As an editorial note, the text referenced (section 5.2.4) by Joseph, "If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel Authentication (CIBA) provides an alternative." should reference "Client Initiated Backchannel Authentication (CIBA)". This reference is correct in the other sections of the document.

BR,
Bjorn

On Tue, Oct 25, 2022 at 3:49 AM Joseph Heenan <jos...@authlete.com> wrote:

> Hi Pieter / Daniel / Filip
>
> It’s great to see this document moving forward.
>
> I may have missed it, but it may be worth being more explicit that one solution is to avoid using cross-device flows for same-device scenarios? It’s sort of obvious, but questions like “well CIBA works for both cross-device and same-device, can’t I save myself effort by only implementing CIBA and not bothering with standard redirect-based OAuth flows?” are commonly asked.
>
> Also, in this text:
>
> "If FIDO2/WebAuthn support is not available, Channel Initiated Backchannel Authentication (CIBA) provides an alternative, provided that the underlying devices can receive push notifications.”
>
> It might be best to use a term other than ‘push notifications’ there or otherwise reword this, as there are alternatives. E.g. I think there’s at least one CIBA implementation out there that can use email to notify the user of an authorization request.
>
> Thanks
>
> Joseph
>
>
> On 19 Oct 2022, at 15:55, Pieter Kasselman <pieter.kasselman=40microsoft....@dmarc.ietf.org> wrote:
> >
> > Hi All
> >
> > Following on from the discussions at IETF 113, the OAuth Security Workshop, Identiverse and IETF 114, Daniel, Filip and I created a draft document capturing some of the attacks that we are seeing on cross device flows, including Device Authorization Grant (aka Device Code Flow).
> >
> > These attacks exploit the unauthenticated channel between devices to trick users into granting authorization by using social engineering techniques to change the context in which authorization is requested.
> >
> > The purpose of the document is to serve as guidance on best practices when designing and implementing scenarios that require cross device flows. We would appreciate any feedback or comments on the document, or any other mitigations or techniques that can be used to mitigate these attacks. Links to the documents are below. We also hope to discuss this at IETF 115 in London in a few weeks' time.
> >
> > -----------------------------------------------------------------------------------------------------
> > A new version of I-D, draft-kasselman-cross-device-security-00.txt
> > has been successfully submitted by Pieter Kasselman and posted to the IETF repository.
> >
> > Name: draft-kasselman-cross-device-security
> > Revision: 00
> > Title: Cross Device Flows: Security Best Current Practice
> > Document date: 2022-10-19
> > Group: Individual Submission
> > Pages: 25
> > URL: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> > Status: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.txt
> > Html: https://www.ietf.org/archive/id/draft-kasselman-cross-device-security-00.html
> > Htmlized: https://datatracker.ietf.org/doc/html/draft-kasselman-cross-device-security
> >
> > Abstract:
> > This document describes threats against cross-device flows along with near term mitigations, protocol selection guidance and the analytical tools needed to evaluate the effectiveness of these mitigations. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth