Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-21 Thread Vladimir Dzhuvinov
The spec is fine, we've had it implemented for some time now and support 
its publication.


+1 to Brian's comment. I suppose it suffices to say the iss parameter is 
redundant when JARM is used, as JARM provides the same countermeasure. I 
found the normative text about what JARM allows or disallows (or text 
that reads like normative text) problematic; the JARM spec should remain 
the place for this.


Thanks for this work Karsten. Also my thanks to Daniel.

Vladimir

On 21/05/2021 00:00, Brian Campbell wrote:

Thanks Karsten,

That's moving in the right direction. But I think the last sentence is 
still too strong and maybe prone to misunderstanding given it's not 
100% obvious in the JARM case what exactly constitutes an 
authorization response parameter.


I'd say the last sentence could just be dropped altogether. Or maybe 
changed to something like this, "Therefore, an additional iss 
parameter outside the JWT is unneeded when JARM is used."



On Wed, May 19, 2021 at 12:45 AM Karsten Meyer zu Selhausen wrote:


Hi Brian,

thank you for your feedback.

I agree that the language is too strong here. What do you think
about this new note?


Note: The "JWT Secured Authorization Response Mode for OAuth 2.0
(JARM)" [JARM] defines a mechanism that conveys all authorization
response parameters in a JWT. This JWT contains an iss claim that
provides the same protection if it is validated as described in
Section 2.4. Therefore, an additional iss authorization response
parameter as defined by this document MUST NOT be used when JARM
is used.


Best regards,
Karsten

On 15.05.2021 00:35, Brian Campbell wrote:

Overall it looks pretty good to me.
One little nit is that I don't love this text from the end of sec
2.4 that talks about JARM:

'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0
(JARM)" [JARM] forbids the use of additional parameters in the
authorization response. Therefore, the iss parameter MUST NOT be
used when JARM is used. However, JARM responses contain an iss
claim that provides the same protection if it is validated as
described in Section 2.4.'

JARM doesn't exactly forbid additional parameters but rather just
wraps up all the authorization response parameters as claims in a
JWT which is itself sent as a single form/query/fragment
parameter. So really the iss authorization response parameter of
this draft is still sent as a claim of the JARM JWT. It just
happens to be the same as the iss claim value that JARM is
already including.

On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef wrote:

All,

We have not seen any comments on this document.
Can you please review the document and provide feedback, or
indicate that you have reviewed the document and have no
concerns.

Regards,
 Rifaat & Hannes


On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen wrote:

Hi all,

the latest version of the security BCP references
draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to
mix-up attacks.

There have not been any concerns with the first WG draft
version so far:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/


I would like to ask the WG if there are any comments on
or concerns with the current draft version.

Otherwise I hope we can move forward with the next steps
and hopefully finish the draft before/with the security BCP.

Best regards,
Karsten

-- 
Karsten Meyer zu Selhausen

Senior IT Security Consultant
Phone:  +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect client vulnerable to the severe 
impacts of mix-up attacks? Learn how to protect your client in our latest blog 
post on single sign-on:

https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
  


Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj 
Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz

___
OAuth mailing list
OAuth@ietf.org 

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-20 Thread Brian Campbell
Thanks Karsten,

That's moving in the right direction. But I think the last sentence is
still too strong and maybe prone to misunderstanding given it's not 100%
obvious in the JARM case what exactly constitutes an authorization response
parameter.

I'd say the last sentence could just be dropped altogether. Or maybe
changed to something like this, "Therefore, an additional iss parameter
outside the JWT is unneeded when JARM is used."


On Wed, May 19, 2021 at 12:45 AM Karsten Meyer zu Selhausen <
karsten.meyerzuselhau...@hackmanit.de> wrote:

> Hi Brian,
>
> thank you for your feedback.
>
> I agree that the language is too strong here. What do you think about this
> new note?
>
> Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] defines a mechanism that conveys all authorization response
> parameters in a JWT. This JWT contains an iss claim that provides the same
> protection if it is validated as described in Section 2.4. Therefore, an
> additional iss authorization response parameter as defined by this document
> MUST NOT be used when JARM is used.
>
> Best regards,
> Karsten
> On 15.05.2021 00:35, Brian Campbell wrote:
>
> Overall it looks pretty good to me.
> One little nit is that I don't love this text from the end of sec 2.4 that
> talks about JARM:
>
> 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] forbids the use of additional parameters in the authorization
> response. Therefore, the iss parameter MUST NOT be used when JARM is used.
> However, JARM responses contain an iss claim that provides the same
> protection if it is validated as described in Section 2.4.'
>
> JARM doesn't exactly forbid additional parameters but rather just wraps up
> all the authorization response parameters as claims in a JWT which is
> itself sent as a single form/query/fragment parameter. So really the iss
> authorization response parameter of this draft is still sent as a claim of
> the JARM JWT. It just happens to be the same as the iss claim value that
> JARM is already including.
>
> On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef wrote:
>
>> All,
>>
>> We have not seen any comments on this document.
>> Can you please review the document and provide feedback, or indicate that
>> you have reviewed the document and have no concerns.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>>
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
>> karsten.meyerzuselhau...@hackmanit.de> wrote:
>>
>>> Hi all,
>>>
>>> the latest version of the security BCP references
>>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>>
>>> There have not been any concerns with the first WG draft version so far:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>>
>>> I would like to ask the WG if there are any comments on or concerns with
>>> the current draft version.
>>>
>>> Otherwise I hope we can move forward with the next steps and hopefully
>>> finish the draft before/with the security BCP.
>>>
>>> Best regards,
>>> Karsten
>>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-19 Thread Takahiko Kawasaki
Hi Karsten,

I've read the specification and implemented it. I think that the
specification is good enough for implementers. Actually, the latest version
of my company's product supports the specification and has already been
rolled out. The release note of the version mentions the specification. If
you are interested, please visit the page:

https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Best Regards,
Takahiko Kawasaki


On Wed, May 19, 2021 at 3:45 PM Karsten Meyer zu Selhausen <
karsten.meyerzuselhau...@hackmanit.de> wrote:

> Hi Brian,
>
> thank you for your feedback.
>
> I agree that the language is too strong here. What do you think about this
> new note?
>
> Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] defines a mechanism that conveys all authorization response
> parameters in a JWT. This JWT contains an iss claim that provides the same
> protection if it is validated as described in Section 2.4. Therefore, an
> additional iss authorization response parameter as defined by this document
> MUST NOT be used when JARM is used.
>
> Best regards,
> Karsten
> On 15.05.2021 00:35, Brian Campbell wrote:
>
> Overall it looks pretty good to me.
> One little nit is that I don't love this text from the end of sec 2.4 that
> talks about JARM:
>
> 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
> [JARM] forbids the use of additional parameters in the authorization
> response. Therefore, the iss parameter MUST NOT be used when JARM is used.
> However, JARM responses contain an iss claim that provides the same
> protection if it is validated as described in Section 2.4.'
>
> JARM doesn't exactly forbid additional parameters but rather just wraps up
> all the authorization response parameters as claims in a JWT which is
> itself sent as a single form/query/fragment parameter. So really the iss
> authorization response parameter of this draft is still sent as a claim of
> the JARM JWT. It just happens to be the same as the iss claim value that
> JARM is already including.
>
> On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef wrote:
>
>> All,
>>
>> We have not seen any comments on this document.
>> Can you please review the document and provide feedback, or indicate that
>> you have reviewed the document and have no concerns.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>>
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
>> karsten.meyerzuselhau...@hackmanit.de> wrote:
>>
>>> Hi all,
>>>
>>> the latest version of the security BCP references
>>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>>
>>> There have not been any concerns with the first WG draft version so far:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>>
>>> I would like to ask the WG if there are any comments on or concerns with
>>> the current draft version.
>>>
>>> Otherwise I hope we can move forward with the next steps and hopefully
>>> finish the draft before/with the security BCP.
>>>
>>> Best regards,
>>> Karsten
>>>

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-19 Thread Karsten Meyer zu Selhausen

Hi Brian,

thank you for your feedback.

I agree that the language is too strong here. What do you think about 
this new note?


Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 
(JARM)" [JARM] defines a mechanism that conveys all authorization 
response parameters in a JWT. This JWT contains an iss claim that 
provides the same protection if it is validated as described in 
Section 2.4. Therefore, an additional iss authorization response 
parameter as defined by this document MUST NOT be used when JARM is used.


Best regards,
Karsten

On 15.05.2021 00:35, Brian Campbell wrote:

Overall it looks pretty good to me.
One little nit is that I don't love this text from the end of sec 2.4 
that talks about JARM:


'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 
(JARM)" [JARM] forbids the use of additional parameters in the 
authorization response. Therefore, the iss parameter MUST NOT be used 
when JARM is used. However, JARM responses contain an iss claim that 
provides the same protection if it is validated as described in 
Section 2.4.'


JARM doesn't exactly forbid additional parameters but rather just 
wraps up all the authorization response parameters as claims in a JWT 
which is itself sent as a single form/query/fragment parameter. So 
really the iss authorization response parameter of this draft is still 
sent as a claim of the JARM JWT. It just happens to be the same as the 
iss claim value that JARM is already including.


On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef wrote:


All,

We have not seen any comments on this document.
Can you please review the document and provide feedback, or
indicate that you have reviewed the document and have no concerns.

Regards,
 Rifaat & Hannes


On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen wrote:

Hi all,

the latest version of the security BCP references
draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to
mix-up attacks.

There have not been any concerns with the first WG draft
version so far:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/


I would like to ask the WG if there are any comments on or
concerns with the current draft version.

Otherwise I hope we can move forward with the next steps and
hopefully finish the draft before/with the security BCP.

Best regards,
Karsten


Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-14 Thread Brian Campbell
Overall it looks pretty good to me.
One little nit is that I don't love this text from the end of sec 2.4 that
talks about JARM:

'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
[JARM] forbids the use of additional parameters in the authorization
response. Therefore, the iss parameter MUST NOT be used when JARM is used.
However, JARM responses contain an iss claim that provides the same
protection if it is validated as described in Section 2.4.'

JARM doesn't exactly forbid additional parameters but rather just wraps up
all the authorization response parameters as claims in a JWT which is
itself sent as a single form/query/fragment parameter. So really the iss
authorization response parameter of this draft is still sent as a claim of
the JARM JWT. It just happens to be the same as the iss claim value that
JARM is already including.

On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef wrote:

> All,
>
> We have not seen any comments on this document.
> Can you please review the document and provide feedback, or indicate that
> you have reviewed the document and have no concerns.
>
> Regards,
>  Rifaat & Hannes
>
>
> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
> karsten.meyerzuselhau...@hackmanit.de> wrote:
>
>> Hi all,
>>
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>
>> There have not been any concerns with the first WG draft version so far:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or concerns with
>> the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and hopefully
>> finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>


Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-14 Thread Brian Campbell
Perhaps this draft could be marked as replacing
draft-ietf-oauth-mix-up-mitigation (I think the chairs have the tools to do
that) so that the datatracker somewhat reflects the history?

Some discussion in the draft itself might be helpful to a subset of readers
interested or knowledgeable about the history.  But I suspect that it'd
just be noise for the majority of readers.

On Mon, May 10, 2021 at 7:26 AM Daniel Fett wrote:

> Hi Neil,
>
> I'm not sure - maybe others can chime in here as well - if a discussion
> relating to an expired previous draft is something one would expect in the
> spec.
>
> For the record, the client_id does not provide any additional security.
> The key to mitigating Mix-Up is that the "honest AS" ensures that the code
> issued at its token endpoint is sent to the honest IdP's token endpoint,
> and not to the attacker IdP's token endpoint. This is ensured by the iss
> parameter. The client_id would maybe be relevant if the honest AS sends
> different issuer values for different client_ids - I have not heard of such
> a constellation. I'm not sure why the client_id was included in the
> previous draft.
>
> -Daniel
>
>
> On 10.05.21 at 14:57, Neil Madden wrote:
>
> I have also read it and it looks good to me. It might be worth explicitly
> discussing how it relates to the older draft [1] (that we implemented at
> the time). That older draft also included a client_id parameter in the
> response, so it would be good to clarify if that is actually needed to
> prevent the attack or not.
>
> [1]:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>
>
> Kind regards,
>
> Neil
>
> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen <
> karsten.meyerzuselhau...@hackmanit.de> wrote:
>
> Hi all,
>
> the latest version of the security BCP references
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>
> There have not been any concerns with the first WG draft version so far:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>
> I would like to ask the WG if there are any comments on or concerns with
> the current draft version.
>
> Otherwise I hope we can move forward with the next steps and hopefully
> finish the draft before/with the security BCP.
>
> Best regards,
> Karsten
>
>
> ForgeRock values your Privacy 
>
> -- https://danielfett.de
>
>



Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-10 Thread Daniel Fett
Hi Neil,

I'm not sure - maybe others can chime in here as well - if a discussion
relating to an expired previous draft is something one would expect in
the spec.

For the record, the client_id does not provide any additional security.
The key to mitigating Mix-Up is that the "honest AS" ensures that the
code issued at its token endpoint is sent to the honest IdP's token
endpoint, and not to the attacker IdP's token endpoint. This is ensured
by the iss parameter. The client_id would maybe be relevant if the
honest AS sends different issuer values for different client_ids - I
have not heard of such a constellation. I'm not sure why the client_id
was included in the previous draft.

-Daniel


On 10.05.21 at 14:57, Neil Madden wrote:
> I have also read it and it looks good to me. It might be worth
> explicitly discussing how it relates to the older draft [1] (that we
> implemented at the time). That older draft also included a client_id
> parameter in the response, so it would be good to clarify if that is
> actually needed to prevent the attack or not.
>
> [1]: 
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>  
>
> Kind regards,
>
> Neil
>
>> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen wrote:
>>
>> Hi all,
>>
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>
>> There have not been any concerns with the first WG draft version so
>> far: https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or concerns
>> with the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and
>> hopefully finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>
>
>


-- 
https://danielfett.de


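Daniel's point above (the code is only ever redeemed at the token endpoint of the issuer the client started the flow with, which the iss parameter makes checkable) and Brian's earlier point that under JARM the iss travels as a claim inside the response JWT, as an added Python example that is not part of this thread nor of any implementation mentioned in it. Assumed and constructed: a client registered at two issuers, a pending-request table keyed by state, and an HS256 shared key for the JARM JWT (a real deployment would verify the AS's asymmetric signature instead).

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit

# Constructed example configuration: a client registered at two authorization
# servers. Per pending request it records which issuer it sent the user to, so
# the response can later be bound to that issuer (the draft's Section 2.4 check).
CLIENT_ID = "s6BhdRkqt3"
TOKEN_ENDPOINTS = {
    "https://honest-as.example": "https://honest-as.example/token",
    "https://other-as.example": "https://other-as.example/token",
}
# state -> issuer the flow was started with (constructed)
PENDING = {"af0ifjsldkj": "https://honest-as.example"}
# Assumption for the JARM branch: the response JWT is an HS256 JWS under this
# constructed shared key. Real deployments verify the AS's asymmetric signature.
JARM_KEY = b"constructed-example-key-do-not-use"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jarm_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JARM response JWT (only to construct example input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jarm_hs256(token: str, key: bytes, now=None) -> dict:
    """Check alg, signature, aud and exp of a JARM response JWT; return its claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JARM response")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm, never trust alg from the token
        raise ValueError("unexpected JWS alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JARM signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("JARM response not addressed to this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("JARM response expired")
    return claims


def validate_authorization_response(redirect_url: str, pending=PENDING, now=None):
    """Bind the authorization response to the issuer the flow was started with.

    Returns (token_endpoint, code): the code may only be redeemed at the token
    endpoint of the issuer recorded for this state. Any mismatch raises
    ValueError; that is the mix-up signal and the code must not be used.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if "response" in params:
        # JARM: every response parameter, iss included, is a claim inside the JWT,
        # so there is nothing to read from the outer query string.
        params = verify_jarm_hs256(params["response"], JARM_KEY, now)
    expected_iss = pending.get(params.get("state"))
    if expected_iss is None:
        raise ValueError("unknown or missing state")
    iss = params.get("iss")
    if iss is None:
        raise ValueError("iss missing from authorization response")
    if iss != expected_iss:  # exact string comparison, no normalisation
        raise ValueError(f"issuer mismatch: got {iss!r}, expected {expected_iss!r}")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return TOKEN_ENDPOINTS[expected_iss], params["code"]
```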

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-10 Thread Neil Madden
I have also read it and it looks good to me. It might be worth explicitly 
discussing how it relates to the older draft [1] (that we implemented at the 
time). That older draft also included a client_id parameter in the response, so 
it would be good to clarify if that is actually needed to prevent the attack or 
not.

[1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01

Kind regards,

Neil

> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen wrote:
> 
> Hi all,
> 
> the latest version of the security BCP references 
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
> 
> There have not been any concerns with the first WG draft version so far: 
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/ 
> 
> I would like to ask the WG if there are any comments on or concerns with the 
> current draft version.
> 
> Otherwise I hope we can move forward with the next steps and hopefully finish 
> the draft before/with the security BCP.
> 
> Best regards,
> Karsten
> 




Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-10 Thread Vladislav Mladenov
Hi all,

I reviewed the document and have no objections. I think we can move
forward with the next steps.

Best regards
Vladislav Mladenov


On 09.05.21 at 12:11, Torsten Lodderstedt wrote:
> Hi,
>
> I have read the document and have no concerns.
>
> As an editorial feedback, I would suggest to drop „If implemented
> correctly,“ in the abstract since this apparently is a prerequisite
> for all kinds of security controls ;-)
>
> best regards,
> Torsten.
>
>> On 01.05.2021 at 22:47, Rifaat Shekh-Yusef wrote:
>>
>> 
>> All,
>>
>> We have not seen any comments on this document.
>> Can you please review the document and provide feedback, or indicate
>> that you have reviewed the document and have no concerns.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>>
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen wrote:
>>
>> Hi all,
>>
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up
>> attacks.
>>
>> There have not been any concerns with the first WG draft version
>> so far:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or
>> concerns with the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and
>> hopefully finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>
>>

-- 
Dr.-Ing. Vladislav Mladenov

Horst Görtz Institute for IT-Security 
Chair for Network and Data Security 
Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/457
D-44801 Bochum, Germany
http://www.nds.rub.de

Phone: (+49) (0)234 / 32 - 26742
Fax: (+49) (0)234 / 32 - 14347





Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-10 Thread Christian Mainka

Hi,

I read the document, have no concerns, and support it.

Christian

On 01.05.21 22:46, Rifaat Shekh-Yusef wrote:

All,

We have not seen any comments on this document.
Can you please review the document and provide feedback, or indicate that
you have reviewed the document and have no concerns.

Regards,
  Rifaat & Hannes


On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
karsten.meyerzuselhau...@hackmanit.de> wrote:


Hi all,

the latest version of the security BCP references
draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.

There have not been any concerns with the first WG draft version so far:
https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/

I would like to ask the WG if there are any comments on or concerns with
the current draft version.

Otherwise I hope we can move forward with the next steps and hopefully
finish the draft before/with the security BCP.

Best regards,
Karsten




--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr University Bochum, Germany

Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany

Phone: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
https://nds.rub.de/chair/people/cmainka/
@CheariX





Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-09 Thread Torsten Lodderstedt
Hi,

I have read the document and have no concerns.

As editorial feedback, I would suggest dropping "If implemented correctly," 
in the abstract since this apparently is a prerequisite for all kinds of 
security controls ;-)

best regards,
Torsten.

> On 01.05.2021 at 22:47, Rifaat Shekh-Yusef wrote:
> 
> 
> All,
> 
> We have not seen any comments on this document.
> Can you please review the document and provide feedback, or indicate that you 
> have reviewed the document and have no concerns.
> 
> Regards,
>  Rifaat & Hannes
> 
> 
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen wrote:
>> Hi all,
>> 
>> the latest version of the security BCP references 
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>> 
>> There have not been any concerns with the first WG draft version so far: 
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>> 
>> I would like to ask the WG if there are any comments on or concerns with the 
>> current draft version.
>> 
>> Otherwise I hope we can move forward with the next steps and hopefully 
>> finish the draft before/with the security BCP.
>> 
>> Best regards,
>> Karsten
>> 




Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-01 Thread Rifaat Shekh-Yusef
All,

We have not seen any comments on this document.
Can you please review the document and provide feedback, or indicate that
you have reviewed the document and have no concerns.

Regards,
 Rifaat & Hannes


On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
karsten.meyerzuselhau...@hackmanit.de> wrote:

> Hi all,
>
> the latest version of the security BCP references
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>
> There have not been any concerns with the first WG draft version so far:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>
> I would like to ask the WG if there are any comments on or concerns with
> the current draft version.
>
> Otherwise I hope we can move forward with the next steps and hopefully
> finish the draft before/with the security BCP.
>
> Best regards,
> Karsten
>
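The thread above discusses draft-ietf-oauth-iss-auth-resp as a mix-up countermeasure without showing the client-side check itself. The following is an added example written for this page, not code from the thread, the draft, or any of the participants. It implements the check the draft defines: the client remembers, per `state`, which authorization server it sent the request to, and on the redirect back compares the `iss` response parameter against that issuer with an exact string comparison; if the AS metadata advertises `authorization_response_iss_parameter_supported`, a response without `iss` is rejected as well. The issuer names, the `AS_METADATA` table, the `Client` class and the helper names are all assumptions made for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample AS metadata, standing in for what the client fetched from
# each AS's /.well-known/oauth-authorization-server document. The issuer names
# are hypothetical.
AS_METADATA = {
    "https://honest.example": {
        "authorization_endpoint": "https://honest.example/authorize",
        "authorization_response_iss_parameter_supported": True,
    },
    "https://legacy.example": {
        "authorization_endpoint": "https://legacy.example/authorize",
        "authorization_response_iss_parameter_supported": False,
    },
}


class MixUpRejected(Exception):
    """The authorization response did not pass the issuer check."""


def _single(params, name):
    """Return the one value of a query parameter, None if absent; duplicates are an error."""
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise MixUpRejected(f"parameter {name!r} must not be repeated")
    return values[0]


class Client:
    """Minimal authorization-code client keeping one pending session per state."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions = {}  # state -> issuer the request was sent to

    def start(self, issuer):
        """Build the authorization request and remember which AS it was sent to."""
        state = secrets.token_urlsafe(16)
        self.sessions[state] = issuer
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        })
        return f"{AS_METADATA[issuer]['authorization_endpoint']}?{query}", state

    def finish(self, redirect_url):
        """Validate the redirect back to the client; return (issuer, params) or raise."""
        params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
        state = _single(params, "state")
        if state is None or state not in self.sessions:
            raise MixUpRejected("missing or unknown state")
        expected_iss = self.sessions.pop(state)  # a state is good for one response only
        iss = _single(params, "iss")
        supported = AS_METADATA[expected_iss]["authorization_response_iss_parameter_supported"]
        if iss is None:
            if supported:
                raise MixUpRejected("iss is missing but the AS advertises support for it")
            # Legacy AS without iss: nothing to compare, so the client must rely on
            # other mix-up defenses (for example one redirect URI per AS).
            return expected_iss, params
        if iss != expected_iss:  # exact string comparison, no normalization
            raise MixUpRejected(f"iss {iss!r} does not match {expected_iss!r}")
        return expected_iss, params


def is_accepted(client, redirect_url):
    """True if the client accepts the response, False if the iss check rejects it."""
    try:
        client.finish(redirect_url)
        return True
    except MixUpRejected:
        return False


if __name__ == "__main__":
    client = Client("app", "https://client.example/cb")
    _, state = client.start("https://honest.example")
    # Mix-up: a response that arrives with the attacker's issuer for a session the
    # client started with the honest AS is rejected before the code is ever used.
    bad = f"https://client.example/cb?code=attacker-code&state={state}&iss=https://attacker.example"
    print("mix-up response accepted?", is_accepted(client, bad))
```

The check applies to error responses exactly as to success responses, since the draft requires `iss` on both, and the comparison is deliberately a plain string match rather than URL normalization. The pending session is consumed on the first response for its `state`, whether accepted or rejected, so a rejected mix-up attempt cannot be retried with the same `state`.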