Hi all,

A bit of background on the document: https://datatracker.ietf.org/doc/html/draft-wuertele-oauth-security-topics-update

We recently discussed this in the WG Interim Meeting on Sept 29 (Slides [1], Video [2], Minutes [3]), following earlier discussions at IETF 122 & 123.

The draft currently documents three attacks that can lead to unauthorized access/account takeover:
Regarding the document management process (if adopted), the current rough “consensus” is to eventually have it coexist with (rather than replace) the published Security BCP - RFC9700 [14], under BCP 240: https://datatracker.ietf.org/doc/bcp240/

Thank you,

[2] https://youtu.be/OlWq0aFn6Fo
[4] https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/
[5] https://openid.net/specs/openid-connect-core-1_0-36.html
[6] https://bitbucket.org/openid/fapi/pull-requests/522/
[7] https://eprint.iacr.org/2025/629
[8] https://openid.net/notice-of-a-security-vulnerability/
[9] https://youtu.be/0Bw2YCDypUY?t=2743
[10] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36019
[11] https://www.usenix.org/conference/usenixsecurity25/presentation/luo-kaixuan
[14] https://datatracker.ietf.org/doc/html/rfc9700

On 2025/10/3, 19:01, "Rifaat Shekh-Yusef via Datatracker" <[email protected]> wrote:

Subject: Call for adoption: draft-wuertele-oauth-security-topics-update-02 (Ends 2025-10-17)

This message starts a 2-week Call for Adoption for this document.

Abstract:
This document updates the set of best current security practices for OAuth 2.0 by extending the security advice given in RFC 6749, RFC 6750, and RFC 9700, to cover new threats that have been discovered since the former documents have been published.

File can be retrieved from:

Please reply to this message keeping [email protected] in copy by indicating whether you support or not the adoption of this draft as a WG document. Comments to motivate your preference are highly appreciated.

Authors, and WG participants in general, are reminded of the Intellectual Property Rights (IPR) disclosure obligations described in BCP 79 [2]. Appropriate IPR disclosures required for full conformance with the provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any. Sanctions available for application to violators of IETF IPR Policy can be found at [3].

Thank you.
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
