[OAUTH-WG] Re: WGLC for Cross-Device Flows BCP

2024-05-13 Thread Pieter Kasselman
-oauth-cross-device-security-07 - Cross-Device Flows: Security Best Current Practice<https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/07/> With gratitude Pieter From: OAuth On Behalf Of Pieter Kasselman Sent: Thursday, April 25, 2024 8:43 PM To: Tim Cappalli ; rifaat.

Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-25 Thread Pieter Kasselman
Thanks Tim, really appreciating the feedback. I opened two issues to track your feedback here: 1. Editorial updates for FIDO Section: https://github.com/oauth-wg/oauth-cross-device-security/issues/138 2. Consistent use of Smart TV:

Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-23 Thread Pieter Kasselman
Hi Dean, thanks for taking the time to review and provide feedback Dean, much appreciated. I have opened issues to address each of the items highlighted. 1. Add verbiage to diagrams: https://github.com/oauth-wg/oauth-cross-device-security/issues/124 2. Make examples consistent for

Re: [OAUTH-WG] Cross-Device Flows: Security Best Current Practice Review

2024-04-23 Thread Pieter Kasselman
ay, April 22, 2024 5:42 PM To: oauth@ietf.org Cc: Pieter Kasselman Subject: Cross-Device Flows: Security Best Current Practice Review I had promised at the 119 meeting that I would review this document and give feedback. I have completed that document and other than two potential clarificati

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-04-05 Thread Pieter Kasselman
I volunteered to review the OAuth 2.0 Protected Resource Metadata (https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html) at the IETF 119 meeting. First, I would like to thank the authors, Mike, Phil and Aaron, for creating this draft. It solves an important problem and I

[OAUTH-WG] Updating "Identity Chaining across Trust Domains" draft name

2024-02-09 Thread Pieter Kasselman
Following the working group adoption of the "Identity Chaining across Trust Domains" draft (see draft-ietf-oauth-identity-chaining-00 - Identity Chaining across Trust Domains), the editors thought it appropriate to update

Re: [OAUTH-WG] Call for adoption - Identity Chaining

2023-11-15 Thread Pieter Kasselman
I support adoption. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Tuesday, November 14, 2023 12:59 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Identity Chaining All, This is an official call for adoption for the Identity Chaining draft:

Re: [OAUTH-WG] Call for adoption - Transaction Tokens

2023-11-15 Thread Pieter Kasselman
I support adoption. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Tuesday, November 14, 2023 12:58 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Transaction Tokens All, This is an official call for adoption for the Transaction Tokens draft:

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt

2023-10-23 Thread Pieter Kasselman
s-device-security-04.txt is now available. It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF. Title: Cross-Device Flows: Security Best Current Practice Authors: Pieter Kasselman Daniel Fett Filip Skokan Name:draft-ietf-oauth-cross-de

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Pieter Kasselman
I support adoption From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Wednesday, August 23, 2023 8:02 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Protected Resource Metadata All, This is an official call for adoption for the Protected Resource Metadata draft:

Re: [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable Credentials

2023-07-30 Thread Pieter Kasselman
I support adoption of this draft. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Saturday, July 29, 2023 8:25 PM To: oauth Subject: [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable Credentials All, This is an official call for adoption for the SD-JWT-based Verifiable Credentials

Re: [OAUTH-WG] Call for adoption - Attestation-Based Client Authentication

2023-07-30 Thread Pieter Kasselman
I support adoption. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Saturday, July 29, 2023 8:27 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Attestation-Based Client Authentication All, This is an official call for adoption for the Attestation-Based Client Authentication draft

Re: [OAUTH-WG] New Version Notification for draft-identity-chaining-00.txt

2023-07-10 Thread Pieter Kasselman
at IETF 117 to discuss this proposal? Cheers Pieter -Original Message- From: internet-dra...@ietf.org Sent: Monday, July 10, 2023 4:26 PM To: Arndt Schwenkschuster ; Kelley Burgin ; Michael Jenkins ; Mike Jenkins ; Pieter Kasselman ; Pieter Kasselman Subject: New Version Notification

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt

2023-07-10 Thread Pieter Kasselman
A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF. Title : Cross-Device Flows: Security Best Current Practice Authors : Pieter Kasselman

[OAUTH-WG] Cross-device security BCP: Proposal to add normative requirements

2023-07-06 Thread Pieter Kasselman
Hi folks The cross-device security BCP contains several non-normative recommendations (should, may, recommended). We (the editors) are considering making some of these normative (SHOULD, MAY, RECOMMENDED) to give clearer guidance and emphasise the desirability of implementing certain

[OAUTH-WG] Cross-device BCP: Alternative labels for different cross-device flow patterns

2023-06-16 Thread Pieter Kasselman
Hi folks, After the previous IETF meeting, we got some feedback that the labels we chose to describe the three variants of cross device flows could be a little more descriptive. After some discussion between Daniel and myself, we would like to propose the following changes in how we label and

[OAUTH-WG] Collective name for attacks on cross-device flows: Cross-Device Consent Phishing (CDCP)

2023-06-15 Thread Pieter Kasselman
Hi folks, one of the discussion points at IETF 116 for the cross-device security BCP was finding a collective name for the exploits of the cross device flows we were seeing. We got several suggestions since then (see list below). We are thinking of adopting the term "Cross-Device Consent

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-15 Thread Pieter Kasselman
:21 AM To: Pieter Kasselman ; oauth@ietf.org; i-d-annou...@ietf.org Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt Hi Pieter, I won't be able to attend IETF 116, so I ask my short question here: Why is there a difference between step (D) in Figure 1 (user trans

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-13 Thread Pieter Kasselman
the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF. Title : Cross-Device Flows: Security Best Current Practice Authors : Pieter Kasselman Daniel Fett

[OAUTH-WG] FW: New Version Notification for draft-kasselman-cross-device-security-02.txt

2022-11-14 Thread Pieter Kasselman
--Original Message- From: internet-dra...@ietf.org Sent: Tuesday, November 15, 2022 12:21 AM To: Daniel Fett ; panva.ip ; Pieter Kasselman Subject: New Version Notification for draft-kasselman-cross-device-security-02.txt A new version of I-D, draft-kasselman-cross-device-security-02.tx

Re: [OAUTH-WG] [E] Re: Draft Proposal for a Cross Device Flow Security BCP

2022-10-27 Thread Pieter Kasselman
Thanks Bjorn, I have opened an issue and the fix will be in the next update. Much appreciated! From: Hjelm, Bjorn Sent: Thursday, October 27, 2022 4:25 AM To: Pieter Kasselman ; Daniel Fett ; Filip Skokan Cc: oauth@ietf.org; Joseph Heenan Subject: Re: [E] Re: [OAUTH-WG] Draft Proposal

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-26 Thread Pieter Kasselman
Thanks Joseph, those are good additions, thanks for pointing them out. I have opened issues to track both of them. -Original Message- From: Joseph Heenan Sent: Tuesday, October 25, 2022 11:49 AM To: Pieter Kasselman Cc: oauth@ietf.org; Daniel Fett ; Filip Skokan Subject: Re: [OAUTH

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-24 Thread Pieter Kasselman
Thanks Brian, I will add clarification on CIBA and fix those transposition errors. Much appreciated! From: Brian Campbell Sent: Friday, October 21, 2022 11:10 PM To: Pieter Kasselman Cc: oauth@ietf.org; Daniel Fett ; Filip Skokan Subject: Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow

[OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-19 Thread Pieter Kasselman
' time. - A new version of I-D, draft-kasselman-cross-device-security-00.txt has been successfully submitted by Pieter Kasselman and posted to the IETF repository. Name: draft-kasselman

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-10 Thread Pieter Kasselman
Of Pieter Kasselman Sent: Friday, October 7, 2022 9:29 PM To: Rifaat Shekh-Yusef ; oauth Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication I am very supportive of this work and have been working through different use cases to see whether it can satisfy the requirements that arise from them

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-07 Thread Pieter Kasselman
I am very supportive of this work and have been working through different use cases to see whether it can satisfy the requirements that arise from them. One observation from working through these uses cases is that as customers move to Zero Trust architectures, we are seeing customers

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-02 Thread Pieter Kasselman
I support adoption From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Friday, July 29, 2022 1:17 AM To: oauth Subject: [OAUTH-WG] Call for adoption - SD-JWT All, This is a call for adoption for the SD-JWT document

Re: [OAUTH-WG] Call for adoption - Step-up Authentication

2022-04-27 Thread Pieter Kasselman
I support adoption of this work. From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Tuesday 26 April 2022 11:47 To: oauth Subject: [OAUTH-WG] Call for adoption - Step-up Authentication This is a call for adoption for the Step-up Authentication document

Re: [OAUTH-WG] Step-up Authentication review

2022-04-22 Thread Pieter Kasselman
Hi Vittorio, Brian, Rifaat and OAuth WG members. I volunteered to review the OAuth 2.0 Step-up Authentication Challenge Protocol (https://www.ietf.org/archive/id/draft-bertocci-oauth-step-up-authn-challenge-01.html) at the OAuth working group meeting at IETF 113. I did the review in the

Re: [OAUTH-WG] WGLC for DPoP Document

2022-03-30 Thread Pieter Kasselman
I support publication From: OAuth On Behalf Of Warren Parad Sent: Wednesday 30 March 2022 13:12 To: Torsten Lodderstedt Cc: oauth Subject: Re: [OAUTH-WG] WGLC for DPoP Document I support publication.

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-24 Thread Pieter Kasselman
a protocol in a certain way is really important if we want to minimise security issues that arise from implementation issues and protocol selection. Cheers Pieter From: Brock Allen Sent: Thursday 24 March 2022 02:25 To: George Fletcher ; Pieter Kasselman ; oauth@ietf.org Subject: Re: [OAUTH-WG

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-24 Thread Pieter Kasselman
of a number of signals that can help to reduce risk, based on the deployment scenario. Cheers Pieter From: George Fletcher Sent: Thursday 24 March 2022 02:10 To: Pieter Kasselman ; Brock Allen ; oauth@ietf.org Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-18 Thread Pieter Kasselman
attacks. Keeping that opening as small and constrained as possible and then mitigating against errors in judgement will help the overall security posture. Cheers Pieter From: Shane B Weeden Sent: Thursday 17 March 2022 21:21 To: Pieter Kasselman Cc: oauth@ietf.org Subject: [EXTERNAL] Re

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

2022-03-18 Thread Pieter Kasselman
, help them make better decisions and then protecting them in case of a bad decision will help drive down risk. Cheers Pieter From: Brock Allen Sent: Thursday 17 March 2022 21:25 To: Pieter Kasselman ; oauth@ietf.org Subject: [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and Illicit

[OAUTH-WG] Device Authorization Grant and Illicit Consent Exploits

2022-03-17 Thread Pieter Kasselman
Hi All One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in

Re: [OAUTH-WG] [EXTERNAL] Re: Call for adoption - JWK Thumbprint URI

2022-01-24 Thread Pieter Kasselman
+1. I support adoption. From: OAuth On Behalf Of George Fletcher Sent: Friday 21 January 2022 21:22 To: Rifaat Shekh-Yusef ; oauth Subject: [EXTERNAL] Re: [OAUTH-WG] Call for adoption - JWK Thumbprint URI +1 for adoption On 1/13/22 9:26 AM, Rifaat Shekh-Yusef wrote: All, This is a call for

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Pieter Kasselman
: Friday 17 December 2021 20:27 To: Pieter Kasselman Cc: Vittorio Bertocci ; oauth Subject: Re: [EXTERNAL] Re: [OAUTH-WG] OAuth Redirection Attacks You want to redirect on some errors because the last thing an AS wants is to leave the user in the AS because the user can't do anything

Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

2021-12-17 Thread Pieter Kasselman
Agreed that the attackers goal is to bypass phishing filters and they found a way to achieve this by using an IdP that adheres to the standards. I don't have the context for the design choice to redirect on an error condition, but am curious why the IdP should not be allowed to handle the error

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-02 Thread Pieter Kasselman
cember 2021 15:29 To: Pieter Kasselman Cc: Mike Jones ; oauth@ietf.org Subject: Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter (e.g. one-time use in a certain timeframe etc). Sure but couldn't we just reduce the lifetime? Even if the token isn't one time use, surely the

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-01 Thread Pieter Kasselman
mment. Note that I plan to add more of the attack description written by Pieter Kasselman to the security considerations in a future commit. This attack description was sent by Pieter yesterday in a message with the subject "Authorization Code Log File Attack (was

Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods

2021-11-02 Thread Pieter Kasselman
Neil Is the goal to accommodate network latency or clock drift? It would be helpful to include reasons for why a grace period should be considered if it is allowed. Without knowing the reasons for the grace period it is not clear why a grace period is a better solution than just extending the

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

2021-10-15 Thread Pieter Kasselman
SHOULD is more likely to cause the right conversations to take place for implementors as they weigh the risks. Reducing it to MAY risks diluting it too much. From: OAuth On Behalf Of Warren Parad Sent: Friday 15 October 2021 09:25 To: Pieter Kasselman Cc: IETF oauth WG Subject: Re: [OAUTH-WG

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

2021-10-15 Thread Pieter Kasselman
"SHOULD" to continue to point out the possibility of enforcing one-time authorization codes if desired. On Wed, Oct 13, 2021 at 2:15 PM Pieter Kasselman wrote: Log files can exist in lots of place (clients, servers, data lakes). T

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

2021-10-13 Thread Pieter Kasselman
ind that even with the proposed change to drop the requirement of authorization codes being one time use, authorization servers are free to enforce this still if they want. Authorization code lifetimes are still expected to be short lived as well. Aaron On Wed, Oct 13, 2021 at 1:25 PM Piet

Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1

2021-10-13 Thread Pieter Kasselman
Aaron, I was curious what prevents an attacker from presenting an Authorization Code and a PKCE Code Verifier for a second time if the one time use requirement is removed. Is there another countermeasure in PKCE that would prevent it? For example, an attacker may obtain the Authorization Code