[OAUTH-WG] Invitation: IETF OAuth WG Virtual Office Hours @ Wed Jun 14, 2023 12pm - 12:30pm (EDT) (oauth@ietf.org)

2023-06-14 Thread rifaat . s . ietf

Re: [OAUTH-WG] Invitation: IETF OAuth WG Virtual Office Hours @ Wed Jun 14, 2023 12pm - 12:30pm (EDT) (oauth@ietf.org)

2023-06-14 Thread Rifaat Shekh-Yusef
All, This is the new invitation for the OAuth WG Virtual Office Hours using Zoom, because we could not resolve the issues with the IETF WebEx application. Regards, Rifaat On Wed, Jun 14, 2023 at 8:37 AM wrote: > IETF OAuth WG Virtual Office Hours > Rifaat Shekh-Yusef is inviting you to a

[OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Alexander Rademann
Hello, everyone! Section 4.4.1 of the BCP draft lists several variants of mix-up attacks; the description of the Implicit grant variant reads as follows: "In the implicit grant, the attacker receives an access

Re: [OAUTH-WG] Simplification and consolidation of SD-JWT terminology and format

2023-06-14 Thread Daniel Fett
Hi Hannes, maybe it was a bit implicit, but the point of Brian's email was to specifically do what you said - discuss this normative change here first. Although this is an extremely small change, we are conscious about not introducing breaking changes unless there is a tangible, practical

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Aaron Parecki
Hi Alex, I see what you mean, in Section 4.4.1 with the implicit flow, the sequence ends with the redirect back to the client from H-AS with the access token. Steps 5 and 6 don't happen with the implicit flow, so "works as above" isn't descriptive enough. The paper describes a slightly different

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Aaron Parecki
I've created a pull request to update this section here: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/82/files Aaron On Wed, Jun 14, 2023 at 6:47 AM Aaron Parecki wrote: > Hi Alex, > > I see what you mean, in Section 4.4.1 with the implicit flow, the sequence > ends with

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Daniel Fett
Hi Alexander, On 14.06.23 at 15:19, Alexander Rademann wrote: Hello, everyone! Section 4.4.1 of the BCP draft lists several variants of mix-up attacks; the description of the Implicit grant variant

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Warren Parad
Presumably, the attacker can get the token by having the Honest-AS redirect the user to a site controlled by the Attacker. That site then would redirect the user back to the original site with the Honest-AS token. This is no different than an ordinary phishing-based attack. On Wed, Jun 14, 2023,

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Warren Parad
That doesn't make sense to me. On Wed, Jun 14, 2023, 21:31 Daniel Fett wrote: > Hi Alexander, > On 14.06.23 at 15:19, Alexander Rademann wrote: > > Hello, everyone! Section 4.4.1 of the BCP > > draft

Re: [OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Aaron Parecki
Hi Warren, this is described in detail in the linked paper on page 31 if you need further clarification. Aaron On Wed, Jun 14, 2023 at 7:36 AM Warren Parad wrote: > That doesn't make sense to me. > > On Wed, Jun 14, 2023, 21:31 Daniel Fett wrote: > >> Hi

Re: [OAUTH-WG] Simplification and consolidation of SD-JWT terminology and format

2023-06-14 Thread Hannes Tschofenig
Hi Brian, please note that this is a working group item and you cannot make decisions in a small group with off-line discussions. Hence, I suggest proposing the changes to the list and getting support for them. As you know, we need to follow this approach to give everyone in the group a chance to