Hi folks,

This was a super useful document. I thought all the examples and
delineations were very helpful in making a tough topic understandable.

A few comments/nits:

Links in this section
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-defending-against-cross-dev
don't point to the correct anchor/aren't processed.

In the Examples section (3.3) there were some inconsistencies:

- this section is "Cross-Device Session Transfer Pattern" rather than
"Session Transfer Pattern":
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-3.3.5
doing so makes it consistent with the other parenthesized pattern names,
which all refer to the specific pattern name used above.
- same issue with
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-3.3.7

In section 4.3, some of the parenthesized text doesn't tie back to the
patterns:
- this section:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-4.3.6
- this section:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-4.3.8

These are the only ones with the suffix "exploit"; everything else is a
"pattern".

Typo:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-5-5
has an upper-case S in "server" ("An authorization Server"); it should be
lowercase for consistency.

In this section,
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-mitigating-against-cross-de
I'd modify this sentence:
'End-users have "expertise elsewhere" and are typically not security
experts and don't understand the protocols and systems they interact with.'
to use commas
'End-users have "expertise elsewhere", are typically not security experts,
and don't understand the protocols and systems they interact with.'

In this section
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.1.1-2.3.1
I'd add that the shared network check breaks down if the consumption device
(TV) is on wifi and the authorization device (mobile phone) is on the
mobile network, a common situation.

In this section:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.1.1-1
when the doc suggests "There are a couple of ways to establish proximity",
is it worth being explicit that the authorization server is the entity that
is responsible for this? It is implied.

The mitigations section was great! I wondered if it made sense to break
mitigations out further between those that the authorization server can
implement (limited scopes, short lived tokens) and those that require work
across other systems (such as content filtering, trusted devices). An
alternative might be including that info in the table in 6.1.18.

This section has some extra hash marks:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-ietf-oauth-20-device-author
Saw the same with 6.2.2 and 6.2.3.

There are some busted internal anchor links here:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.3-6.2.1

Thanks,
Dan


On Tue, Jun 17, 2025 at 8:34 AM Pieter Kasselman <pie...@spirl.com> wrote:

> Dear chairs
>
> Thanks for the shepherd feedback on the Cross-Device Flows: Security Best
> Current Practice draft provided at IETF 122.
>
> The below draft includes updates to address the feedback received.
>
> Please advise on the next steps for this draft.
>
> Cheers
>
> Pieter
>
> On Tue, Jun 17, 2025 at 3:19 PM <internet-dra...@ietf.org> wrote:
>
>> Internet-Draft draft-ietf-oauth-cross-device-security-10.txt is now
>> available.
>> It is a work item of the Web Authorization Protocol (OAUTH) WG of the
>> IETF.
>>
>>    Title:   Cross-Device Flows: Security Best Current Practice
>>    Authors: Pieter Kasselmann
>>             Daniel Fett
>>             Filip Skokan
>>    Name:    draft-ietf-oauth-cross-device-security-10.txt
>>    Pages:   58
>>    Dates:   2025-06-17
>>
>> Abstract:
>>
>>    This document describes threats against cross-device flows along with
>>    practical mitigations, protocol selection guidance, and a summary of
>>    formal analysis results identified as relevant to the security of
>>    cross-device flows.  It serves as a security guide to system
>>    designers, architects, product managers, security specialists, fraud
>>    analysts and engineers implementing cross-device flows.
>>
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
>>
>> There is also an HTML version available at:
>>
>> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html
>>
>> A diff from the previous version is available at:
>>
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-10
>>
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>>
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
>>