Hi Neil,

I'm not sure - maybe others can chime in here as well - if a discussion
relating to an expired previous draft is something one would expect in
the spec.

For the record, the client_id does not provide any additional security.
The key to mitigating Mix-Up is that the "honest AS" ensures that the
code issued at its token endpoint is sent to the honest IdP's token
endpoint, and not to the attacker IdP's token endpoint. This is ensured
by the iss parameter. The client_id would maybe be relevant if the
honest AS sends different issuer values for different client_ids - I
have not heard of such a constellation. I'm not sure why the client_id
was included in the previous draft.

-Daniel


Am 10.05.21 um 14:57 schrieb Neil Madden:
> I have also read it and it looks good to me. It might be worth
> explicitly discussing how it relates to the older draft [1] (that we
> implemented at the time). That older draft also included a client_id
> parameter in the response, so it would be good to clarify if that is
> actually needed to prevent the attack or not.
>
> [1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>
> Kind regards,
>
> Neil
>
>> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen
>> <[email protected]> wrote:
>>
>> Hi all,
>>
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>
>> There have not been any concerns with the first WG draft version so
>> far: https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or concerns
>> with the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and
>> hopefully finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>
>> -- 
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:       +49 (0)234 / 54456499
>> Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, 
>> Security Training
>>
>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of 
>> mix-up attacks? Learn how to protect your client in our latest blog post on 
>> single sign-on:
>> https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>>
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>>
>> Registergericht: Amtsgericht Bochum, HRB 14896
>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
>> Christian Mainka, Dr. Marcus Niemietz
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
https://danielfett.de
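To make Daniel's point concrete, here is an added example (not code from the thread, the draft, or any of the participants) of the client-side check the iss parameter enables. The client remembers which issuer it started the flow with, keyed by state, and when the authorization response arrives it compares the iss value against that stored issuer before it touches the code. The token endpoint is then resolved from the issuer the client chose, never from anything in the response. The issuer URLs, the token endpoints and the redirect URLs below are constructed sample values; in a mix-up attempt the user was sent to the honest AS while the client believed the flow belonged to the attacker AS, so the iss in the honest AS's response does not match the stored issuer and the code is dropped instead of being posted to the attacker's token endpoint.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample issuer metadata: issuer identifier -> token endpoint.
# A real client would take these from each AS's discovery document.
ISSUERS = {
    "https://honest-as.example": {"token_endpoint": "https://honest-as.example/token"},
    "https://attacker-as.example": {"token_endpoint": "https://attacker-as.example/token"},
}


@dataclass
class PendingAuth:
    """What the client stored when it started the flow, keyed by state."""
    state: str
    issuer: str  # the AS the user selected when the flow began


class MixUpError(Exception):
    """Raised when an authorization response must not be accepted."""


def check_auth_response(redirect_url: str, pending: dict[str, PendingAuth]) -> tuple[str, str]:
    """Validate an authorization response carrying the iss parameter.

    Returns (code, token_endpoint) only when the iss value matches the issuer
    the client bound to this state at the start of the flow.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}

    state = params.get("state")
    if state is None or state not in pending:
        raise MixUpError("unknown or missing state")
    expected = pending[state]

    iss = params.get("iss")
    if iss is None:
        # A client that requires iss rejects responses without it outright.
        raise MixUpError("iss parameter missing from authorization response")
    if iss != expected.issuer:
        # This is the mix-up case: the response came from a different AS than
        # the one this flow was started with, so the code must not be redeemed.
        raise MixUpError(f"iss {iss!r} does not match expected issuer {expected.issuer!r}")

    code = params.get("code")
    if code is None:
        raise MixUpError("code missing from authorization response")

    # Resolve the token endpoint from the issuer the client chose, never from
    # the response, so the code can only ever go to that issuer's endpoint.
    return code, ISSUERS[expected.issuer]["token_endpoint"]


def demo() -> dict[str, str]:
    """Run a legitimate response and a mix-up response through the check."""
    pending = {
        "s1": PendingAuth("s1", "https://honest-as.example"),
        "s2": PendingAuth("s2", "https://attacker-as.example"),
    }
    results = {}

    # Legitimate flow: started with the honest AS, response from the honest AS.
    _, endpoint = check_auth_response(
        "https://client.example/cb?code=abc123&state=s1&iss=https%3A%2F%2Fhonest-as.example",
        pending,
    )
    results["legitimate"] = endpoint

    # Mix-up: flow started with the attacker AS (state s2), but the user was
    # redirected to the honest AS, whose response says iss=honest-as.
    try:
        check_auth_response(
            "https://client.example/cb?code=def456&state=s2&iss=https%3A%2F%2Fhonest-as.example",
            pending,
        )
        results["mixup"] = "accepted"
    except MixUpError:
        results["mixup"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of keeping the state-to-issuer binding on the client side is that the decision about where to send the code never depends on data the attacker can influence; the iss parameter only supplies the value to compare against. Note that adding a client_id to the response would not change this check, which is why the comparison above involves only the issuer.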

