Hi all, on February 19 I posted a note to the list asking the group to consider a call for adoption of either <draft-jones-oauth-mix-up-mitigation-01> or <draft-sakimura-oauth-meta-07>, see https://www.ietf.org/mail-archive/web/oauth/current/msg15829.html
I gave time till early March to think about this topic and there was a
lot of feedback on the mailing list.
Here are key observations I made:
(1) Most folks argued that they wanted
<draft-jones-oauth-mix-up-mitigation-01> as a starting point for a
solution (*).
There are, however, various issues that surfaced:
a) From the discussions I think the document needs to provide more
information about the attack (in addition to the reference to the
research paper).
b) William furthermore suggested to change the title of the document
to have a more positive tone, namely to focus on the use case it support
rather than the attack it mitigates. I am open to suggestions to hear
better document titles and abstracts.
c) Torsten argued that the code injection/copy and paste attack
should go into a separate document (instead of covering both type of
issues in the same document).
(2) There is some interest to explore a PKCE-based solution approach as
well. I believe we should survey the landscape extensively and also
consider this approach.
To acknowledge the work Nat has put into this topic with the work on
<draft-sakimura-oauth-meta-07> and the discussion feedback I would like
to have him participate in the work of the working group item as a
co-author.
I would like to already now thank those who had spent time and energy in
exploring this topic. Big thanks also go to Roland, Brian and Hans for
their prototyping efforts.
Ciao
Hannes
PS: During the discussion some other issues surface, such as associating
the access tokens with a specific audience, and this is a topic we will
have to cover separately.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
