Perhaps this draft could be marked as replacing
draft-ietf-oauth-mix-up-mitigation (I think the chairs have the tools to do
that) so that the datatracker somewhat reflects the history?

Some discussion in the draft itself might be helpful to a subset of readers
interested or knowledgeable about the history.  But I suspect that it'd
just be noise for the majority of readers.

On Mon, May 10, 2021 at 7:26 AM Daniel Fett <f...@danielfett.de> wrote:

> Hi Neil,
>
> I'm not sure - maybe others can chime in here as well - if a discussion
> relating to an expired previous draft is something one would expect in the
> spec.
>
> For the record, the client_id does not provide any additional security.
> The key to mitigating Mix-Up is that the "honest AS" ensures that the code
> issued at its token endpoint is sent to the honest IdP's token endpoint,
> and not to the attacker IdP's token endpoint. This is ensured by the iss
> parameter. The client_id would maybe be relevant if the honest AS sends
> different issuer values for different client_ids - I have not heard of such
> a constellation. I'm not sure why the client_id was included in the
> previous draft.
>
> -Daniel
>
>
> Am 10.05.21 um 14:57 schrieb Neil Madden:
>
> I have also read it and it looks good to me. It might be worth explicitly
> discussing how it relates to the older draft [1] (that we implemented at
> the time). That older draft also included a client_id parameter in the
> response, so it would be good to clarify if that is actually needed to
> prevent the attack or not.
>
> [1]:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>
>
> Kind regards,
>
> Neil
>
> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen <
> karsten.meyerzuselhau...@hackmanit.de> wrote:
>
> Hi all,
>
> The latest version of the security BCP references
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>
> There have not been any concerns with the first WG draft version so far:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>
> I would like to ask the WG if there are any comments on or concerns with
> the current draft version.
>
> Otherwise I hope we can move forward with the next steps and hopefully
> finish the draft before/with the security BCP.
>
> Best regards,
> Karsten
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone:        +49 (0)234 / 54456499
> Web:  https://hackmanit.de | IT Security Consulting, Penetration Testing, 
> Security Training
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- https://danielfett.de
>

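A client-side check of the kind Daniel describes above, written here as an added example (not code from the thread, the draft, or any of the participants): the client records which AS each authorization request was sent to, keyed by state, and on the redirect back releases the code only if the response's iss is exactly that issuer, and only to that issuer's token endpoint. The issuer identifiers and endpoints are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (hypothetical issuers): the ASes this client is configured
# for, keyed by issuer identifier, with the token endpoint a code may be sent to.
AS_REGISTRY = {
    "https://honest-as.example": "https://honest-as.example/token",
    "https://attacker-as.example": "https://attacker-as.example/token",
}

class AuthorizationResponseError(Exception):
    pass

def start_flow(pending, state, issuer):
    """Record which AS this authorization request was sent to, keyed by state."""
    if issuer not in AS_REGISTRY:
        raise ValueError("unknown issuer")
    pending[state] = issuer

def _single(params, name):
    """Return the parameter's value, None if absent; reject duplicated parameters."""
    values = params.get(name)
    if values is not None and len(values) != 1:
        raise AuthorizationResponseError(f"parameter {name!r} must appear exactly once")
    return values[0] if values else None

def validate_authorization_response(pending, redirect_url):
    """Check iss on an authorization response; return (code, token_endpoint) to use.

    iss must equal (exact string comparison) the issuer this flow was started with,
    looked up via state. Only then is the code released, and only to that issuer's
    token endpoint, so a mixed-up response from another AS is rejected here.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    state = _single(params, "state")
    expected_issuer = pending.pop(state, None) if state else None
    if expected_issuer is None:
        raise AuthorizationResponseError("unknown or missing state")
    iss = _single(params, "iss")
    if iss is None:
        raise AuthorizationResponseError("iss parameter missing")
    if iss != expected_issuer:
        raise AuthorizationResponseError(f"issuer mismatch: expected {expected_issuer!r}, got {iss!r}")
    if _single(params, "error") is not None:
        raise AuthorizationResponseError("authorization server returned an error")
    code = _single(params, "code")
    if not code:
        raise AuthorizationResponseError("code missing")
    return code, AS_REGISTRY[expected_issuer]
```

Note that no client_id is consulted: the binding of the code to the right token endpoint comes entirely from state plus iss, matching Daniel's point.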