I recall +1’ing that idea in the chat. It’s an “updates” to 6819 at least.
— Justin

> On Apr 18, 2016, at 6:34 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Yeah, as I recall, there was at least some support around the idea of an "enhanced OAuth security" document.
>
> On Sun, Apr 17, 2016 at 2:46 AM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> Hi all,
>
> the security discussion started with mix up and cut and paste, but we had a much broader discussion including further issues, such as open redirector. I suggested merging all threats we are currently discussing into a single document in order to come up with a consolidated view on "enhanced OAuth security". This would at least include:
> - mix up
> - copy and paste
> - changed behavior of browsers regarding URL fragments
> - open redirector (AS and client)
> - (potentially) XSRF and advice on how to mitigate it using state
>
> I think that would help the working group to get an overview on ALL issues (including e.g. fragments) and _systematically_ improve OAuth. We did the same when we originally published the core spec - and it worked.
>
> I felt some consensus around the topic that in the end, there must be normative changes to the core protocol and the respective security considerations.
>
> Barry gave his advice regarding updates in this context.
>
> best regards,
> Torsten.
>
> > On 06.04.2016 at 19:43, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
> >
> > Leif was so nice to take meeting notes during the OAuth meeting today and they have been uploaded to:
> > https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth
> >
> > Please take a look at them and let me know if they are incorrect or need to be extended.
> >
> > Ciao
> > Hannes
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
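As an added example (not code from this thread or from any OAuth working group document), the state-based XSRF mitigation named in Torsten's list: a hypothetical client binds a fresh, unguessable `state` to the user's server-side session before redirecting to the AS and rejects any callback whose `state` is missing, replayed, or belongs to another session. The endpoint, client id and redirect URI are constructed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; not a real AS or client.
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/cb"

class ClientSession:
    """Server-side session of one browser user; the pending state lives here, not only in the URL."""
    def __init__(self):
        self.pending_state = None

def build_authorization_url(session):
    # Fresh, unguessable state from a CSPRNG, bound to this session before the redirect.
    state = secrets.token_urlsafe(16)
    session.pending_state = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def state_from_url(url):
    return parse_qs(urlparse(url).query).get("state", [None])[0]

def handle_callback(session, callback_url):
    """Return the code only if the callback's state matches the state bound to this session."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    expected = session.pending_state
    session.pending_state = None  # one-time use: a replayed callback must fail
    if expected is None or received is None:
        return None  # no flow pending, or state stripped from the request
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return None  # state belongs to someone else's flow (XSRF)
    return query.get("code", [None])[0]

def demo():
    """Legitimate flow, a replay of it, and a forged callback carrying another session's state."""
    victim = ClientSession()
    own_state = state_from_url(build_authorization_url(victim))
    legit = handle_callback(victim, f"{REDIRECT_URI}?code=good&state={own_state}")
    replay = handle_callback(victim, f"{REDIRECT_URI}?code=good&state={own_state}")
    victim2, attacker = ClientSession(), ClientSession()
    build_authorization_url(victim2)
    foreign_state = state_from_url(build_authorization_url(attacker))
    forged = handle_callback(victim2, f"{REDIRECT_URI}?code=evil&state={foreign_state}")
    return {"legit": legit, "replay": replay, "forged": forged}
```

Only the first callback yields a code; the replay and the callback carrying a foreign `state` are refused before any code is exchanged.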