Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Jim Manico
If you plan on adding these web layer security suggestions into the OAuth standard I can think of 100-200 more requirements to add. I thought “do web security right” was an implied recommendation? -- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805 > On Mar 20, 2018, at 5:37 AM, B

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Brian Campbell
The strict redirect_uri matching, referrer-policy headers, and appending a dummy fragment on error redirects are things that protect from token leakage/interception resulting from redirection on error, which is the threat in section 2.2 of -closing-redirectors-00

[OAUTH-WG] Review of oauth-mtls-07

2018-03-20 Thread Justin Richer
As promised in yesterday’s meeting, here’s my review of the oauth-mtls draft. We’ve recently implemented the spec from the AS and RS side for an as-yet-unreleased version of the Authlete service, and overall it’s in really good shape and very implementable as it stands today. Great work, and usa

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Torsten Lodderstedt
Hi Brian, > Am 20.03.2018 um 15:37 schrieb Brian Campbell : > > +1 to what Travis said about 3.8.1 > > The text in 3.8 about Open Redirection is new in this most recent -05 version > of the draft so this is really the first time it's been reviewed. I believe > 3.8.1 goes too far in saying "th

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Brian Campbell
+1 to what Travis said about 3.8.1 The text in 3.8 about Open Redirection is new in this most recent -05 version of the draft so this is really the first time it's been reviewed. I believe 3.8.1 goes too far in saying "this draft recommends that every invalid authorization request MUST NOT automat

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-20 Thread Travis Spencer
I read through this doc and would like to share a bit of feedback in hopes that it helps: * There is no mention of Content Security Policy (CSP). This is a very helpful security mechanism that all OAuth servers and web-based clients should implement. I think this needs to be addressed in this doc.

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

2018-03-20 Thread Brian Campbell
I talked with Justin briefly yesterday after the meeting and he pointed out that the document is currently rather ambiguous about whether or not the base64 pad "=" character is to be used on the encoding of "x5t#S256" member. The intent was that padding be omitted and I'll take it as a WGLC comment