I have also read it and it looks good to me. It might be worth explicitly 
discussing how it relates to the older draft [1] (that we implemented at the 
time). That older draft also included a client_id parameter in the response, so 
it would be good to clarify if that is actually needed to prevent the attack or 
not.

[1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01

Kind regards,

Neil

> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen 
> <karsten.meyerzuselhau...@hackmanit.de> wrote:
> 
> Hi all,
> 
> The latest version of the security BCP references 
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
> 
> There have not been any concerns with the first WG draft version so far: 
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
> I would like to ask the WG if there are any comments on or concerns with the 
> current draft version.
> 
> Otherwise I hope we can move forward with the next steps and hopefully finish 
> the draft before/with the security BCP.
> 
> Best regards,
> Karsten
> 
> -- 
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:        +49 (0)234 / 54456499
> Web:  https://hackmanit.de | IT Security Consulting, 
> Penetration Testing, Security Training
> 
> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of 
> mix-up attacks? Learn how to protect your client in our latest blog post on 
> single sign-on:
> https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
> 
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
> 
> Register court: Amtsgericht Bochum, HRB 14896
> Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
> Christian Mainka, Dr. Marcus Niemietz
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
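The check the two drafts differ on, written out as an added example (not code from either poster or the draft): the client records the issuer it started the flow with and compares it with the iss parameter of the authorization response, and the client_id comparison from the older draft is included as an optional extra. All names and URLs are invented.

```python
# Added illustration of the client-side check in draft-ietf-oauth-iss-auth-resp
# (not code from either poster or the draft; all names and URLs are invented).
from dataclasses import dataclass
import secrets

class MixUpError(Exception): pass

@dataclass(frozen=True)
class PendingAuth:
    issuer: str     # issuer identifier of the AS the user agent was sent to
    client_id: str  # client_id this client uses at that AS

class Client:
    def __init__(self):
        self._pending = {}  # state -> PendingAuth

    def start(self, issuer, client_id):
        """Remember which AS the flow was started with, keyed by state."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = PendingAuth(issuer, client_id)
        return state

    def validate_response(self, params):
        """Run before the code is redeemed: 'iss' must equal the issuer the
        flow was started with; 'client_id' is compared only if the AS echoes
        it, as the older mix-up-mitigation draft had the AS do."""
        pending = self._pending.pop(params.get("state", ""), None)
        if pending is None:
            raise MixUpError("unknown or already used state")
        iss = params.get("iss")
        if iss is None:
            raise MixUpError("iss missing from authorization response")
        if iss != pending.issuer:  # exact comparison, no URL normalisation
            raise MixUpError("iss %r != expected %r" % (iss, pending.issuer))
        if "client_id" in params and params["client_id"] != pending.client_id:
            raise MixUpError("client_id does not match the one used at the AS")
        return pending

def demo():
    """Constructed flows: honest response accepted; mixed-up one rejected."""
    c = Client()
    st = c.start("https://as.honest.example", "cid-at-honest")
    ok = c.validate_response({"state": st, "code": "c1",
                              "iss": "https://as.honest.example"}).client_id
    # Mix-up: flow began at the attacker's AS, but the code comes from the honest AS.
    st = c.start("https://as.attacker.example", "cid-at-attacker")
    try:
        c.validate_response({"state": st, "code": "c2",
                             "iss": "https://as.honest.example"})
        return ok, False
    except MixUpError:
        return ok, True
```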
