Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-04 Thread Axel.Nennker
day, 3. January 2024 at 19:53 To: Nennker, Axel <axel.nenn...@telekom.de> Cc: mail=40danielfett...@dmarc.ietf.org, oauth@ietf.org

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
th <oauth-boun...@ietf.org> on behalf of Daniel Fett <mail=40danielfett...@dmarc.ietf.org> Date: Wednesday, 3. January 2024 at 17:48 To: oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-secu

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Justin Richer
behalf of Daniel Fett <mail=40danielfett...@dmarc.ietf.org> Date: Wednesday, 3. January 2024 at 17:48 To: oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23 Hi Axel, It is to be expected

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
PKCE [RFC7636<https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." do not go well together. //Axel From: OAuth on behalf of Daniel Fett Date: Wednesday, 3. January 2024 at 17:48 To: oauth@ietf.org Subject: Re: [OAUTH-WG] Sh

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Daniel Fett
CE? //Axel *From: *OAuth on behalf of Daniel Fett *Date: *Wednesday, 3. January 2024 at 14:01 *To: *oauth@ietf.org *Subject: *Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23 Hi Axel, I would be happy to see OAuth move away from state as a CSRF protection mechanism in t

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
ry 2024 at 14:01 To: oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23 Hi Axel, I would be happy to see OAuth move away from state as a CSRF protection mechanism in the future, but there is not too much to be gained from relying solely on PKCE right

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Daniel Fett
iel Fett *Date: *Thursday, 28. December 2023 at 14:38 *To: *oauth@ietf.org *Subject: *Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23 Hi Hannes, thanks again for your feedback! It is incorporated in the editor's copy now. - https://oauthstuff.github.io/draft-iet

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-02 Thread Axel.Nennker
CSRF protection provided by PKCE." Kind regards Axel From: OAuth on behalf of Daniel Fett Date: Thursday, 28. December 2023 at 14:38 To: oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23 Hi Hannes, thanks again for your feedback! It is

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2023-12-28 Thread Daniel Fett
Hi Hannes, thanks again for your feedback! It is incorporated in the editor's copy now. - https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html - Diff to published version: https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-

[OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2023-10-04 Thread Tschofenig, Hannes
Hi all, here are some comments as part of my shepherd review of the OAuth Security BCP. First, I want to send a big "Thanks" to everyone in the group for the work on this document and to the authors in particular. It has taken us a while to come up with such an impressive list of security recom