Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-20 Thread Brian Campbell
Thanks Karsten,

That's moving in the right direction. But I think the last sentence is
still too strong and maybe prone to misunderstanding given it's not 100%
obvious in the JARM case what exactly constitutes an authorization response
parameter.

I'd say the last sentence could just be dropped altogether. Or maybe
changed to something like this, "Therefore, an additional iss parameter
outside the JWT is unneeded when JARM is used."


On Wed, May 19, 2021 at 12:45 AM Karsten Meyer zu Selhausen <
karsten.meyerzuselhau...@hackmanit.de> wrote:

> Hi Brian,
>
> thank you for your feedback.
>
> I agree that the language is too strong here. What do you think about this
> new note?
>
> Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] defines a mechanism that conveys all authorization response
> parameters in a JWT. This JWT contains an iss claim that provides the same
> protection if it is validated as described in Section 2.4. Therefore, an
> additional iss authorization response parameter as defined by this document
> MUST NOT be used when JARM is used.
>
> Best regards,
> Karsten
> On 15.05.2021 00:35, Brian Campbell wrote:
>
> Overall it looks pretty good to me.
> One little nit is that I don't love this text from the end of sec 2.4 that
> talks about JARM:
>
> 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] forbids the use of additional parameters in the authorization
> response. Therefore, the iss parameter MUST NOT be used when JARM is used.
> However, JARM responses contain an iss claim that provides the same
> protection if it is validated as described in Section 2.4.'
>
> JARM doesn't exactly forbid additional parameters but rather just wraps up
> all the authorization response parameters as claims in a JWT which is
> itself sent as a single form/query/fragment parameter. So really the iss
> authorization response parameter of this draft is still sent as a claim of
> the JARM JWT. It just happens to be the same as the iss claim value that
> JARM is already including.
>
> On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef 
> wrote:
>
>> All,
>>
>> We have not seen any comments on this document.
>> Can you please review the document and provide feedback, or indicate that
>> you have reviewed the document and have no concerns.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>>
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
>> karsten.meyerzuselhau...@hackmanit.de> wrote:
>>
>>> Hi all,
>>>
>>> the latest version of the security BCP references
>>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>>
>>> There have not been any concerns with the first WG draft version so far:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>>
>>> I would like to ask the WG if there are any comments on or concerns with
>>> the current draft version.
>>>
>>> Otherwise I hope we can move forward with the next steps and hopefully
>>> finish the draft before/with the security BCP.
>>>
>>> Best regards,
>>> Karsten
>>>
>>> --
>>> Karsten Meyer zu Selhausen
>>> Senior IT Security Consultant
>>> Phone:  +49 (0)234 / 54456499
>>> Web:https://hackmanit.de | IT Security Consulting, Penetration 
>>> Testing, Security Training
>>>
>>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of 
>>> mix-up attacks? Learn how to protect your client in our latest blog post on 
>>> single 
>>> sign-on:https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>>>
>>> Hackmanit GmbH
>>> Universitätsstraße 60 (Exzenterhaus)
>>> 44789 Bochum
>>>
>>> Registergericht: Amtsgericht Bochum, HRB 14896
>>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
>>> Christian Mainka, Dr. Marcus Niemietz
>>>
>>> ___
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>
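The point Brian makes above, that under JARM the issuer travels as a claim inside the response JWT while in a plain response it is a top-level parameter, is easiest to see in a client-side check. The following is an added example and not code from the thread, the draft, or JARM itself. Every identifier in it is constructed (the client_id, the two issuer URLs, the code and state values, and the `JARM_KEYS` table that stands in for keys loaded from each AS's metadata); it uses HS256 with a shared secret so it runs offline, whereas real JARM responses are normally signed with an asymmetric key and verified against the AS's published JWKS. The key design point is the same in both branches: the issuer the client compares against comes from its own per-flow state, recorded when the flow was started, never from the response.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed identifiers for this example.
CLIENT_ID = "s6BhdRkqt3"
HONEST_AS = "https://honest.example/as"   # issuer the client started the flow at
EVIL_AS = "https://attacker.example/as"   # attacker-controlled AS in a mix-up attack

# JARM verification key per issuer, looked up by the issuer the client EXPECTS.
# HS256 with a shared secret keeps this self-contained; real JARM responses are
# usually RS256/ES256 and verified against the AS's published JWKS.
JARM_KEYS = {HONEST_AS: b"honest-as-hs256-key", EVIL_AS: b"attacker-hs256-key"}


class AuthResponseError(Exception):
    """The authorization response must not be consumed."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jarm_jwt(claims: dict, key: bytes) -> str:
    """Issue a JARM response JWT (HS256); used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jarm_jwt(jwt: str, key: bytes) -> dict:
    """Check signature, aud and exp of a JARM JWT and return its claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise AuthResponseError("malformed JARM JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise AuthResponseError("unexpected alg")  # no alg=none, no alg confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthResponseError("bad JARM signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != CLIENT_ID:
        raise AuthResponseError("aud mismatch")
    if claims.get("exp", 0) < time.time():
        raise AuthResponseError("JARM JWT expired")
    return claims


def validate_authorization_response(redirect_url: str, expected_iss: str, expected_state: str) -> str:
    """Return the code only if the response came from the issuer the flow started at."""
    # expected_iss is taken from the client's own per-flow state (bound to `state`),
    # never from the response itself, otherwise the check would be circular.
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if "response" in params:
        # JARM: every response parameter, iss included, is a claim inside the JWT,
        # so there is no separate top-level iss parameter to look for.
        claims = verify_jarm_jwt(params["response"], JARM_KEYS[expected_iss])
    else:
        claims = params  # plain response: iss is a top-level parameter; require it
        if "iss" not in claims:
            raise AuthResponseError("iss parameter missing")
    if claims.get("iss") != expected_iss:
        raise AuthResponseError(f"issuer mismatch: got {claims.get('iss')!r}")
    if claims.get("state") != expected_state:
        raise AuthResponseError("state mismatch")
    if "code" not in claims:
        raise AuthResponseError(f"no code in response: {claims.get('error', 'unknown')}")
    return claims["code"]


def outcome(url: str, expected_iss: str, state: str) -> str:
    """'code:<code>' if accepted, 'rejected:<reason>' otherwise."""
    try:
        return "code:" + validate_authorization_response(url, expected_iss, state)
    except AuthResponseError as exc:
        return "rejected:" + str(exc)


def mixup_demo() -> dict:
    """Client started the flow at HONEST_AS; honest versus mixed-up responses."""
    state, code, cb = "af0ifjsldkj", "SplxlOBeZQQYbYS6WxSbIA", "https://client.example/cb?"

    def jarm(iss: str) -> str:
        claims = {"iss": iss, "aud": CLIENT_ID, "exp": int(time.time()) + 600,
                  "code": code, "state": state}
        return make_jarm_jwt(claims, JARM_KEYS[iss])

    urls = {
        "plain_honest": cb + urlencode({"code": code, "state": state, "iss": HONEST_AS}),
        "plain_mixup": cb + urlencode({"code": code, "state": state, "iss": EVIL_AS}),
        "plain_no_iss": cb + urlencode({"code": code, "state": state}),
        "jarm_honest": cb + urlencode({"response": jarm(HONEST_AS)}),
        "jarm_mixup": cb + urlencode({"response": jarm(EVIL_AS)}),
    }
    return {name: outcome(url, HONEST_AS, state) for name, url in urls.items()}
```

Running `mixup_demo()` accepts the two honest responses and rejects the rest: the plain mixed-up response fails on the iss comparison, the plain response without iss is refused outright (a client that treats a missing iss as acceptable gets no protection), and the JARM response from the attacker's AS never reaches the iss comparison because it was verified with the expected issuer's key and its signature does not match.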

[OAUTH-WG] Save the Date: May 25-26, Federation and Browsers Workshop

2021-05-20 Thread Rifaat Shekh-Yusef
All,

Take a look at the following email from Heather regarding the Browsers
Workshop.

Regards,
 Rifaat


The *WebID* project in the *W3C Web Incubator Community Group (WICG)* would
like to invite you to participate in a workshop on
*May 25 & 26 from 10:00-13:00 PDT* dedicated to understanding the
implications of federation on the web in the face of privacy-preserving
changes to eliminate inappropriate user tracking. To date, discussions
about aspects of tracking, including eliminating third-party cookies,
evolving the use of link decoration, potential protocol-level changes, and
so on, are happening in several locations. Given the location of
expertise on each of those specific areas, that is entirely understandable.
What we are hoping to accomplish with this workshop is to bring
all the communities grappling with the impact of browser changes on
federated identity together to establish a common understanding of the
challenges.

Day one will focus on presentations from browsers and large-scale IdP
operators. Each IdP operator will have around 15 minutes to offer their
perspective with 5 minutes to allow for clarification questions from
participants. Day two will focus on questions and discussion topics that
came out of day one.

The connection details, agenda, and notes for the day are in the WICG WebID
GitHub repository, and participation requires joining the WICG and accepting
the W3C's Community Contributor's Agreement. There is no cost to the
workshop or WICG membership. We hope you can attend!