<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The OpenID workshop was Monday at Microsoft.<div class=""><br class=""></div><div class="">We didn’t have remote access.   I think it was announced on the general list with the eventbrite registration.</div><div class=""><br class=""></div><div class="">It may not have gone to the Connect list.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Apr 27, 2016, at 10:23 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div bgcolor="#FFFFFF" text="#000000" class=""><p class="">*** Sorry. I did it again. ***<br class="">
    </p><p class="">Hi William,</p><p class="">may interested parties at remote locations contribute as well?</p>
    best regards,<br class="">
    Torsten.<br class="">
    <br class="">
    PS: where had the OIDF workshop been announced? I don't remember a
    posting on this list.<br class="">
    <br class="">
    <div class="moz-cite-prefix">On 27.04.2016 at 19:22, Torsten
      Lodderstedt wrote:<br class="">
    </div>
    <blockquote cite="mid:22adf439-b342-dc7b-6b61-228b2a7eedf4@lodderstedt.net" type="cite" class="">
      <p class="">Hi Denniss,</p><p class="">may interested parties at remote locations contribute as well?</p>
      best regards,<br class="">
      Torsten.<br class="">
      <br class="">
      PS: where had the OIDF workshop been announced? I don't remember a
      posting on this list.<br class="">
      <br class="">
      <div class="moz-cite-prefix">On 25.04.2016 at 23:53,
        William Denniss wrote:<br class="">
      </div>
      <blockquote cite="mid:CAAP42hDzJGYBOoR5O+6fqnyxQh0_Hz+P5VFCzpCSO6Lvi0VA1A@mail.gmail.com" type="cite" class="">
        <div dir="ltr" class="">We discussed this topic at the OIDF workshop
          today. The consensus was that we should publish a formal-ish
          (board reviewed) blog post / bulletin with implementation
          advice on how to mitigate Mix-up and Cut-and-Paste in Connect.
          <div class=""><br class="">
          </div>
          <div class="">Interested parties can meet tomorrow at IIW to draft this
            text.</div>
        </div>
        <div class="gmail_extra"><br class="">
          <div class="gmail_quote">On Sat, Apr 23, 2016 at 7:57 AM, John
            Bradley <span dir="ltr" class=""><<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>></span>
            wrote:<br class="">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr" class="">I think there are two discussions.  </p><p dir="ltr" class="">One is what the OAuth WG should do and that
                should be on the OAuth list.</p><p dir="ltr" class="">There is a separate discussion about what
                Connect should recommend until OAuth addresses the
                issue.  </p><p dir="ltr" class="">I think the latter was how this thread
                started.  </p><p dir="ltr" class="">We should not wait for OAuth to
                recommend something before we explain the existing
                mitigations in Connect.</p><p dir="ltr" class="">The touchier topic is should we add anything
                new before OAuth decides.  <br class="">
                <br class="">
                To Brian's point about the AS not identifying itself in
                the response,  that was the recommended change from the
                Darmstadt meeting.   I am however hesitant to take that
                up as a Connect only fix even though it would work just
                fine for Connect. <br class="">
                <br class="">
                John B. </p>
              <div class="gmail_quote">On Apr 23, 2016 9:04 AM, "Brian
                Campbell" <<a moz-do-not-send="true" href="mailto:bcampbell@pingidentity.com" target="_blank" class="">bcampbell@pingidentity.com</a>>
                wrote:<br type="attribution" class="">
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div dir="ltr" class="">Just noticed a typo in my previous
                    message. I meant to write "omission" rather than
                    "commission" there. Should have said:<br class="">
                    <br class="">
                    <span class="">My view is still that the attack is enabled by
                      an </span><span class=""><b class="">omission</b> in OAuth of the
                      AS identifying itself in the authorization
                      response. I think the fix should be at that layer
                      too. Progress in the OAuth WG isn't exactly
                      promising though... </span><br class="">
                    <span class="">
                      <div class="gmail_extra"><br class="">
                        <div class="gmail_quote">On Sat, Apr 23, 2016 at
                          5:36 AM, Torsten Lodderstedt <span dir="ltr" class=""><<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:torsten@lodderstedt.net"></a><a class="moz-txt-link-abbreviated" href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>></span>
                          wrote:<br class="">
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex"><span class="">On
                              15.04.2016 at 19:05, Brian
                              Campbell wrote:<br class="">
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex"> My view is
                                still that the attack is enabled by an
                                commission in OAuth of the AS
                                identifying itself in the authorization
                                response. I think the fix should be at
                                that layer too. Progress in the OAuth WG
                                isn't exactly promising though... <br class="">
                              </blockquote>
                            </span> Why don't we bring this discussion
                            to the OAuth WG? It's nearly the same group
                            of people as on this list.<br class="">
                          </blockquote>
                        </div>
                        <br class="">
                      </div>
                    </span></div>
                </blockquote>
              </div>
              <br class="">
              _______________________________________________<br class="">
              Openid-specs-ab mailing list<br class="">
              <a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a><br class="">
              <a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
              <br class="">
            </blockquote>
          </div>
          <br class="">
        </div>
        <br class="">
      </blockquote>
      <br class="">
    </blockquote>
    <br class="">
  </div>

</div></blockquote></div><br class=""></div></body></html>