[OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values spec
Brian Campbell
bcampbell at pingidentity.com
Tue Apr 8 17:17:06 UTC 2025
I'd think any security considerations need to say that the RP really needs
to check that the received ACR meets its requirements. Relying on the
content of the request and a successful response from the OP isn't
sufficient in enough/most cases so shouldn't ever be relied on.
On Mon, Apr 7, 2025 at 11:51 AM Michael Jones via Openid-specs-eap <
openid-specs-eap at lists.openid.net> wrote:
> I’ve created https://bitbucket.org/openid/eap/pull-requests/2, which adds
> Security Considerations on preventing downgrade attacks by using signed
> requests.
>
> -- Mike
>
> *From:* Openid-specs-eap <openid-specs-eap-bounces at lists.openid.net> *On
> Behalf Of *Michael Jones via Openid-specs-eap
> *Sent:* Saturday, March 29, 2025 3:54 PM
> *To:* Andrii Deinega <andrii.deinega at gmail.com>
> *Cc:* Joni Brennan <jonibrennan at gmail.com>; leifj at sunet.se;
> openid-specs-eap at lists.openid.net
> *Subject:* Re: [OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values
> spec
>
> We could add a reference to RFC 9191 in the Security Considerations, and
> in particular, cite the Downgrade Attack
> <https://www.rfc-editor.org/rfc/rfc9101.html#name-downgrade-attack>
> considerations. What do others think?
>
> -- Mike
>
> *From:* Andrii Deinega <andrii.deinega at gmail.com>
> *Sent:* Thursday, March 27, 2025 3:13 PM
> *To:* Michael Jones <michael_b_jones at hotmail.com>
> *Cc:* Joni Brennan <jonibrennan at gmail.com>; leifj at sunet.se;
> openid-specs-eap at lists.openid.net; Dean Saxe <dean.saxe at beyondidentity.com>
> *Subject:* Re: [OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values
> spec
>
> Mike, I’m curious whether the security considerations section in this spec
> should recommend passing request parameters (especially those that include
> acr_values) as JWT-Secured Authorization Requests (JAR)
> <https://www.rfc-editor.org/rfc/rfc9101.html>, or as Pushed Authorization
> Requests (PAR) <https://datatracker.ietf.org/doc/html/rfc9126>.
>
> Otherwise, parameter acr_values could be removed without detection on an
> OP side.
>
> PARs and encrypted JARs also allow hiding from others what's specifically
> requested from an RP to an OP.
>
> All the best,
>
> Andrii
>
> On Thu, Mar 27, 2025 at 7:53 AM Dean Saxe via Openid-specs-eap <
> openid-specs-eap at lists.openid.net> wrote:
>
> I support progressing this spec to final.
>
> -dhs
>
> --
>
> Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> (he/him)
>
> Principal Engineer
>
> Office of the CTO
>
> Beyond Identity
>
> dean.saxe at beyondidentity.com
>
> On Mar 25, 2025 at 5:49:29 PM, Michael Jones via Openid-specs-eap <
> openid-specs-eap at lists.openid.net> wrote:
>
> This message starts a 2-week Working Group Last Call for the OpenID
> Connect Extended Authentication Profile (EAP) ACR Values 1.0
> <https://openid.net/specs/openid-connect-eap-acr-values-1_0.html>
> specification, prior to submitting it to Foundation-wide review for Final
> status. The Context Class values “phr” and “phrh” are now registered in
> the IANA “Level of Assurance (LoA) Profiles” registry at
> https://www.iana.org/assignments/loa-profiles/.
>
> The WGLC ends on Tuesday, April 8th. Please reply-all to this e-mail
> indicating whether you support progressing the specification to Final
> status.
>
> After it becomes Final, we anticipate closing the EAP working group
> <https://openid.net/wg/eap/>.
>
> Thanks,
>
> -- Mike
>
> *From:* Michael Jones
> *Sent:* Sunday, March 23, 2025 11:07 PM
> *To:* openid-specs-eap at lists.openid.net
> *Cc:* leifj at sunet.se; Joni Brennan <jonibrennan at gmail.com>; John Bradley <
> ve7jtb at ve7jtb.com>
> *Subject:* Context Class values added to OpenID EAP ACR Values spec
>
> I’ve updated the OpenID Connect Extended Authentication Profile (EAP) ACR
> Values 1.0
> <https://openid.net/specs/openid-connect-eap-acr-values-1_0.html>
> specification to add the Context Class values needed to enable registration
> of the two ACR values indicating that phishing-resistant authentication or
> phishing-resistant-hardware-backed authentication is being requested or has
> been performed. Thanks to Leif Johansson for explaining how to create the
> Context Class files. They can both be found at
> https://bitbucket.org/openid/eap/src/master/.
>
> The IANA registrations have been requested – with tracking number [IANA
> #1415585].
>
> Once these registrations occur, unless working group members want other
> updates to the spec, we should be able to take the specification to Final
> status.
>
> -- Mike
>
> _______________________________________________
> Openid-specs-eap mailing list
> Openid-specs-eap at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-eap
>
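Brian's point above (the RP must check the received ACR against its own requirements, and Andrii's observation that a stripped acr_values parameter goes undetected at the OP), as an added example that is not part of the thread or of the EAP ACR Values spec: an RP-side check that the acr claim in an already signature-verified ID token satisfies the RP's policy, so that a request whose acr_values was removed in transit is rejected even though the OP returned a successful response. The claim payloads, the acr value `urn:example:password`, and the assumption that `phrh` satisfies a `phr` requirement are constructed for this example.

```python
# Added example (not from the thread or the EAP ACR Values spec): RP-side
# enforcement of the required authentication context after the OP responds.
from typing import Optional

# Context Class values the thread says are registered in the IANA LoA registry.
PHR = "phr"    # phishing-resistant authentication
PHRH = "phrh"  # phishing-resistant, hardware-backed authentication

# Assumption made for this example only: an RP requiring "phr" also accepts
# "phrh", since hardware-backed phishing resistance is at least as strong.
SATISFIES = {PHR: {PHR, PHRH}, PHRH: {PHRH}}


def acr_meets_requirement(id_token_claims: dict, required_acr: str) -> bool:
    """True only if the ID token's acr claim satisfies the RP's own requirement.

    The decision rests on the received, signature-verified token, never on the
    acr_values the RP sent or on the fact that the OP answered successfully:
    an acr_values parameter dropped in transit still yields a valid-looking
    success response, just with a weaker (or absent) acr.
    """
    acr = id_token_claims.get("acr")
    if not isinstance(acr, str):
        return False  # acr absent: the OP asserted nothing about strength
    return acr in SATISFIES.get(required_acr, {required_acr})


def decide_login(id_token_claims: dict, required_acr: str) -> dict:
    """Return the RP's decision record, suitable for audit logging."""
    received: Optional[str] = id_token_claims.get("acr")
    accepted = acr_meets_requirement(id_token_claims, required_acr)
    return {"accepted": accepted, "required": required_acr, "received": received}


# Constructed ID token payloads (signature verification assumed done already).
HONORED = {"iss": "https://op.example", "sub": "alice", "acr": PHRH}
DOWNGRADED = {"iss": "https://op.example", "sub": "alice",
              "acr": "urn:example:password"}  # constructed weaker value
NO_ACR = {"iss": "https://op.example", "sub": "alice"}

if __name__ == "__main__":
    for name, claims in (("honored", HONORED), ("downgraded", DOWNGRADED),
                         ("no acr", NO_ACR)):
        print(name, decide_login(claims, PHRH))
```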