[Openid-specs-ab] Defining a Hardened (Mix-up and Cut-and-Paste Proof) OpenID Connect Profile

Wed Apr 27 17:33:49 UTC 2016

The OpenID workshop was Monday at Microsoft.

We didn’t have remote access.   I think it was announced on the general list with the eventbrite registration.

It may not have gone to the Connect list.

John B.

> On Apr 27, 2016, at 10:23 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> 
> *** Sorry. I did it again. ***
> Hi William,
> 
> may interested parties at remote locations contribute as well?
> 
> best regards,
> Torsten.
> 
> PS: where had the OIDF workshop been announced? I don't remember a posting on this list.
> 
> Am 27.04.2016 um 19:22 schrieb Torsten Lodderstedt:
>> Hi Denniss,
>> 
>> may interested parties at remote locations contribute as well?
>> 
>> best regards,
>> Torsten.
>> 
>> PS: where had the OIDF workshop been announced? I don't remember a posting on this list.
>> 
>> Am 25.04.2016 um 23:53 schrieb William Denniss:
>>> We discussed this topic at the OIDF workshop today. The consensus was that we should publish a formal-ish (board reviewed) blog post / bulletin with implementation advice on how to mitigate Mix-up and Cut-and-Paste in Connect.
>>> 
>>> Interested parties can meet tomorrow at IIW to draft this text.
>>> 
>>> On Sat, Apr 23, 2016 at 7:57 AM, John Bradley <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>> wrote:
>>> I think there are two discussions. 
>>> 
>>> One is what the OAuth WG should do and that should be on the OAuth list.
>>> 
>>> There is a separate discussion about what Connect should recommend untill OAuth addresses the issue. 
>>> 
>>> I think the latter was how this thread started. 
>>> 
>>> We not be should not wait for OAuth to recommend something before we explain the existing mitigations in Connect.
>>> 
>>> The touchier topic is should we add anything new before OAuth decides.  
>>> 
>>> To Brian's point about the AS not identifying itself in the response,  that was the recommended change from the Darmstadt meeting.   I am however hesitant to take that up as a Connect only fix even though it would work just fine for Connect. 
>>> 
>>> John B.
>>> 
>>> On Apr 23, 2016 9:04 AM, "Brian Campbell" <bcampbell at pingidentity.com <mailto:bcampbell at pingidentity.com>> wrote:
>>> Just noticed a typo in my previous message. I meant to write "omission" rather than "commission" there. Should have said:
>>> 
>>> My view is still that the attack is enabled by an omission in OAuth of the AS identifying itself in the authorization response. I think the fix should be at that layer too. Progress in the OAuth WG isn't exactly promising though... 
>>> 
>>> On Sat, Apr 23, 2016 at 5:36 AM, Torsten Lodderstedt < <mailto:torsten at lodderstedt.net>torsten at lodderstedt.net <mailto:torsten at lodderstedt.net>> wrote:
>>> Am 15.04.2016 um 19:05 schrieb Brian Campbell:
>>> My view is still that the attack is enabled by an commission in OAuth of the AS identifying itself in the authorization response. I think the fix should be at that layer too. Progress in the OAuth WG isn't exactly promising though... 
>>> Why don`t we bring this discussion to the OAuth WG? It`s nearly the same group of people as on this list.
>>> 
>>> 
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab <http://lists.openid.net/mailman/listinfo/openid-specs-ab>
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab <http://lists.openid.net/mailman/listinfo/openid-specs-ab>
>> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160427/a748b755/attachment.html>