Thanks Karsten, I have seen implementations of the client transferred pattern
where the user is not required to authenticate, they just have to
provide approval (in effect possession/control of the device is considered
sufficient), so I wrote the scenario focused on providing authorization.
However it is a good point to add the authentication step, along with
recommendations on the benefits of that step as well. I opened an issue to
clarify (see "Add clarification that authentication may be required prior to
authorization for the client initiated pattern", Issue #39,
oauth-wg/oauth-cross-device-security:
https://github.com/oauth-wg/oauth-cross-device-security/issues/39)

Thanks for taking the time to read the draft and provide feedback.

Cheers

Pieter

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Karsten Meyer zu Selhausen
Sent: Tuesday, March 14, 2023 10:21 AM
To: Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org>; 
oauth@ietf.org; i-d-annou...@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: 
draft-ietf-oauth-cross-device-security-01.txt
Hi Pieter,

I won't be able to attend IETF 116, so I ask my short question here:

Why is there a difference between step (D) in Figure 1 (user transferred 
pattern) and steps (D) + (E) in Figure 2 (client transferred pattern)?

Shouldn't the user authenticate to the authorization server and then grant the 
authorization in both patterns?


FYI: I also created a PR <https://github.com/oauth-wg/oauth-cross-device-security/pull/38>
with some typo fixes and minor suggestions.

Best regards,
Karsten
On 13.03.2023 21:24, Pieter Kasselman wrote:

Hi folks, this updated version of the cross-device security BCP will be the 
basis for discussion in Yokohama. The draft was updated to:


1. Provide more granularity on different cross-device flow patterns
2. Include information on the limitations of some of the proposed mitigations
   (none of them are silver bullets and they are most effective when deployed as
   part of a defence-in-depth approach)
3. Updated and added additional use cases and exploit examples
4. Fixes for typos, grammar etc.

I also want to thank Aaron Parecki for helping us migrate the -00 draft to the
Github repository.

Cheers

Pieter

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of internet-dra...@ietf.org
Sent: Monday, March 13, 2023 6:29 PM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG
of the IETF.

   Title           : Cross-Device Flows: Security Best Current Practice
   Authors         : Pieter Kasselman
                     Daniel Fett
                     Filip Skokan
   Filename        : draft-ietf-oauth-cross-device-security-01.txt
   Pages           : 40
   Date            : 2023-03-13

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
Karsten Meyer zu Selhausen
Senior IT Security Consultant

Phone:  +49 (0)234 / 54456499
Web:    https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of
RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Register court: Amtsgericht Bochum, HRB 14896
Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr.
Christian Mainka, Prof. Dr. Marcus Niemietz