[OAUTH-WG] OAuth Security Workshop 2020 — Trondheim — July 22–24, 2020

2019-11-19 Thread Daniel Fett
Dear OAuthians, The fifth edition of the annual OAuth Security Workshop will take place on July 22–24, 2020 in Trondheim, Norway. Registration, Call for Sessions, and hotel booking are now open. The aim of the OAuth Security Workshop (OSW) is to improve the security of OAuth and related Intern

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

2019-11-19 Thread Hans Zandbelt
On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <tors...@lodderstedt.net> wrote: > Hi Hans, > > > On 18. Nov 2019, at 04:11, Hans Zandbelt > wrote: > > > > Hi, > > > > Please find my feedback from page 21 onwards below. > > > > Hans. > > > > Overall I would argue there's room for a very con

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

2019-11-19 Thread Torsten Lodderstedt
> On 19. Nov 2019, at 17:10, Hans Zandbelt wrote: > > > > On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt > wrote: > Hi Hans, > > > On 18. Nov 2019, at 04:11, Hans Zandbelt wrote: > > > > Hi, > > > > Please find my feedback from page 21 onwards below. > > > > Hans. > > > > Overa

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

2019-11-19 Thread Hans Zandbelt
How about: - don't use the Implicit or Resource Owner Password Credentials grant types - perform exact matching of redirect URIs and make them Client/AS specific - use PKCE Hans. On Tue, Nov 19, 2019 at 5:58 PM Torsten Lodderstedt wrote: > > > > On 19. Nov 2019, at 17:10, Hans Zandbelt > wro

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

2019-11-19 Thread Torsten Lodderstedt
Oh, I see where you are heading. We potentially can cut some bells and whistles out of the current text. > On 19.11.2019 at 18:06, Hans Zandbelt wrote: > > > How about: > > - don't use the Implicit or Resource Owner Password Credentials grant types > - perform exact matching of redirect UR

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

2019-11-19 Thread Rob Otto
" don't use the Implicit or Resource Owner Password Credentials grant types" I cannot overstate how strongly I would support this recommendation in particular! Best regards Rob On Tue, 19 Nov 2019 at 10:07, Hans Zandbelt wrote: > How about: > > - don't use the Implicit or Resource Owner Pass

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-19 Thread Neil Madden
Thanks for the reply, Brian. Collecting my thoughts up here rather than responding blow by blow. Public key signatures are simpler in some respects, more complex in others. There are currently 10 public key JWS signature schemes defined (ES256/384/512, RS256/384/512, PS256/384/512, EdDSA) - do

[OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-19 Thread Mike Jones
I did a complete read of draft-ietf-oauth-security-topics-13. My review comments follow, divided into substantive and editorial sections. SUBSTANTIVE 2. Attacker Model, (A1) - Attacker description (A1) actually describes two kin

[OAUTH-WG] IETF 106 IETF video stream

2019-11-19 Thread Filip Skokan
Hi, I can hear an audio stream but no video has been started yet? Best, *Filip* ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth