[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Torsten Lodderstedt torsten at lodderstedt.net
Wed Apr 27 17:22:34 UTC 2016


Hi Denniss,

may interested parties at remote locations contribute as well?

best regards,
Torsten.

PS: where had the OIDF workshop been announced? I don't remember a 
posting on this list.

Am 25.04.2016 um 23:53 schrieb William Denniss:
> We discussed this topic at the OIDF workshop today. The consensus was 
> that we should publish a formal-ish (board reviewed) blog post / 
> bulletin with implementation advice on how to mitigate Mix-up and 
> Cut-and-Paste in Connect.
>
> Interested parties can meet tomorrow at IIW to draft this text.
>
> On Sat, Apr 23, 2016 at 7:57 AM, John Bradley <ve7jtb at ve7jtb.com 
> <mailto:ve7jtb at ve7jtb.com>> wrote:
>
>     I think there are two discussions.
>
>     One is what the OAuth WG should do and that should be on the OAuth
>     list.
>
>     There is a separate discussion about what Connect should recommend
>     untill OAuth addresses the issue.
>
>     I think the latter was how this thread started.
>
>     We not be should not wait for OAuth to recommend something before
>     we explain the existing mitigations in Connect.
>
>     The touchier topic is should we add anything new before OAuth
>     decides.
>
>     To Brian's point about the AS not identifying itself in the
>     response,  that was the recommended change from the Darmstadt
>     meeting.   I am however hesitant to take that up as a Connect only
>     fix even though it would work just fine for Connect.
>
>     John B.
>
>     On Apr 23, 2016 9:04 AM, "Brian Campbell"
>     <bcampbell at pingidentity.com <mailto:bcampbell at pingidentity.com>>
>     wrote:
>
>         Just noticed a typo in my previous message. I meant to write
>         "omission" rather than "commission" there. Should have said:
>
>         My view is still that the attack is enabled by an *omission*
>         in OAuth of the AS identifying itself in the authorization
>         response. I think the fix should be at that layer too.
>         Progress in the OAuth WG isn't exactly promising though...
>
>         On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt
>         <torsten at lodderstedt.net <mailto:torsten at lodderstedt.net>> wrote:
>
>             Am 15.04.2016 um 19:05 schrieb Brian Campbell:
>
>                 My view is still that the attack is enabled by an
>                 commission in OAuth of the AS identifying itself in
>                 the authorization response. I think the fix should be
>                 at that layer too. Progress in the OAuth WG isn't
>                 exactly promising though...
>
>             Why don`t we bring this discussion to the OAuth WG? It`s
>             nearly the same group of people as on this list.
>
>
>
>     _______________________________________________
>     Openid-specs-ab mailing list
>     Openid-specs-ab at lists.openid.net
>     <mailto:Openid-specs-ab at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160427/7551c28c/attachment.html>


More information about the Openid-specs-ab mailing list