Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-26 Thread Pieter Kasselman
Thanks Joseph, those are good additions, thanks for pointing them out. I have 
opened issues to track both of them.

-Original Message-
From: Joseph Heenan  
Sent: Tuesday, October 25, 2022 11:49 AM
To: Pieter Kasselman 
Cc: oauth@ietf.org; Daniel Fett ; Filip Skokan 

Subject: Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

Hi Pieter / Daniel / Filip

It's great to see this document moving forward.

I may have missed it, but it may be worth being more explicit that one solution 
is to avoid using cross-device flows for same-device scenarios? It's sort of 
obvious, but questions like "well CIBA works for both cross-device and 
same-device, can't I save myself effort by only implementing CIBA and not 
bothering with standard redirect-based OAuth flows?" are commonly asked.

Also, in this text:

"If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel 
Authentication (CIBA) provides an alternative, provided that the underlying 
devices can receive push notifications."

It might be best to use a term other than 'push notifications' there or 
otherwise rewording this, as there are alternatives. e.g. I think there's at 
least one CIBA implementation out there that can use email to notify the user 
of an authorization request.

Thanks

Joseph

> On 19 Oct 2022, at 15:55, Pieter Kasselman wrote:
> 
> Hi All
> 
> Following on from the discussions at IETF 113, the OAuth Security Workshop, 
> Identiverse and IETF 114, Daniel, Filip and I created a draft document 
> capturing some of the attacks that we are seeing on cross device flows, 
> including Device Authorization Grant (aka Device Code Flow). 
> 
> These attacks exploit the unauthenticated channel between devices to trick 
> users into granting authorization by using social engineering techniques to 
> change the context in which authorization is requested. 
> 
> The purpose of the document is to serve as guidance on best practices when 
> designing and implementing scenarios that require cross device flows. We 
> would appreciate any feedback or comments on the document, or any other 
> mitigations or techniques that can be used to mitigate these attacks. Links 
> to the documents are below. We also hope to discuss this at IETF 115 in 
> London in a few weeks' time.
> 
> -
> A new version of I-D, draft-kasselman-cross-device-security-00.txt
> has been successfully submitted by Pieter Kasselman and posted to the IETF 
> repository.
> 
> Name:           draft-kasselman-cross-device-security
> Revision:       00
> Title:          Cross Device Flows: Security Best Current Practice
> Document date:  2022-10-19
> Group:          Individual Submission
> Pages:          25
> URL: 
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Status: 
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Html:   
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
> 
> 
> Abstract:
>   This document describes threats against cross-device 

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-25 Thread Joseph Heenan
Hi Pieter / Daniel / Filip

It’s great to see this document moving forward.

I may have missed it, but it may be worth being more explicit that one solution 
is to avoid using cross-device flows for same-device scenarios? It’s sort of 
obvious, but questions like “well CIBA works for both cross-device and 
same-device, can’t I save myself effort by only implementing CIBA and not 
bothering with standard redirect-based OAuth flows?” are commonly asked.

Also, in this text:

"If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel 
Authentication (CIBA) provides an alternative, provided that the underlying 
devices can receive push notifications."

It might be best to use a term other than ‘push notifications’ there or 
otherwise rewording this, as there are alternatives. e.g. I think there’s at 
least one CIBA implementation out there that can use email to notify the user 
of an authorization request.

Thanks

Joseph

> On 19 Oct 2022, at 15:55, Pieter Kasselman wrote:
> 
> Hi All
> 
> Following on from the discussions at IETF 113, the OAuth Security Workshop, 
> Identiverse and IETF 114, Daniel, Filip and I created a draft document 
> capturing some of the attacks that we are seeing on cross device flows, 
> including Device Authorization Grant (aka Device Code Flow). 
> 
> These attacks exploit the unauthenticated channel between devices to trick 
> users into granting authorization by using social engineering techniques to 
> change the context in which authorization is requested. 
> 
> The purpose of the document is to serve as guidance on best practices when 
> designing and implementing scenarios that require cross device flows. We 
> would appreciate any feedback or comments on the document, or any other 
> mitigations or techniques that can be used to mitigate these attacks. Links 
> to the documents are below. We also hope to discuss this at IETF 115 in 
> London in a few weeks' time.
> 
> -
> A new version of I-D, draft-kasselman-cross-device-security-00.txt
> has been successfully submitted by Pieter Kasselman and posted to the IETF 
> repository.
> 
> Name:           draft-kasselman-cross-device-security
> Revision:       00
> Title:          Cross Device Flows: Security Best Current Practice
> Document date:  2022-10-19
> Group:          Individual Submission
> Pages:          25
> URL: 
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Status: 
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt 
> Html:   
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
> 
> 
> Abstract:
>   This document describes threats against cross-device flows along with
>   near term mitigations, protocol selection guidance and the analytical
>   tools needed to evaluate the effectiveness of these mitigations.  It
>   serves as a security guide to system designers, architects, product
>   managers, security specialists, fraud analysts and engineers
>   implementing cross-device flows.
> 
> 
> 
> 
> The IETF Secretariat
> 
> 

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
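The "unauthenticated channel between devices" that the announcement quoted above refers to is easiest to see in the protocol itself. What follows is an added example, not code from this thread, from the draft or from any real authorization server: a toy in-memory model of the OAuth 2.0 Device Authorization Grant (RFC 8628) in Python, followed by the attacker-initiated variant of the flow. The class and function names (AuthorizationServer, DeviceRequest, illicit_consent_demo), the as.example host, the client_id and the lure text are my own assumptions.

```python
"""Toy model of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example; names, hosts and lure text below are assumptions, not taken
from the draft or from any real implementation.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# RFC 8628 section 6.1 suggests a consonant-only alphabet so that codes are
# easy to read aloud and transcribe. That same property lets the code travel
# over any channel an attacker picks (mail, chat, a phone call).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class DeviceRequest:
    device_code: str
    user_code: str          # stored upper case, without the display hyphen
    client_id: str
    scope: str
    expires_at: float
    interval: int = 5
    approved_by: Optional[str] = None
    denied: bool = False
    last_poll: float = 0.0
    token_issued: bool = False


class AuthorizationServer:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now  # injectable clock so the flow is testable offline
        self.by_device_code: Dict[str, DeviceRequest] = {}
        self.by_user_code: Dict[str, DeviceRequest] = {}

    # Device authorization endpoint (RFC 8628 sections 3.1 / 3.2).
    def device_authorization(self, client_id: str, scope: str) -> dict:
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        req = DeviceRequest(device_code=secrets.token_urlsafe(32), user_code=raw,
                            client_id=client_id, scope=scope,
                            expires_at=self.now() + 1800)
        self.by_device_code[req.device_code] = req
        self.by_user_code[raw] = req
        user_code = f"{raw[:4]}-{raw[4:]}"
        return {"device_code": req.device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",
                "verification_uri_complete":
                    f"https://as.example/device?user_code={user_code}",
                "expires_in": 1800, "interval": req.interval}

    # End-user verification (section 3.3). Note what the server does NOT know
    # here: which device called device_authorization(), or whether the person
    # approving is the person who started the flow. It only knows the
    # authenticated user and the code they typed in.
    def verify_user_code(self, user_code: str, authenticated_user: str,
                         approve: bool = True) -> str:
        key = user_code.upper().replace("-", "").replace(" ", "")
        req = self.by_user_code.get(key)
        if req is None or req.expires_at < self.now() or req.approved_by or req.denied:
            return "invalid_code"
        if approve:
            req.approved_by = authenticated_user
            return "approved"
        req.denied = True
        return "denied"

    # Token endpoint, polled by the initiating device (sections 3.4 / 3.5).
    def token(self, client_id: str, device_code: str) -> dict:
        req = self.by_device_code.get(device_code)
        if req is None or req.client_id != client_id:
            return {"error": "invalid_grant"}
        now = self.now()
        if req.expires_at < now:
            return {"error": "expired_token"}
        if now - req.last_poll < req.interval:
            req.last_poll = now          # polling too fast resets the wait
            return {"error": "slow_down"}
        req.last_poll = now
        if req.denied:
            return {"error": "access_denied"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        if req.token_issued:
            return {"error": "invalid_grant"}   # device_code is single use
        req.token_issued = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": req.scope, "sub": req.approved_by}


def illicit_consent_demo(server: AuthorizationServer,
                         victim: str = "victim@example.com") -> dict:
    """Attacker-initiated flow: the attacker starts the grant on a device they
    control, relays the user code to the victim with a pretext, and polls.
    Nothing in the exchange binds the victim's approval to the device that
    actually initiated the request."""
    started = server.device_authorization(client_id="tv-streaming-app",
                                          scope="openid email")
    # Constructed lure; the pretext changes the context in which the victim
    # reads an otherwise genuine request on a genuine AS page.
    lure = (f"Security check: open {started['verification_uri']} and enter "
            f"{started['user_code']} to keep your account active.")
    outcome = server.verify_user_code(started["user_code"], authenticated_user=victim)
    token = server.token("tv-streaming-app", started["device_code"])
    return {"lure": lure, "outcome": outcome, "token": token}


if __name__ == "__main__":
    print(illicit_consent_demo(AuthorizationServer()))
```

The point the model makes is that the authorization server behaves correctly at every step: the client_id and scope the victim approves are real, the verification URL is real, and the only input it has for deciding whom to bind the token to is the session of whoever typed the code. That is why the announcement frames the problem as one of context and social engineering rather than a protocol bug, and why Joseph's suggestion to keep cross-device flows out of same-device scenarios removes the exposure where it is not needed.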


Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-24 Thread Pieter Kasselman
Thanks Brian, I will add clarification on CIBA and fix those transposition 
errors. Much appreciated!

From: Brian Campbell 
Sent: Friday, October 21, 2022 11:10 PM
To: Pieter Kasselman 
Cc: oauth@ietf.org; Daniel Fett ; Filip Skokan 

Subject: Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

And I just happened to notice there are a few mentions of RFC8682 (TinyMT32 
Pseudorandom Number Generator) which should probably be RFC8628 (OAuth 2.0 
Device Authorization Grant).

On Fri, Oct 21, 2022 at 4:06 PM Brian Campbell wrote:
Just want to try and clarify some things about the status of CIBA, which is 
described somewhat erroneously as a "standard under development."  There is a 
FAPI profile of CIBA that is still under development but core CIBA 
<https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html> 
was finalized last year.




On Wed, Oct 19, 2022 at 8:56 AM Pieter Kasselman wrote:
Hi All

Following on from the discussions at IETF 113, the OAuth Security Workshop, 
Identiverse and IETF 114, Daniel, Filip and I created a draft document 
capturing some of the attacks that we are seeing on cross device flows, 
including Device Authorization Grant (aka Device Code Flow).

These attacks exploit the unauthenticated channel between devices to trick 
users into granting authorization by using social engineering techniques to 
change the context in which authorization is requested.

The purpose of the document is to serve as guidance on best practices when 
designing and implementing scenarios that require cross device flows. We would 
appreciate any feedback or comments on the document, or any other mitigations 
or techniques that can be used to mitigate these attacks. Links to the 
documents are below. We also hope to discuss this at IETF 115 in London in a 
few weeks' time.

-
A new version of I-D, draft-kasselman-cross-device-security-00.txt
has been successfully submitted by Pieter Kasselman and posted to the IETF 
repository.

Name:   draft-kasselman-cross-device-security
Revision:   00
Title:  Cross Device Flows: Security Best Current Practice
Document date:  2022-10-19
Group:  Individual Submission
Pages:  25
URL: 
https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
Status: 
https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
Html:   
https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
Htmlized:
https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security


Abstract:
   

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-21 Thread Brian Campbell
And I just happened to notice there are a few mentions of RFC8682 (TinyMT32
Pseudorandom Number Generator) which should probably be RFC8628 (OAuth 2.0
Device Authorization Grant).

On Fri, Oct 21, 2022 at 4:06 PM Brian Campbell 
wrote:

> Just want to try and clarify some things about the status of CIBA, which
> is described somewhat erroneously as a "standard under development."  There
> is a FAPI profile of CIBA that is still under development but core CIBA
> was finalized last year.
>
>
>
>
> On Wed, Oct 19, 2022 at 8:56 AM Pieter Kasselman wrote:
>
>> Hi All
>>
>> Following on from the discussions at IETF 113, the OAuth Security
>> Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft
>> document capturing some of the attacks that we are seeing on cross device
>> flows, including Device Authorization Grant (aka Device Code Flow).
>>
>> These attacks exploit the unauthenticated channel between devices to
>> trick users into granting authorization by using social engineering
>> techniques to change the context in which authorization is requested.
>>
>> The purpose of the document is to serve as guidance on best practices
>> when designing and implementing scenarios that require cross device flows.
>> We would appreciate any feedback or comments on the document, or any other
>> mitigations or techniques that can be used to mitigate these attacks. Links
>> to the documents are below. We also hope to discuss this at IETF 115 in
>> London in a few weeks' time.
>>
>>
>> -
>> A new version of I-D, draft-kasselman-cross-device-security-00.txt
>> has been successfully submitted by Pieter Kasselman and posted to the
>> IETF repository.
>>
>> Name:   draft-kasselman-cross-device-security
>> Revision:   00
>> Title:  Cross Device Flows: Security Best Current Practice
>> Document date:  2022-10-19
>> Group:  Individual Submission
>> Pages:  25
>> URL:
>> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
>> Status:
>> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
>> Html:
>> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
>>
>>
>> Abstract:
>>This document describes threats against cross-device flows along with
>>near term mitigations, protocol selection guidance and the analytical
>>tools needed to evaluate the effectiveness of these mitigations.  It
>>serves as a security guide to system designers, architects, product
>>managers, security specialists, fraud analysts and engineers
>>implementing cross-device flows.
>>
>>
>>
>>
>> The IETF Secretariat
>>
>>
>>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._


Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-21 Thread Brian Campbell
Just want to try and clarify some things about the status of CIBA, which is
described somewhat erroneously as a "standard under development."  There is
a FAPI profile of CIBA that is still under development but core CIBA
was finalized last year.




On Wed, Oct 19, 2022 at 8:56 AM Pieter Kasselman wrote:

> Hi All
>
> Following on from the discussions at IETF 113, the OAuth Security
> Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft
> document capturing some of the attacks that we are seeing on cross device
> flows, including Device Authorization Grant (aka Device Code Flow).
>
> These attacks exploit the unauthenticated channel between devices to trick
> users into granting authorization by using social engineering techniques to
> change the context in which authorization is requested.
>
> The purpose of the document is to serve as guidance on best practices when
> designing and implementing scenarios that require cross device flows. We
> would appreciate any feedback or comments on the document, or any other
> mitigations or techniques that can be used to mitigate these attacks. Links
> to the documents are below. We also hope to discuss this at IETF 115 in
> London in a few weeks' time.
>
>
> -
> A new version of I-D, draft-kasselman-cross-device-security-00.txt
> has been successfully submitted by Pieter Kasselman and posted to the IETF
> repository.
>
> Name:   draft-kasselman-cross-device-security
> Revision:   00
> Title:  Cross Device Flows: Security Best Current Practice
> Document date:  2022-10-19
> Group:  Individual Submission
> Pages:  25
> URL:
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Status:
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> Html:
> https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
>
>
> Abstract:
>This document describes threats against cross-device flows along with
>near term mitigations, protocol selection guidance and the analytical
>tools needed to evaluate the effectiveness of these mitigations.  It
>serves as a security guide to system designers, architects, product
>managers, security specialists, fraud analysts and engineers
>implementing cross-device flows.
>
>
>
>
> The IETF Secretariat
>
>
>
