Hi Rifaat, apologies for the delay.
We published a new draft addressing your comments. We changed Section 2.4, paragraph 3 to:
If clients interact with both authorization servers supporting this
specification and authorization servers not supporting this
specification, clients MUST store the information which authorization
server supports the iss parameter. Clients*MUST* reject authorization
responses without the iss parameter from authorization servers which
do support the parameter according to the client's configuration.
*Clients SHOULD discard authorization responses with the iss parameter
from authorization servers which do not indicate their support for the
parameter. However, there might be legitimate authorization servers
that provide the iss parameter without indicating their support in
their metadata. The decision of whether to accept such responses is
individual for every scenario and it is not in the scope of this
specification.*
Let us know if there is anything else we should work on. Best regards, Karsten On 26.09.2021 00:04, Rifaat Shekh-Yusef wrote:
Karsten, Daniel,Can you please address my comments in a new version of the draft to allow me to progress it?Regards, RifaatOn Mon, Sep 6, 2021 at 6:50 AM Karsten Meyer zu Selhausen <karsten.meyerzuselhau...@hackmanit.de <mailto:karsten.meyerzuselhau...@hackmanit.de>> wrote:Hi Rifaat, thank you for the shepherd's review. Those are valid comments. We will have a second look on this paragraph. Best regards, Karsten On 04.09.2021 16:20, Rifaat Shekh-Yusef wrote:Hi Karsten, Daniel, As the document shepherd, I have reviewed the document and I have the following comments on draft-ietf-oauth-iss-auth-resp-01 version: Section 2.4, paragraph 3, first sentence: "If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients SHOULD store the information which authorization server supports the "iss" parameter." Why is this a SHOULD? "Clients MUST reject authorization responses without the "iss" parameter from authorization servers which do support the parameter according to the client's configuration." What should the client do when it receives a response with "iss" parameter from an authorization server that did not indicate its support for this parameter? Section 7 RFC6479 should be replaced with *RFC6749* Regards, Rifaat _______________________________________________ OAuth mailing list OAuth@ietf.org <mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>-- Karsten Meyer zu SelhausenSenior IT Security Consultant Phone: +49 (0)234 / 54456499 Web: https://hackmanit.de <https://hackmanit.de> | IT Security Consulting, Penetration Testing, Security Training Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks <https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks> Hackmanit GmbH Universitätsstraße 60 (Exzenterhaus) 44789 Bochum Registergericht: Amtsgericht Bochum, HRB 14896 Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
-- Karsten Meyer zu Selhausen Senior IT Security Consultant Phone: +49 (0)234 / 54456499 Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks Hackmanit GmbH Universitätsstraße 60 (Exzenterhaus) 44789 Bochum Registergericht: Amtsgericht Bochum, HRB 14896 Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
