Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-03-15 Thread Neil Madden
There is now a draft from the W3C explicitly addressing Spectre and its impacts on web security. I think we should aim to incorporate the guidance for “dynamic subresources” [1], and in particular the first item in the list, which is recommendations for "Application-internal resources (private A

[OAUTH-WG] Security of OAuth on Android [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

2021-03-15 Thread Neil Madden
I want to come back to this topic as a new thread. As I understand things, the difference on Android is that any app can claim to be a generic web browser and so claim to handle all URIs. Whereas on iOS only specifically vetted apps can claim to be web browsers. Is that correct? If so, this doe

Re: [OAUTH-WG] DPoP Interim Meeting

2021-03-15 Thread Denis
All, On December, the 2nd, 2020, I sent two emails to the OAuth mailing list. Their titles were: * [OAUTH-WG] Proposed text for a Privacy considerations section in draft-ietf-oauth-dpop-02 * [OAUTH-WG] Proposed changes to draft-ietf-oauth-dpop-02 AFAIR, I have not seen a response to thes

Re: [OAUTH-WG] DPoP Interim Meeting

2021-03-15 Thread Brian Campbell
https://mailarchive.ietf.org/arch/msg/oauth/VDAFrjPK5rFQqVUw9KWc3GhpIbs/ was in response to the second email you mention. It also touched on the subject of your first email, which I felt was more than sufficient response. Some changes were made to the draft sauce as a result as well: https://githu

Re: [OAUTH-WG] DPoP Interim Meeting

2021-03-15 Thread Brian Campbell
"draft sauce" in the previous message should have said, "draft souce" apologies for any inconvenience this may have caused On Mon, Mar 15, 2021 at 9:45 AM Brian Campbell wrote: > https://mailarchive.ietf.org/arch/msg/oauth/VDAFrjPK5rFQqVUw9KWc3GhpIbs/ > was in response to the second email you m

Re: [OAUTH-WG] DPoP Interim Meeting

2021-03-15 Thread Brian Campbell
"draft souce" in the previous message should have said, "draft source" hopefully this will be the last message from me on this topic On Mon, Mar 15, 2021 at 12:55 PM Brian Campbell wrote: > "draft sauce" in the previous message should have said, "draft souce" > > apologies for any inconvenienc

Re: [OAUTH-WG] OAuth mTLS and JWK use/key_ops

2021-03-15 Thread Benjamin Kaduk
On Mon, Mar 08, 2021 at 01:19:46PM +, Neil Madden wrote: > > > > On 8 Mar 2021, at 12:50, Neil Madden wrote: > > > > An interesting question was raised by our developers around the > > interpretation of JWK “use” and “key_ops” constraints when publishing a > > self-signed certificate for

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-02.txt

2021-03-15 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : The OAuth 2.1 Authorization Framework Authors : Dick Hardt Aaron Parecki