Hi all, on February 19 I posted a note to the list asking the group to consider a call for adoption of either <draft-jones-oauth-mix-up-mitigation-01> or <draft-sakimura-oauth-meta-07>, see https://www.ietf.org/mail-archive/web/oauth/current/msg15829.html
I gave time till early March to think about this topic and there was a lot of feedback on the mailing list. Here are the key observations I made:

(1) Most folks argued that they wanted <draft-jones-oauth-mix-up-mitigation-01> as a starting point for a solution (*). There are, however, various issues that surfaced:

a) From the discussions I think the document needs to provide more information about the attack (in addition to the reference to the research paper).

b) William furthermore suggested changing the title of the document to have a more positive tone, namely to focus on the use case it supports rather than the attack it mitigates. I am open to suggestions for better document titles and abstracts.

c) Torsten argued that the code injection/copy-and-paste attack should go into a separate document (instead of covering both types of issues in the same document).

(2) There is some interest to explore a PKCE-based solution approach as well. I believe we should survey the landscape extensively and also consider this approach.

To acknowledge the work Nat has put into this topic with the work on <draft-sakimura-oauth-meta-07> and the discussion feedback, I would like to have him participate in the work on the working group item as a co-author.

I would like to already now thank those who have spent time and energy in exploring this topic. Big thanks also go to Roland, Brian and Hans for their prototyping efforts.

Ciao
Hannes

PS: During the discussion some other issues surfaced, such as associating the access tokens with a specific audience, and this is a topic we will have to cover separately.