Hi Pieter,

I won't be able to attend IETF 116, so I ask my short question here:

Why is there a difference between step (D) in Figure 1 (user transferred pattern) and steps (D) + (E) in Figure 2 (client transferred pattern)?

Shouldn't the user authenticate to the authorization server and then grant the authorization in both patterns?


FYI: I also created a PR <https://github.com/oauth-wg/oauth-cross-device-security/pull/38> with some typo fixes and minor suggestions.

Best regards,
Karsten

On 13.03.2023 21:24, Pieter Kasselman wrote:
Hi folks, this updated version of the cross-device security BCP will be the 
basis for discussion in Yokohama. The draft was updated to:

1. Provide more granularity on different cross-device flow patterns
2. Include information on the limitations of some of the proposed mitigations 
(none of them are silver bullets and they are most effective when deployed as 
part of a defence-in-depth approach)
3. Updated and added additional use cases and exploit examples
4. Fixes for typos, grammar etc.

I also want to thank Aaron Parecki for helping us migrate the -00 draft to the 
Github repository.

Cheers

Pieter

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of internet-dra...@ietf.org
Sent: Monday, March 13, 2023 6:29 PM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG 
of the IETF.

    Title           : Cross-Device Flows: Security Best Current Practice
    Authors         : Pieter Kasselman
                      Daniel Fett
                      Filip Skokan
    Filename        : draft-ietf-oauth-cross-device-security-01.txt
    Pages           : 40
    Date            : 2023-03-13

Abstract:
    This document describes threats against cross-device flows along with
    near term mitigations, protocol selection guidance and the analytical
    tools needed to evaluate the effectiveness of these mitigations.  It
    serves as a security guide to system designers, architects, product
    managers, security specialists, fraud analysts and engineers
    implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:  +49 (0)234 / 54456499
Web:    https://hackmanit.de  | IT Security Consulting, Penetration Testing, 
Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of 
RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Register court: Amtsgericht Bochum, HRB 14896
Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
Christian Mainka, Prof. Dr. Marcus Niemietz
