Hi Denis, thanks for your feedback regarding the scope.
The scope for this document is limited to the specifications we develop in the IETF OAuth working group. OpenID Connect, UMA, or other specifications need to be dealt with in other SDOs. The document only represents a starting point for work and hence various attacks, such as the ABC attack you mentioned, can be incorporated in future versions of the document.

Ciao
Hannes

On 02/06/2017 01:30 PM, Denis wrote:
>
> The scope of this draft is unclear. The title states: "OAuth Security Topics".
>
> I have some questions:
>
> * Does this document intend to cover only the OAuth 2.0 delegation protocol (since Justin said that OAuth 2.0 is a delegation protocol) or OpenID Connect as well, which is not limited to a delegation protocol?
> * Should we discuss OpenID Connect issues and/or solutions in an IETF RFC?
>
> If this document is going to be progressed, the threats should be clearly separated whether they relate to a delegation model or to a client-server access control model. This is not currently the case.
>
> If this document is going to be progressed, the ABC attack (in the context of an access control model) should be mentioned even if there exists no way to counter it given the current implicit assumptions made in OAuth 2.0, in particular the use of software only implementations.
>
> Denis
>
>> A belated +1
>>
>> On Sat, Feb 4, 2017, 9:08 AM Jim Manico <[email protected]> wrote:
>>
>> I'm just some random idiot and am not in this working group but the work from https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 is one of the most up to date and useful OAuth security resources ever published. I am thrilled to see more work put into it.
>>
>> Aloha, Jim
>>
>> On 2/3/17 1:57 PM, William Denniss wrote:
>>> I support the adoption of this document as a working group item.
>>>
>>> On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <[email protected]> wrote:
>>>
>>> +1
>>> I agree this is needed.
>>>
>>> --
>>> -jim
>>> Jim Willeke
>>>
>>> On Thu, Feb 2, 2017 at 4:33 PM, John Bradley <[email protected]> wrote:
>>>
>>> I am in favour of adoption.
>>>
>>> > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig <[email protected]> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > this is the call for adoption of the 'OAuth Security Topics' document following the positive call for adoption at the last IETF meeting in Seoul.
>>> >
>>> > Here is the document:
>>> >
>>> > https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>>> >
>>> > The intention with this document is to have a place to collect discussions and conclusions around OAuth 2.0 security and to reference the actual solution specifications.
>>> >
>>> > Please let us know by Feb 16th whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.
>>> >
>>> > Ciao
>>> > Hannes & Derek
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > [email protected]
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>
>> --
>> Jim Manico
>> Manicode Security
>> https://www.manicode.com
>>
>> --
>>
>> Nat Sakimura
>>
>> Chairman of the Board, OpenID Foundation
