Re: [OAUTH-WG] Downgrade attacks on PKCE

2020-05-31 Thread Filip Skokan
I also have #2 in place since ages like others have, or are about to. It just made sense to me to have it that way based on PKCE Section 4.4. The challenge and method are bound to the code to be verified later. When the server issues the authorization code in the authorization response, it

Re: [OAUTH-WG] Downgrade attacks on PKCE

2020-05-31 Thread Ryan Kelly
On Sat, 30 May 2020 at 17:59, Daniel Fett wrote: > Aaron, Dick, Torsten and I today discussed the downgrade attacks on PKCE > [1] and how to mitigate them in OAuth 2.1 and 2.0. We came to the > conclusion that we have two options: > [..snip..] > *2. "Dynamic" Solution* > > Each AS that supports P

[OAUTH-WG] [Errata Rejected] RFC7800 (6195)

2020-05-31 Thread RFC Errata System
The following errata report has been rejected for RFC7800, "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)". -- You may review the report below and at: https://www.rfc-editor.org/errata/eid6195 -- Status: Reject

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

2020-05-31 Thread Benjamin Kaduk
On Sun, May 31, 2020 at 12:58:54PM -0500, Pete Resnick wrote: > On 31 May 2020, at 12:47, Barry Leiba wrote: > > >> But > >> https://www.ietf.org/about/groups/iesg/statements/processing-rfc-errata/, > >> in particular: > >> > >> Only errors that could cause implementation or deployment problems

Re: [OAUTH-WG] [Technical Errata Reported] RFC7636 (6179)

2020-05-31 Thread Rifaat Shekh-Yusef
Nat, John, Do you guys have any thoughts on this errata? Regards, Rifaat On Sat, May 23, 2020 at 4:25 PM Benjamin Kaduk wrote: > Authors, WG, any comments? > > Right now the likely dispositions seem to me to be Editorial/HFDU or > Rejected; the text is noting that salting is not used and att

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

2020-05-31 Thread Pete Resnick
On 31 May 2020, at 12:47, Barry Leiba wrote: But https://www.ietf.org/about/groups/iesg/statements/processing-rfc-errata/, in particular: Only errors that could cause implementation or deployment problems or significant confusion should be Verified. Things that are clearly wrong but could no

Re: [OAUTH-WG] [Errata Verified] RFC7800 (6187)

2020-05-31 Thread Barry Leiba
> But https://www.ietf.org/about/groups/iesg/statements/processing-rfc-errata/, > in particular: > > Only errors that could cause implementation or deployment problems or > significant confusion should be Verified. > Things that are clearly wrong but could not cause an implementation or > deploy

Re: [OAUTH-WG] Virtual OAuth Security Workshop 2020, July 21-24

2020-05-31 Thread Daniel Fett
Hi all, I hope that many of you can make it to the virtual OSW! While the official call is closed, we can easily fit some more tutorials/workshops or talks into the schedule. If you are interested in hosting a session, please contact me. Finding good start and end times for an event with participan

[OAUTH-WG] Virtual OAuth Security Workshop 2020, July 21-24

2020-05-31 Thread Daniel Fett
Website: https://osw2020.com/ Registration: https://barcamptools.eu/oauth-security-workshop-2020/ Twitter: https://twitter.com/secworkshop The OAuth Security Workshop 2020 will be held as a virtual event on July 21 to 24. As Zoom Fatigue is a real thing, the workshop will be spread over four days

[OAUTH-WG] To the authors of jwsreq/JAR

2020-05-31 Thread Dominick Baier
Hi, We had asked a couple of questions over the last weeks regarding details of the JAR spec. Not a single response from the spec authors. We are in the process of implementing JAR and about to release the software. We need some clarifications and I am confused that we did not get any response.