Re: [OAUTH-WG] OAuth Security -- Next Steps

2016-07-27 Thread Brian Campbell
Agree. The BCP would be larger in scope than just mix-up. And given that approach, I don't know if it makes sense to have a document specific to mix-up. On Mon, Jul 25, 2016 at 11:43 AM, Anthony Nadalin wrote: > Sounds about right, but I would imagine that the BCP would cover any issue > that ar

Re: [OAUTH-WG] Working Group Last Call on "OAuth 2.0 for Native Apps"

2016-07-27 Thread Brian Campbell
I likewise believe there is a lot of value in this work and support the document moving forward. I reviewed -03 and have just a couple nits: Loopback URI Redirection in section 3 (which the author is already aware of becaus

Re: [OAUTH-WG] Working Group Last Call on "Authentication Method Reference Values"

2016-07-27 Thread Vladimir Dzhuvinov
On 18/07/16 17:30, Hannes Tschofenig wrote: > Hi all, > > this is a Last Call for comments on the "Authentication Method Reference > Values" specification. > > The document can be found here: > https://tools.ietf.org/html/draft-ietf-oauth-amr-values-01 > > Please have your comments in no later th

Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-27 Thread ve7jtb
With the mix up attack we assumed that the attacker is able to modify the request. In that case checking nonce in the code flow is not sufficient as the attacker can modify nonce. In this attack the attacker as I understand it can only view request and response, so checking nonce in code wil

Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-27 Thread Brian Campbell
Yeah, in a Connect "code" only flow, the nonce is optional but if the client/RP sends and checks it, that should mitigate this. On Wed, Jul 27, 2016 at 1:19 AM, nov matake wrote: > In Connect, if RP verifies nonce value in ID Token issued from Token > Endpoint, code cut & paste attack can be mit

Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-27 Thread Stephen Farrell
Is there any information as to what percentage of browsers have a vulnerable configuration? That's not clear to me and seems relevant. My impression was that wpad wasn't that widely enabled in browsers nowadays, but that may well be wrong. S. On 27/07/16 01:15, Dick Hardt wrote: > http://arstech

Re: [OAUTH-WG] URGENT: WPAD attack exposes URL contents even over HTTPS

2016-07-27 Thread nov matake
In Connect, if RP verifies nonce value in ID Token issued from Token Endpoint, code cut & paste attack can be mitigated in "code" flow, not in "code id_token", can't it? In pure OAuth2 scenario, I also think PKCE would be the simplest solution. 2016-07-27 15:45 GMT+09:00 tors...@lodderstedt.net :