Hi Dmitry,
I think you are right that it's probably worthwhile to allow for a
distinction in a protected resource error response. I'm inclined to say
that a new error code such as "invalid_dpop_proof" to use with the 401
response containing the DPoP WWW-Authenticate header is the most
straightforw
Hi All,
I think those are valid points, but they can be better addressed on
identity management forums like idsa or idpro.
https://www.idsalliance.org/
https://idpro.org/
On Mon, Aug 9, 2021 at 5:55 PM Warren Parad wrote:
> I definitely see that there is room for a potential attack depending
I definitely see that there is room for a potential attack depending on the
internal implementation. Wouldn't that be only relevant internally to the
auth server though? Would adding a feature flag to the discovery document
or visibility into configuration help reduce the attack surface? Perhaps, I
@wpa...@rhosys.ch - Using forgot password and registration verification
links or codes could be used as vectors of attack.
One possible point of insecurity that I have seen is this: after a user
verifies their code or link, they are often sent to another page where they
enter more information (suc
I think it would be prudent to potentially ask *why?* What problem is
necessary to be solved by discussing/standardizing these particular
features? There could be, but without understanding, knowing how best to
tackle it is a challenging conversation without the right context.
Warren Parad
Founde
I think the first step would be finding the appropriate IETF group. I don't
think this is in scope for OAuth-WG as this topic seems to be about account
management and user credentials.
From: Kevat Shah
Sent: Monday, August 9, 2021 16:14
To: mich...@palage.com
Cc
How would that work? Would we need to work with W3C to ensure conformity of
standards?
On Mon, Aug 9, 2021, 4:11 PM wrote:
> Although the IETF has been involved in Best Commercial Practices (BCP)
> (see https://www.ietf.org/rfc/bcp-index.txt ) which I think was the
> subject of Kevat’s original
Although the IETF has been involved in Best Commercial Practices (BCP) (see
https://www.ietf.org/rfc/bcp-index.txt ) which I think was the subject of
Kevat's original email.
So perhaps this is a subject matter that could co-exist in both the IETF and
W3C?
From: OAuth On Behalf Of T
I don't think there is explicit ownership, but generally password and magic
link type "stuff" happens in W3C.
There are existing work efforts around standardizing password reset endpoint
discovery, password complexity schemas, etc.
From: Kevat Shah
Sent: Monday,
That's a good point. Is it fair to assume that W3C owns the standards for
most (if not all) standards related to Identity Providers? Or does it make
sense for IETF to start setting these standards in cases where W3C
standards don't exist?
- Kevat
On Mon, Aug 9, 2021, 2:56 PM Tim Cappalli
wrote:
I believe this topic would be more W3C scope, not IETF.
tim
From: OAuth on behalf of Kevat Shah
Sent: Sunday, August 8, 2021 16:37
To: oauth@ietf.org
Subject: [OAUTH-WG] Specifications for Identity Providers
Some people who received this message don't often ge
11 matches
Mail list logo
