Hi all,
We updated the cross-device security BCP based on guidance received at IETF 117
as well as input during the OAuth Security Workshop (OSW) 2023. The additions
include:
1. Introduction of normative SHOULD, RECOMMENDED and MAY when applied to
actions the Authorization Server, Resource Server or Client may implement as
discussed at IETF 117.
2. Added Cross-Device Session Transfer pattern based on input received at OSW
2023.
3. Added two additional mitigations:
a) User Education as a standalone mitigation.
b) Request Binding with Out-of-Band Data.
4. Added additional examples based on attacks observed in the wild.
5. Renamed "Authenticated Flow" to the more descriptive
"Authenticate-then-Initiate".
6. Adopted OpenID Foundation terminology from CIBA, using Consumption Device
instead of Initiating Device.
7. Added acknowledgements to recognise contributions from Maryam Mehrnezhad,
Marco Pernpruner and Giada Sciarretta.
8. Editorial updates.
Apologies for the two quick releases in succession. There was a formatting
issue in the -03 version that resulted in the document history not showing
correctly, prompting an update to the -04 version.
Cheers
Pieter
-----Original Message-----
From: OAuth <[email protected]> On Behalf Of [email protected]
Sent: Sunday, October 22, 2023 9:00 PM
To: [email protected]
Cc: [email protected]
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt
Internet-Draft draft-ietf-oauth-cross-device-security-04.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
Title: Cross-Device Flows: Security Best Current Practice
Authors: Pieter Kasselman
Daniel Fett
Filip Skokan
Name: draft-ietf-oauth-cross-device-security-04.txt
Pages: 53
Dates: 2023-10-22
Abstract:
This document describes threats against cross-device flows along with
near term mitigations, protocol selection guidance, and the
analytical tools needed to evaluate the effectiveness of these
mitigations. It serves as a security guide to system designers,
architects, product managers, security specialists, fraud analysts
and engineers implementing cross-device flows.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-04.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-04
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth