And I just happened to notice there are a few mentions of RFC8682 (TinyMT32 Pseudorandom Number Generator) which should probably be RFC8628 (OAuth 2.0 Device Authorization Grant).
On Fri, Oct 21, 2022 at 4:06 PM Brian Campbell <bcampb...@pingidentity.com> wrote:

> Just want to try and clarify some things about the status of CIBA, which is described somewhat erroneously as a "standard under development." There is a FAPI profile of CIBA that is still under development but core CIBA <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html> was finalized last year.
>
> On Wed, Oct 19, 2022 at 8:56 AM Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:
>
>> Hi All
>>
>> Following on from the discussions at IETF 113, the OAuth Security Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft document capturing some of the attacks that we are seeing on cross device flows, including Device Authorization Grant (aka Device Code Flow).
>>
>> These attacks exploit the unauthenticated channel between devices to trick users into granting authorization by using social engineering techniques to change the context in which authorization is requested.
>>
>> The purpose of the document is to serve as guidance on best practices when designing and implementing scenarios that require cross device flows. We would appreciate any feedback or comments on the document, or any other mitigations or techniques that can be used to mitigate these attacks. Links to the documents are below. We also hope to discuss this at IETF 115 in London in a few weeks' time.
>>
>> -----------------------------------------------------------------------------------------------------
>> A new version of I-D, draft-kasselman-cross-device-security-00.txt has been successfully submitted by Pieter Kasselman and posted to the IETF repository.
>>
>> Name: draft-kasselman-cross-device-security
>> Revision: 00
>> Title: Cross Device Flows: Security Best Current Practice
>> Document date: 2022-10-19
>> Group: Individual Submission
>> Pages: 25
>> URL: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
>> Status: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
>> Html: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
>>
>> Abstract:
>> This document describes threats against cross-device flows along with near term mitigations, protocol selection guidance and the analytical tools needed to evaluate the effectiveness of these mitigations. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth