[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-08.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : The OAuth 2.1 Authorization Framework
   Authors : Dick Hardt
             Aaron Parecki
             Torsten Lodderstedt
   Filename: draft-ietf-oauth-v2-1-08.txt
   Pages   : 88
   Date    : 2023-03-13

Abstract:
   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-08

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-13 Thread Pieter Kasselman
Hi folks, this updated version of the cross-device security BCP will be the 
basis for discussion in Yokohama. The draft was updated to:

1. Provide more granularity on different cross-device flow patterns
2. Include information on the limitations of some of the proposed mitigations 
(none of them are silver bullets and they are most effective when deployed as 
part of a defence-in-depth approach)
3. Updated and added additional use cases and exploit examples
4. Fixes for typos, grammar etc.

I also want to thank Aaron Parecki for helping us migrate the -00 draft to the
GitHub repository.

Cheers

Pieter

-----Original Message-----
From: OAuth On Behalf Of internet-dra...@ietf.org
Sent: Monday, March 13, 2023 6:29 PM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG 
of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-01.txt
   Pages   : 40
   Date    : 2023-03-13

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-13.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 for Browser-Based Apps
   Authors : Aaron Parecki
             David Waite
   Filename: draft-ietf-oauth-browser-based-apps-13.txt
   Pages   : 34
   Date    : 2023-03-13

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-13.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-13

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-01.txt
   Pages   : 40
   Date    : 2023-03-13

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-03.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Selective Disclosure for JWTs (SD-JWT)
   Authors : Daniel Fett
             Kristina Yasuda
             Brian Campbell
   Filename: draft-ietf-oauth-selective-disclosure-jwt-03.txt
   Pages   : 69
   Date    : 2023-03-13

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claims.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-selective-disclosure-jwt.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-03

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] React Native

2023-03-13 Thread juan diego jacobo hernandez



diego-d...@hotmail.com



[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-22.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Security Best Current Practice
   Authors : Torsten Lodderstedt
             John Bradley
             Andrey Labunets
             Daniel Fett
   Filename: draft-ietf-oauth-security-topics-22.txt
   Pages   : 60
   Date    : 2023-03-13

Abstract:
   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-22

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

