I'd definitely prefer a single solution document to many little ones that have to be combined to actually build a secure solution. It's already getting complex with the additional specs that have been added.

Additionally, I'm not against working on OAuth 2.1.

Thanks,
George

On 4/6/16 2:06 PM, Phil Hunt (IDM) wrote:
Existing implementations are for the large part ok and do not need these 
mitigations.

Only the new use cases we have been discussing (configure on the fly and 
multi-as, etc) really need mitigation.

The updated by approach seems like a good way to address the new cases.

Phil

On Apr 6, 2016, at 14:35, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

Hi all,

Today we discussed the OAuth Authorization Server Mixup draft. We were
wondering what types of threats the document should find solutions for.

We discussed various document handling approaches including
* OAuth Mix-Up and Cut-and-Paste attacks documented in separate
solution documents
* combined solution document covering the OAuth Mix-Up and the
Cut-and-Paste attacks.

Barry pointed out that these documents could update the OAuth base
specification.

As a more radical change it was also suggested to revise RFC 6749 "OAuth
2.0 Authorization Framework" and RFC 6819 "OAuth 2.0 Threat Model and
Security Considerations".

Opening up the OAuth base specification obviously raises various other
questions about cleaning up parts that go far beyond the AS mix-up and
the cut-and-paste attacks. Other specifications, such as the Open
Redirector, could be folded into such a new specification.

Derek and I would appreciate your input on this topic before we make a
decision since it has significant impact on our work.

Ciao
Hannes & Derek


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth