Re: [OAUTH-WG] WGLC for Browser-based Apps

2023-08-09 Thread Philippe De Ryck
In my opinion, this document is not ready to be published as an RFC. In fact, I will be at the OAuth Security Workshop in two weeks to discuss exactly this (See "The insecurity of OAuth 2.0 in frontends" here: https://oauth.secworkshop.events/osw2023/agenda-thursday). My hope is that my presen

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Matthias Fulz
I'm trying to explain my concern more deeply, please try to follow my thinking. First: Everything you've written is correct and I fully agree. But: The difference is: I'm deciding, that I'm using email from xy, I'm deciding, that I'm using this email to register at some site or anything. Any

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Warren Parad
Let me try that differently, is OAuth more vulnerable than email usage? If you hacked any email provider that's arguably a bigger goldmine than just ones protected by oauth. As long as sites are protected by email, oauth gives a more secure strategy. Most providers that accept email as authenticati

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Matthias Fulz
Thank you for the responses so far. On 8/9/23 22:20, Warren Parad wrote: I can tell you I definitely read it. I actually read it multiple times. But I don't know what to tell you. The problem you've identified exists, but that doesn't necessarily mean it is a problem. In a way it is a bit like

Re: [OAUTH-WG] Adhoc meeting at IETF 117 for anyone interested in attested Open-ID/Connect and Oauth2

2023-08-09 Thread Smith, Ned
Folks, We had a side-bar meeting at the IETF117 last week in San Francisco, regarding the possible use of OpenID-Connect/OAuth2.0 as a mechanism to deliver RATS-based device-attestation. The meeting was attended by about 15 people, mostly from the Identity community (folks who regularly attend

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread David Waite
From an OAuth perspective, there isn’t much here - I can’t log into GitHub or stack overflow with OAuth, I need extensions such as those provided by OpenID Connect (or something more bespoke in Github’s case). From a general standards perspective, this would be more implementation guidance for

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread Warren Parad
I can tell you I definitely read it. I actually read it multiple times. But I don't know what to tell you. The problem you've identified exists, but that doesn't necessarily mean it is a problem. In a way it is a bit like, You create a bank account at a bank and you give them all your money. They t

Re: [OAUTH-WG] OAuth Trust model

2023-08-09 Thread mfulz
Anyone read this topic or could tell if there is a better place to address this? Sent from Nine From: mfulz Sent: Sunday, 16 July 2023 03:38 To: oauth@ietf.org Subject: [OAUTH-WG] OAuth Trust model Hi Together, I was thinking

Re: [OAUTH-WG] [External Sender] Re: IETF OAuth WG Virtual Office Hours

2023-08-09 Thread George Fletcher
I will not make today’s meeting On Wed, Aug 9, 2023 at 11:33 AM Sanesh Narayanan < saneshnarayananin...@gmail.com> wrote: > Go ahead and start without me. > > sanesh chazhiyottil > ___ > OAuth mailing list > OAuth@ietf.org > > https://urldefense.com/v3/

Re: [OAUTH-WG] IETF OAuth WG Virtual Office Hours

2023-08-09 Thread Sanesh Narayanan
Go ahead and start without me. sanesh chazhiyottil ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth