[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

William Denniss wdenniss at google.com
Mon Apr 25 21:53:04 UTC 2016


We discussed this topic at the OIDF workshop today. The consensus was that
we should publish a formal-ish (board reviewed) blog post / bulletin with
implementation advice on how to mitigate Mix-up and Cut-and-Paste in
Connect.

Interested parties can meet tomorrow at IIW to draft this text.

On Sat, Apr 23, 2016 at 7:57 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> I think there are two discussions.
>
> One is what the OAuth WG should do and that should be on the OAuth list.
>
> There is a separate discussion about what Connect should recommend until
> OAuth addresses the issue.
>
> I think the latter was how this thread started.
>
> We should not wait for OAuth to recommend something before we
> explain the existing mitigations in Connect.
>
> The touchier topic is should we add anything new before OAuth decides.
>
> To Brian's point about the AS not identifying itself in the response,
> that was the recommended change from the Darmstadt meeting. I am however
> hesitant to take that up as a Connect only fix even though it would work
> just fine for Connect.
>
> John B.
> On Apr 23, 2016 9:04 AM, "Brian Campbell" <bcampbell at pingidentity.com>
> wrote:
>
>> Just noticed a typo in my previous message. I meant to write "omission"
>> rather than "commission" there. Should have said:
>>
>> My view is still that the attack is enabled by an *omission* in OAuth of
>> the AS identifying itself in the authorization response. I think the fix
>> should be at that layer too. Progress in the OAuth WG isn't exactly
>> promising though...
>>
>> On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt <
>> torsten at lodderstedt.net> wrote:
>>
>>> Am 15.04.2016 um 19:05 schrieb Brian Campbell:
>>>
>>>> My view is still that the attack is enabled by an commission in OAuth
>>>> of the AS identifying itself in the authorization response. I think the fix
>>>> should be at that layer too. Progress in the OAuth WG isn't exactly
>>>> promising though...
>>>>
>>> Why don't we bring this discussion to the OAuth WG? It's nearly the same
>>> group of people as on this list.
>>>
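The two mitigations the thread refers to, binding the expected issuer to `state` and having the AS identify itself in the authorization response (the `iss` response parameter proposed at Darmstadt, later standardized as RFC 9207) plus the Connect-side check of the ID token's `iss` claim, as an added client-side example that is not from the thread, the OIDF or any named implementation; the issuer URLs and token endpoints are constructed.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample: the issuer URLs and token endpoints below are hypothetical.
PROVIDERS = {
    "https://honest.example": "https://honest.example/token",
    "https://attacker.example": "https://attacker.example/token",
}

# Pending logins: state -> issuer the user was sent to. Binding the expected
# issuer to state at request time is what lets the client notice a mix-up when
# the authorization response comes back.
PENDING = {}

def start_login(issuer):
    """Record which AS this login belongs to; return the state to send with it."""
    state = secrets.token_urlsafe(16)
    PENDING[state] = issuer
    return state

def check_authorization_response(redirect_url):
    """Validate the redirect back to the client; return the token endpoint to use."""
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    expected_issuer = PENDING.pop(params.get("state", ""), None)  # state is single use
    if expected_issuer is None:
        raise ValueError("unknown or replayed state")
    # The AS identifying itself in the response (the iss response parameter).
    if params.get("iss") != expected_issuer:
        raise ValueError("iss in response does not match the AS the user was sent to")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    # Always use the token endpoint of the expected issuer, never one derived
    # from the response itself, so the code is never sent to the wrong AS.
    return PROVIDERS[expected_issuer]

def encode_claims(claims):
    """Base64url-encode a claims dict (used only to build constructed ID tokens)."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()

def id_token_issuer_matches(id_token, expected_issuer):
    """Connect-side check: the ID token's iss claim must name the expected issuer.
    Signature validation is assumed to happen separately; only the claim is read."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("iss") == expected_issuer
```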