Hi folks, we updated the Cross-Device Flows: Security Best Current Practice based on feedback received after IETF 116.
Updates include:
- Introduced Cross-Device Consent Phishing as a label for the types of attacks described in this document.
- Updated labels for different types of flows (User-Transferred Session Data Pattern, Backchannel-Transferred Session Pattern, User-Transferred Authorization Data Pattern)
- Adopted consistent use of hyphenation in using "cross-device"
- Consistent use of "Authorization Device"
- Update Reference to Secure Signals Framework to reflect name change from Secure Signals and Events
- Described difference between proximity enforced and proximity-less cross-device flows
- Fixed typos and grammar edits
- Capitalised Initiating Device and Authorization Device
- General editorial pass

Rifaat, we would like to request a time on the agenda to discuss the pros/cons and any concerns that may arise from introducing normative requirements (see https://mailarchive.ietf.org/arch/msg/oauth/dhQQsJjHqMnmUdTaUsKyEQ3uuLw/ ), as well as outstanding open issues (https://github.com/oauth-wg/oauth-cross-device-security/issues) and propose next steps for this draft.

Cheers

Pieter

-----Original Message-----
From: OAuth <oauth-boun...@ietf.org> On Behalf Of internet-dra...@ietf.org
Sent: Monday, July 10, 2023 10:20 AM
To: i-d-annou...@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This Internet-Draft is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

Title : Cross-Device Flows: Security Best Current Practice
Authors : Pieter Kasselman
          Daniel Fett
          Filip Skokan
Filename : draft-ietf-oauth-cross-device-security-02.txt
Pages : 43
Date : 2023-07-10

Abstract:
This document describes threats against cross-device flows along with near term mitigations, protocol selection guidance and the analytical tools needed to evaluate the effectiveness of these mitigations.
It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-02

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth