Hi all,

I don't believe the CISA report linked from this page has been discussed in the OAuth group yet:

https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023

Of particular note is that the IETF, and I think implicitly (as OIDC is built on top of OAuth) the OAuth WG, is called out:

"CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope."

From page 22, section 2.1.4, "DIGITAL IDENTITY STANDARDS AND GUIDANCE", recommendation 13. (Bold emphasis added by myself.)

Recommendation 11 explicitly recommends DPoP, which is nice.

Recommendation 12 is also perhaps in scope for this group, though I can't say I understand how to action it:

"Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems."

Thanks,
Joseph
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org