> A fair question is whether allowing clients to choose from among
> supported authentication methods represents an opportunity for a
> downgrade attack. Since resource servers will only enumerate
> authentication methods acceptable to them, by definition, any choice
> made by the client from among them is one that the resource server is
> OK with. Thus, the resource server allowing the use of different
> supported authentication methods does not represent an opportunity for
> a downgrade attack.
>

A resource server could be configured to accept a method that is considered
secure at one time but might be considered insecure later on.
A resource server could also be misconfigured with insecure methods.

For this reason, I still think that a discussion of a potential downgrade
attack is warranted in the Security Considerations section.

Regards,
 Rifaat
On Sat, Jul 6, 2024 at 12:30 AM Michael Jones <michael_b_jo...@hotmail.com>
wrote:

> The PR
> https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45 is
> intended to address these shepherd review comments.  Please review.
>
> Thanks,
> -- Mike
>
> *From:* Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> *Sent:* Thursday, July 4, 2024 5:30 AM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource
> Metadata draft
>
> Mike, Phil, Aaron,
>
> The following is my shepherd review for OAuth 2.0 Protected Resource
> Metadata
> https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html
>
> *Comments/Questions*
>
> 5.4. Compatibility with other authentication methods
>
> Would this not open the door for potential downgrade attacks if the list
> of authentication methods includes weaker methods?
> I think this should be discussed in the Security Considerations section.
>
> *Nits*
>
> Section 1, second sentence:
> “This specification is intentionally as parallel as possible …”
> It feels like there is a missing word after “intentionally”; maybe
> “designed”, “specified”?
>
> Regards,
>
> Rifaat
>
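One defender-side way to close the gap Rifaat raises, as an added example that is not from the draft, the PR or either message: the client ranks the challenges a resource server offers against its own policy and refuses to drop below a floor, and an operator-side audit flags schemes that have since been deemed insecure. The sample WWW-Authenticate header, the client preference list and the deprecated-scheme set are constructed for this example; the `resource_metadata` challenge parameter is the one the draft defines.

```python
import re

# Constructed sample: a protected resource answering with two challenges,
# one of which (Basic) is weaker than the Bearer method the client wants.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="api", resource_metadata='
    '"https://resource.example/.well-known/oauth-protected-resource", '
    'Basic realm="api"'
)

# Client-side policy (an assumption of this example, not from the draft):
# schemes ranked strongest first, plus a floor the client will not go below.
CLIENT_PREFERENCE = ["Bearer", "Basic"]
CLIENT_FLOOR = "Bearer"

DEPRECATED_SCHEMES = frozenset({"basic"})  # operator policy: no longer secure

# One token of a WWW-Authenticate value: either name=value (quoted or
# bare) or a bare scheme name; commas between tokens are consumed.
TOKEN = re.compile(r'\s*(?:([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)'
                   r'|([A-Za-z][\w-]*))\s*,?')

def parse_challenges(header):
    """Split a WWW-Authenticate value into a list of (scheme, params).
    Simplified parser: handles the quoted-string and token forms used
    above, not the token68 form of RFC 9110."""
    challenges = []
    for name, value, scheme in TOKEN.findall(header):
        if scheme:
            challenges.append((scheme, {}))
        elif challenges:
            challenges[-1][1][name.lower()] = value.strip('"')
    return challenges

def select_scheme(header, preference=CLIENT_PREFERENCE, floor=CLIENT_FLOOR):
    """Return (scheme, params) for the strongest offered scheme the client
    accepts. The client walks its own ranking, not the server's list, and
    raises rather than silently using anything weaker than the floor."""
    offered = {s.lower(): p for s, p in parse_challenges(header)}
    acceptable = preference[: preference.index(floor) + 1]
    for scheme in acceptable:
        if scheme.lower() in offered:
            return scheme, offered[scheme.lower()]
    raise ValueError("no acceptable scheme offered: %s" % sorted(offered))

def audit_challenges(header, deprecated=DEPRECATED_SCHEMES):
    """Operator-side check for the drift Rifaat describes: report any
    advertised scheme that policy has since marked insecure."""
    advertised = {s.lower() for s, _ in parse_challenges(header)}
    return sorted(advertised & set(deprecated))
```

Running `audit_challenges` against the header a deployment actually emits is a cheap config-review or monitoring check for the misconfiguration case, independent of what clients do.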
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org