[Openid-specs-ab] Candidate OpenID Connect errata correction drafts published

Michael Jones michael_b_jones at hotmail.com
Sat Sep 23 22:33:19 UTC 2023


See https://bitbucket.org/openid/connect/issues/2066/additional-security-considerations-for

From: Tom Jones <thomasclinganjones at gmail.com>
Sent: Saturday, September 23, 2023 1:32 PM
To: Michael Jones <michael_b_jones at hotmail.com>
Cc: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Candidate OpenID Connect errata correction drafts published

Security Considerations

While it is possible to assign handlers to URIs, and it is possible that the OS could help the user select the correct handler, it is not possible to guarantee that the handler for a given URI has not been completely taken over by a subsequently installed native app. At the time this was written there appears to be no foolproof mitigation for this vulnerability.


Be the change you want to see in the world ..tom


On Sat, Sep 23, 2023 at 1:19 PM Michael Jones <michael_b_jones at hotmail.com<mailto:michael_b_jones at hotmail.com>> wrote:
Thanks for writing this feedback, Tom.  Can you propose the additional security considerations text that you’d like to see included?

                                                       Thanks,
                                                       -- Mike

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net>> On Behalf Of Tom Jones via Openid-specs-ab
Sent: Monday, August 14, 2023 9:54 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>>
Cc: Tom Jones <thomasclinganjones at gmail.com<mailto:thomasclinganjones at gmail.com>>
Subject: Re: [Openid-specs-ab] Candidate OpenID Connect errata correction drafts published

I read through the OIDC errata - mostly good.
One concern is section 16;23 which describes the iOS ability to assign handlers. The paragraph is correct, but there are severe security considerations to this solution that are not included in the document anywhere. Specifically, it is too easy to get the user to reassign the pointer to malware. It is easy to get users to do this in my experience, so security considerations are warranted. I did not yet file an issue to see if anyone agreed with me, and then I would do it.

Let's not lead the user into danger. ..tom


On Mon, Aug 14, 2023 at 10:39 AM Andrii Deinega via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
https://mailarchive.ietf.org/arch/msg/oauth/9DdkE2P0RrUZMeZAbdf3NrMfy0w/ is a link to a discussion on the "pragma" response header in OAuth 2 WG.

Regards,
Andrii

On Mon, Aug 14, 2023 at 10:23 AM Andrii Deinega <andrii.deinega at gmail.com<mailto:andrii.deinega at gmail.com>> wrote:
Hi Michael,

Two very minor things.

1. The pragma HTTP response header can be removed from all examples from all specs. Take a look at an old discussion in the OAuth 2 WG. OAuth 2.1 spec does not have any references to it either.
2. The no-store is the strongest cache directive and it already includes no-cache. Hence, the use of "Cache-Control: no-store" in all examples should be enough.

Regards,
Andrii


On Sun, Aug 13, 2023 at 3:23 PM Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
I’ve published drafts incorporating all the proposed errata corrections for the OpenID Connect family of specifications.  This is a major step along the way both towards publishing our second errata set for OpenID Connect and for submission to ISO as Publicly Available Specification (PAS) standards.

The drafts incorporating the errata corrections are:

  *   https://openid.net/specs/openid-connect-core-1_0-32.html
  *   https://openid.net/specs/openid-connect-discovery-1_0-35.html
  *   https://openid.net/specs/openid-connect-registration-1_0-37.html
  *   https://openid.net/specs/openid-connect-backchannel-1_0-11.html

The History sections of the specs describe each of the changes made.  If you want to see the precise changes incorporated, I suggest using your favorite HTML-capable diff tool (such as Microsoft Word) and comparing the baseline docs below to the ones above:


  *   https://openid.net/specs/openid-connect-core-1_0-errata1.html
  *   https://openid.net/specs/openid-connect-discovery-1_0-errata1.html
  *   https://openid.net/specs/openid-connect-registration-1_0-errata1.html
  *   https://openid.net/specs/openid-connect-backchannel-1_0-final.html

Diffs are also possible for the .txt and .xml versions of the specs; just replace “html” in the URLs above with “txt” or “xml” and use your favorite diff tool.

I plan to ask for working group review of these changes during tomorrow’s working group call.  Following the working group review, we’ll hold the foundation-wide 45-day proposed errata review and then the approval vote.

                                                       -- Mike

P.S.  Our two Implementer’s Guides were also updated in parallel to keep them current with the versions incorporating errata corrections.  The corresponding versions are:

  *   https://openid.net/specs/openid-connect-basic-1_0-44.html
  *   https://openid.net/specs/openid-connect-implicit-1_0-27.html

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
https://lists.openid.net/mailman/listinfo/openid-specs-ab
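The security consideration Tom Jones proposes above describes a native app taking over the custom URI scheme handler that an OpenID Connect client uses as its redirect URI. The following is an added example, not text or code from the thread or from the OpenID specifications: a constructed simulation of that takeover, run once without and once with PKCE (RFC 7636). It shows what the hijacker actually receives in each case. The OS handler registry, the app names, the scheme and the authorization server behaviour are all assumptions made for the simulation. PKCE keeps the intercepted authorization code from being redeemed, but it does not prevent the takeover itself and the legitimate app still never receives its redirect, which is consistent with the statement that there is no foolproof mitigation.

```python
"""Constructed model of a custom-scheme handler takeover and of what PKCE changes.
Added example, not from the mailing-list thread; OS model and names are assumptions."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair() -> tuple:
    """Return (code_verifier, S256 code_challenge)."""
    verifier = secrets.token_urlsafe(32)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def code_from_redirect(uri: str) -> str:
    """Pull the authorization code out of a redirect URI's query string."""
    return parse_qs(urlparse(uri).query)["code"][0]


class SchemeRegistry:
    """Assumed OS behaviour: one handler per scheme, the last installation wins."""

    def __init__(self):
        self._handlers = {}

    def install(self, app_name: str, scheme: str) -> None:
        self._handlers[scheme] = app_name  # silently replaces any earlier registration

    def dispatch(self, uri: str) -> str:
        return self._handlers[urlparse(uri).scheme]


class AuthorizationServer:
    """Minimal AS: an authorization code is bound to a PKCE challenge when one was sent."""

    def __init__(self):
        self._codes = {}

    def authorize(self, redirect_uri: str, code_challenge: Optional[str]) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, code: str, code_verifier: Optional[str]) -> Optional[dict]:
        if code not in self._codes:
            return None
        challenge = self._codes.pop(code)  # single use, whether or not the exchange succeeds
        if challenge is not None:
            if code_verifier is None:
                return None
            expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
            if not secrets.compare_digest(expected, challenge):
                return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_scenario(use_pkce: bool) -> dict:
    """GoodApp registers the scheme; EvilApp installs later and takes it over."""
    scheme = "com.example.goodapp"  # assumed custom scheme used as the redirect URI
    registry = SchemeRegistry()
    registry.install("GoodApp", scheme)
    registry.install("EvilApp", scheme)  # the takeover the thread describes
    server = AuthorizationServer()

    verifier, challenge = make_pkce_pair() if use_pkce else (None, None)
    redirect = server.authorize(f"{scheme}:/callback", challenge)

    # The OS routes the redirect to whoever currently holds the scheme.
    receiver = registry.dispatch(redirect)
    code = code_from_redirect(redirect)
    # The hijacker holds the code but never saw the verifier, which exists only in GoodApp's memory.
    hijacker_token = server.token(code, None) if receiver == "EvilApp" else None
    return {"receiver": receiver, "hijacker_got_token": hijacker_token is not None}


if __name__ == "__main__":
    print("without PKCE:", run_scenario(use_pkce=False))
    print("with PKCE:   ", run_scenario(use_pkce=True))
```

In both runs the redirect lands in EvilApp; only the second run denies it a token. A real authorization server also checks client_id and the registered redirect_uri, and uses a constant-time comparison as here, but none of that restores the redirect to the legitimate app once the scheme has been reassigned.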