Something to consider in the new security text that's just occurred to me:

If an attacker gets their account tied to a user's device, there's a risk that the attacker would potentially be able to get that user's information as input through the device. Setting aside the obvious Alexa-style panopticon boxes for a minute, just think of a set-top box that allows you to enter your credit card information through the device itself. You'd then be buying your attacker the new season of Stargate, or whatever.

— Justin

> On Mar 19, 2018, at 12:06 PM, William Denniss <wdenn...@google.com> wrote:
>
> The update has been posted and is now available.
> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-08
>
> Thanks Scott for the feedback, and Justin for reviewing!
>
>
> On Thu, Mar 8, 2018 at 6:19 PM Justin Richer <jric...@mit.edu> wrote:
> +1
>
>> On Mar 5, 2018, at 10:23 PM, William Denniss <wdenn...@google.com> wrote:
>>
>> Thanks again for the feedback Scott. I've staged an update here:
>> https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/6
>>
>> It expands on the brute force attack section to include some detail on this
>> attack, as it is quite unique for OAuth brute-force attacks (since the
>> victim actually ends up with the attacker's grant on the device, instead of
>> the other way around – not that this is totally safe of course, it's just
>> unique). It also adds some further discussion around what factors need to
>> be considered by authorization servers when creating the user code format.
>>
>> I'll post this once my co-authors have reviewed, and the submission tool
>> re-opens.
>>
>>
>> On Fri, Jan 5, 2018 at 10:56 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:
>> Hi Scott,
>>
>> Sorry, I missed that last discussion that you had with William.
>>
>> William,
>>
>> Can you please update the document based on your last discussion with Scott?
>> I will then update the request for publication to use the new updated
>> version.
>>
>> Regards,
>> Rifaat
>>
>>
>>
>> On Fri, Jan 5, 2018 at 12:40 PM, Hollenbeck, Scott <shollenb...@verisign.com> wrote:
>> > -----Original Message-----
>> > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Rifaat Shekh-Yusef
>> > Sent: Friday, January 05, 2018 12:30 PM
>> > To: e...@rtfm.com
>> > Cc: oauth@ietf.org; iesg-secret...@ietf.org; oauth-cha...@ietf.org
>> > Subject: [EXTERNAL] [OAUTH-WG] Publication has been requested for draft-ietf-oauth-device-flow-07
>> >
>> > Rifaat Shekh-Yusef has requested publication of draft-ietf-oauth-device-flow-07 as Proposed Standard on behalf of the OAUTH working group.
>> >
>> > Please verify the document's state at
>> > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>>
>> The document really should be updated to reflect the last call discussions
>> prior to requesting publication for the -07 version that needs to be updated.
>>
>> Scott
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
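The brute-force scenario William refers to (an attacker guessing pending user codes at the verification endpoint, so that the victim's device ends up bound to the attacker's account) is bounded on the authorization server side by two things the draft asks implementers to weigh: the entropy of the user code format and rate limiting of failed code submissions. The following Python is an added illustration written for this archive page; it is not code from the thread, the draft, or its authors. It assumes a hypothetical code format of 8 characters drawn from a 20-letter consonant alphabet, a hypothetical in-memory rate limiter, and a constructed set of pending codes; none of these values come from the thread.

```python
import math
import secrets
import time
from collections import defaultdict

# Assumed user-code format for this example (not taken from the thread):
# 8 characters from a 20-letter consonant alphabet, displayed as XXXX-XXXX.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LENGTH = 8


def generate_user_code() -> str:
    """Draw a user code from the assumed alphabet with a CSPRNG."""
    body = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))
    return f"{body[:4]}-{body[4:]}"


def normalize_user_code(typed: str) -> str:
    """Canonicalize what the user typed: drop separators, upper-case."""
    return typed.replace("-", "").replace(" ", "").upper()


def user_code_entropy_bits(alphabet_size: int = len(USER_CODE_ALPHABET),
                           length: int = USER_CODE_LENGTH) -> float:
    """Entropy of a uniformly random code of the given shape, in bits."""
    return length * math.log2(alphabet_size)


def brute_force_coverage(alphabet_size: int, length: int,
                         attempts_per_second: float,
                         code_lifetime_seconds: float) -> float:
    """Fraction of the code space an attacker can cover during one code's
    lifetime when the verification endpoint caps them at the given rate."""
    space = alphabet_size ** length
    attempts = attempts_per_second * code_lifetime_seconds
    return min(1.0, attempts / space)


class VerificationRateLimiter:
    """Hypothetical in-memory limiter: refuse a source once it has recorded
    max_failures failed submissions inside a sliding window."""

    def __init__(self, max_failures: int, window_seconds: float, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # source -> failure timestamps

    def _prune(self, source: str) -> None:
        cutoff = self.clock() - self.window
        self._failures[source] = [t for t in self._failures[source] if t > cutoff]

    def allow(self, source: str) -> bool:
        self._prune(source)
        return len(self._failures[source]) < self.max_failures

    def record_failure(self, source: str) -> None:
        self._failures[source].append(self.clock())


def handle_user_code_submission(pending_codes: set, source: str,
                                submitted: str, limiter: VerificationRateLimiter) -> str:
    """Check a verification endpoint would run before binding the signed-in
    user's approval to a pending device authorization. Returns
    'rate_limited', 'invalid' or 'ok'; only 'ok' should proceed to consent."""
    if not limiter.allow(source):
        return "rate_limited"
    code = normalize_user_code(submitted)
    if code not in pending_codes:
        limiter.record_failure(source)
        return "invalid"
    return "ok"


if __name__ == "__main__":
    print("example code:", generate_user_code())
    print(f"entropy: {user_code_entropy_bits():.1f} bits")
    # Constructed parameters: 10 attempts/s allowed, 10-minute code lifetime.
    print("coverage per code lifetime:",
          brute_force_coverage(len(USER_CODE_ALPHABET), USER_CODE_LENGTH, 10, 600))
```

The coverage figure is the quantity an authorization server should reason about: the rate limit and the code lifetime together cap how many guesses an attacker gets, and the alphabet and length set the size of the space those guesses are drawn from. Normalizing the typed code before lookup keeps the user-facing format (hyphens, lower case) from creating distinct-looking but equivalent guesses.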