
  Rifaat & Hannes