[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile
Torsten Lodderstedt
torsten at lodderstedt.net
Wed Apr 27 17:23:54 UTC 2016
*** Sorry. I did it again. ***
Hi William,
may interested parties at remote locations contribute as well?
best regards,
Torsten.
PS: where had the OIDF workshop been announced? I don't remember a
posting on this list.
Am 27.04.2016 um 19:22 schrieb Torsten Lodderstedt:
>
> Hi Denniss,
>
> may interested parties at remote locations contribute as well?
>
> best regards,
> Torsten.
>
> PS: where had the OIDF workshop been announced? I don't remember a
> posting on this list.
>
> Am 25.04.2016 um 23:53 schrieb William Denniss:
>> We discussed this topic at the OIDF workshop today. The consensus was
>> that we should publish a formal-ish (board reviewed) blog post /
>> bulletin with implementation advice on how to mitigate Mix-up and
>> Cut-and-Paste in Connect.
>>
>> Interested parties can meet tomorrow at IIW to draft this text.
>>
>> On Sat, Apr 23, 2016 at 7:57 AM, John Bradley <ve7jtb at ve7jtb.com
>> <mailto:ve7jtb at ve7jtb.com>> wrote:
>>
>> I think there are two discussions.
>>
>> One is what the OAuth WG should do and that should be on the
>> OAuth list.
>>
>> There is a separate discussion about what Connect should
>> recommend untill OAuth addresses the issue.
>>
>> I think the latter was how this thread started.
>>
>> We not be should not wait for OAuth to recommend something before
>> we explain the existing mitigations in Connect.
>>
>> The touchier topic is should we add anything new before OAuth
>> decides.
>>
>> To Brian's point about the AS not identifying itself in the
>> response, that was the recommended change from the Darmstadt
>> meeting. I am however hesitant to take that up as a Connect
>> only fix even though it would work just fine for Connect.
>>
>> John B.
>>
>> On Apr 23, 2016 9:04 AM, "Brian Campbell"
>> <bcampbell at pingidentity.com <mailto:bcampbell at pingidentity.com>>
>> wrote:
>>
>> Just noticed a typo in my previous message. I meant to write
>> "omission" rather than "commission" there. Should have said:
>>
>> My view is still that the attack is enabled by an *omission*
>> in OAuth of the AS identifying itself in the authorization
>> response. I think the fix should be at that layer too.
>> Progress in the OAuth WG isn't exactly promising though...
>>
>> On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt
>> <torsten at lodderstedt.net> wrote:
>>
>> Am 15.04.2016 um 19:05 schrieb Brian Campbell:
>>
>> My view is still that the attack is enabled by an
>> commission in OAuth of the AS identifying itself in
>> the authorization response. I think the fix should be
>> at that layer too. Progress in the OAuth WG isn't
>> exactly promising though...
>>
>> Why don`t we bring this discussion to the OAuth WG? It`s
>> nearly the same group of people as on this list.
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160427/39d4774f/attachment.html>
More information about the Openid-specs-ab
mailing list