[OAUTH-WG] Mailing List for submitting OAuth Security and Vulnerability Reports

2016-01-12 Thread Hannes Tschofenig
Hi all, you may have seen (from the announcement sent by the secretary) that we have requested the creation of a new mailing list, namely . We want to use this list as an "entry point" for others to submit vulnerability reports and other security problems related to OAuth. Because of the nature o

Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation

2016-01-12 Thread George Fletcher
If the endpoints are statically configured, does that in and of itself protect against most of the malicious endpoint attacks? There are other ways a client could protect against this malicious endpoint injection. However, I thought the point of the spec was to protect a client that truly suppo

Re: [OAUTH-WG] Mailing List for submitting OAuth Security and Vulnerability Reports

2016-01-12 Thread Aaron Parecki
If you send me a short sentence I can add a note on the oauth.net site with this information as well. Aaron Parecki aaronparecki.com @aaronpk On Tue, Jan 12, 2016 at 7:52 AM, Hannes Tschofenig < hannes.tschofe...@gmx.net> wrote: > Hi all, > > you may have seen

[OAUTH-WG] Mix-Up About The Mix-Up Mitigation

2016-01-12 Thread Brian Campbell
The "IdP Mix-Up" and "Malicious Endpoint" attacks (as well as variations on them) take advantage of the fact that there's nothing in the OAuth authorization response to the client's redirect_uri that identifies the authorization server. As a result, a variety of techniques can be used to trick the

Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation

2016-01-12 Thread Mike Jones
John Bradley and I went over this today and I'm already planning on simplifying the draft along the lines described. I would have written this earlier but I've been busy at a NIST meeting today. John has also started writing a note about how cut-and-paste does and doesn't apply here but hasn't f

Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation

2016-01-12 Thread Justin Richer
+1 to Brian’s point, and points to Mike for promising to address this. I wasn’t able to attend the meeting in Darmstadt, but I’ve been following the discussion and original papers. Let’s take this one piece at a time and not overreach with a solution. In particular, the whole “late binding disc

Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation

2016-01-12 Thread Phil Hunt (IDM)
I am in agreement with Brian. I understand what Mike is trying to do is safer, but I too am concerned that the escalation in knowledge/skills for oauth clients is significant. This may not be the same concern as for OIDC where we can expect more sophistication. Phil > On Jan 12, 2016, at 2