[Openid-specs-ab] Candidate OpenID Connect errata correction drafts published
Tom Jones
thomasclinganjones at gmail.com
Sat Sep 23 20:31:41 UTC 2023
Security Considerations
While it is possible to assign handlers to URIs, and it is possible that
the o/s could help the user select the correct handler, it is not possible
to guarantee that the handler for a given URI has not been completely taken
over by a subsequently installed native app. At the time this was written
there appears to be no fool-proof mitigation for this vulnerability.
Be the change you want to see in the world ..tom
On Sat, Sep 23, 2023 at 1:19 PM Michael Jones <michael_b_jones at hotmail.com>
wrote:
> Thanks for writing this feedback, Tom. Can you propose the additional
> security considerations text that you’d like to see included?
>
> Thanks,
>
> -- Mike
>
> From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On
> Behalf Of Tom Jones via Openid-specs-ab
> Sent: Monday, August 14, 2023 9:54 PM
> To: Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> Cc: Tom Jones <thomasclinganjones at gmail.com>
> Subject: Re: [Openid-specs-ab] Candidate OpenID Connect errata
> correction drafts published
>
> I read through the oidc errata - mostly good.
>
> One concern is section 16.23 which describes the iOS ability to assign
> handlers. The paragraph is correct, but there are severe security
> considerations to this solution that are not included in the document
> anywhere. Specifically it is too easy to get the user to reassign the
> pointer to malware. It is easy to get users to do this in my experience, so
> security considerations are warranted. I did not yet file an issue to see
> if anyone agreed with me, and then I would do it.
>
> Let's not lead the user into danger. ..tom
>
> On Mon, Aug 14, 2023 at 10:39 AM Andrii Deinega via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/
> is a link to a discussion on the "pragma" response header in OAuth 2 WG.
>
> Regards,
>
> Andrii
>
> On Mon, Aug 14, 2023 at 10:23 AM Andrii Deinega <andrii.deinega at gmail.com>
> wrote:
>
> Hi Michael,
>
> Two very minor things.
>
> 1. The Pragma HTTP response header can be removed from all examples in
> all specs. Take a look at an old discussion in the OAuth 2 WG. The OAuth 2.1
> spec does not have any references to it either.
>
> 2. no-store is the strongest cache directive and it already includes
> no-cache. Hence, the use of "Cache-Control: no-store" in all examples
> should be enough.
>
> Regards,
>
> Andrii
>
> On Sun, Aug 13, 2023 at 3:23 PM Michael Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> I’ve published drafts incorporating all the proposed errata corrections
> for the OpenID Connect family of specifications. This is a major step
> along the way both towards publishing our second errata set for OpenID
> Connect and for submission to ISO as Publicly Available Specification (PAS)
> standards.
>
> The drafts incorporating the errata corrections are:
>
> - https://openid.net/specs/openid-connect-core-1_0-32.html
> - https://openid.net/specs/openid-connect-discovery-1_0-35.html
> - https://openid.net/specs/openid-connect-registration-1_0-37.html
> - https://openid.net/specs/openid-connect-backchannel-1_0-11.html
>
> The History sections of the specs describe each of the changes made. If
> you want to see the precise changes incorporated, I suggest using your
> favorite HTML-capable diff tool (such as Microsoft Word) and comparing the
> baseline docs below to the ones above:
>
> - https://openid.net/specs/openid-connect-core-1_0-errata1.html
> - https://openid.net/specs/openid-connect-discovery-1_0-errata1.html
> - https://openid.net/specs/openid-connect-registration-1_0-errata1.html
> - https://openid.net/specs/openid-connect-backchannel-1_0-final.html
>
> Diffs are also possible for the .txt and .xml versions of the specs; just
> substitute “html” in the URLs above for “txt” or “xml” and use your
> favorite diff tool.
>
> I plan to ask for working group review of these changes during tomorrow’s
> working group call. Following the working group review, we’ll hold the
> foundation-wide 45-day proposed errata review and then the approval vote.
>
> -- Mike
>
> P.S. Our two Implementer’s Guides were also updated in parallel to keep
> them current with the versions incorporating errata corrections. The
> corresponding versions are:
>
> - https://openid.net/specs/openid-connect-basic-1_0-44.html
> - https://openid.net/specs/openid-connect-implicit-1_0-27.html
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
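Andrii's two caching points in the quoted thread (that `Cache-Control: no-store` on its own is sufficient, and that the `Pragma` header is redundant next to it) can be turned into a small response-header check. The code below is an added example, not part of the mailing-list thread or of any OpenID specification; the sample header sets are constructed here and do not come from a real deployment.

```python
"""Check the cache-related headers of a token- or userinfo-style HTTP response.

Added example, not from the OpenID Connect specs or this thread. It encodes
the rule discussed there: `Cache-Control: no-store` is enough by itself
(it already covers no-cache), and `Pragma: no-cache` adds nothing.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header value into {directive: argument}.

    Directive names are lower-cased; directives without an argument map to "".
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def check_no_store(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a response's headers; [] means acceptable."""
    findings: List[str] = []
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("missing Cache-Control: no-store (response may be stored by a cache)")
    elif "no-cache" in cc:
        findings.append("Cache-Control: no-cache is redundant once no-store is present")
    if "pragma" in lower:
        findings.append("Pragma is redundant alongside Cache-Control: no-store; drop it")
    return findings


# Constructed sample header sets (illustrative only, not captured traffic).
LEGACY_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache, no-store",
    "Pragma": "no-cache",
}
MODERN_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
}
MISSING_HEADERS = {"Content-Type": "application/json"}

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY_HEADERS), ("modern", MODERN_HEADERS), ("missing", MISSING_HEADERS)):
        print(label, check_no_store(hdrs) or "ok")
```

Running the module prints two findings for the legacy header set (redundant `no-cache` and `Pragma`), `ok` for the modern set, and one finding for the set with no caching directives at all. The check is deliberately strict only about `no-store`, since that is the directive the thread identifies as sufficient for token and userinfo responses.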