Thanks, Torsten. In 4.11, you can probably add client_secret and code phishing as explained in https://nat.sakimura.org/2016/01/22/code-phishing-attack-on-oauth-2-0-rfc6749/. I do not like the mitigation strategy there at all, though. Now that we have the MTLS draft, using that is much better.
The current document is based on the known threat analysis. As Andrey pointed out in the Trier seminar, most problems actually arise from the failure of 1) source authentication, 2) destination authentication, and 3) message authentication. This, I think, is a good viewpoint. The [BCM] paper further recommends having 4) a protocol version and message identifier and 5) a full list of actors/roles in addition. It will probably make the protocol provably secure as well. Perhaps we can add these as a consideration for mitigating unknown attacks. Also, analysing each known attack in light of 1) to 5) above will provide a uniform viewpoint on each attack, so it may be worthwhile to do.

Nat

[BCM] Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security, Security and Trust Principles archive, Volume 21, Issue 6, 817-846 (2013)

On Tue, Nov 14, 2017 at 10:28 PM Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> Hi all,
>
> I just published revision -04.
>
> Changes:
>
> - Added best practices on Token Leakage prevention
> - Restructured document for better readability
>
> kind regards,
> Torsten.
>
> Begin forwarded message:
>
> From: internet-dra...@ietf.org
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-04.txt
> Date: 14 November 2017 at 19:49:00 GMT+8
> To: <i-d-annou...@ietf.org>
> Cc: oauth@ietf.org
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
> Title : OAuth Security Topics
> Authors : Torsten Lodderstedt
> John Bradley
> Andrey Labunets
> Filename : draft-ietf-oauth-security-topics-04.txt
> Pages : 26
> Date : 2017-11-14
>
> Abstract:
> This draft gives a comprehensive overview on open OAuth security topics. It is intended to serve as a working document for the OAuth working group to systematically capture and discuss these security topics and respective mitigations and eventually recommend best current practice and also OAuth extensions needed to cope with the respective security threats.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-04
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-04
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
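As an added illustration of the five properties Nat lists above (example code written for this page, not from the draft or from the BCM paper): a Python sketch that tags an OAuth-style message with its source, destination, protocol version, message identifier and full actor list under an HMAC keyed with a shared secret standing in for a client_secret, and a verifier that checks each property in turn. The secret, nonce, code and actor names are constructed values; the second case shows the same valid message being rejected when it arrives at a different client.

```python
import hashlib, hmac, json

# Constructed shared secret between the authorization server and client "app-A"
# (standing in for a client_secret); an assumption for this example only.
SECRET = b"constructed-client-secret-for-app-A"

def canonical(msg: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def tag_message(msg: dict, secret: bytes) -> dict:
    # Message authentication (3): the MAC covers every field, including 1), 2), 4), 5).
    tagged = dict(msg)
    tagged["tag"] = hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()
    return tagged

def verify_message(tagged: dict, secret: bytes, me: str, expected_from: str,
                   expected_roles: list, expected_type: str, version: str = "oauth-2.0") -> tuple:
    """Return (ok, reason); each check corresponds to one of properties 1)-5)."""
    body = {k: v for k, v in tagged.items() if k != "tag"}
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tagged.get("tag", "")):
        return False, "message authentication failed"        # 3)
    if body.get("from") != expected_from:
        return False, "source authentication failed"         # 1)
    if body.get("to") != me:
        return False, "destination authentication failed"    # 2)
    if body.get("version") != version or body.get("msg_type") != expected_type:
        return False, "version/message identifier mismatch"  # 4)
    if body.get("roles") != sorted(expected_roles):
        return False, "actor list mismatch"                  # 5)
    return True, "ok"

def demo() -> tuple:
    roles = ["authorization_server", "client:app-A", "resource_owner", "resource_server:rs-1"]
    msg = {"version": "oauth-2.0", "msg_type": "authorization_response",
           "from": "authorization_server", "to": "client:app-A", "roles": sorted(roles),
           "nonce": "constructed-nonce-1", "code": "constructed-code-value"}
    tagged = tag_message(msg, SECRET)
    at_a = verify_message(tagged, SECRET, "client:app-A", "authorization_server",
                          roles, "authorization_response")
    # Same message re-delivered to another client: MAC is valid, destination check fails,
    # so the protection does not depend on key separation between clients alone.
    at_b = verify_message(tagged, SECRET, "client:app-B", "authorization_server",
                          roles, "authorization_response")
    # Relabelling the message as a different protocol step invalidates the MAC.
    relabelled = dict(tagged, msg_type="token_response")
    forged = verify_message(relabelled, SECRET, "client:app-A", "authorization_server",
                            roles, "token_response")
    return at_a, at_b, forged
```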