[Openid-specs-fapi] Issue #33: John's Security Section Review Result (openid/fapi)

Nat Sakimura issues-reply at bitbucket.org
Wed Sep 28 06:27:28 UTC 2016


New issue 33: John's Security Section Review Result
https://bitbucket.org/openid/fapi/issues/33/johns-security-section-review-result

Nat Sakimura:

# 5.2.1 - bullet 2. 

  12 characters --- entropy language needed. Ref. Connect: at least 128 bits.
  Perhaps use OIDC 16.19. Symmetric Key Entropy.

  Add for the confidential clients:
    RSA: 2K ~ 120 bits
    Sym: 128 bits, 32 octets
    Elliptic Curve: min key length of 160 bits

# 5.2.1 - 3rd last bullet

Constrain the length of the validity of code. 15 seconds after the redirect was initiated to the client. 

Put it in the last NOTE as well. 

# 5.2.2 Public Client

Change the first two bullets to: 

* shall support RFC7636 or the mechanisms defined in Part 4. 
* shall use S256 as the code challenge method for the RFC7636;

Replace BCP NAPPS with OAuth 2.0 for Native Apps [O2fNA]

# 6.2.1 Protected resources provisions

s/shall mandate TLS 1.2 as defined in RFC5246 or later /shall mandate TLS 1.2 or later as defined in RFC5246/

add 

    if it decides to provide access to JavaScript clients. 

    NOTE: Providing access to JavaScript clients and not has different security properties. 

to

    Further, it should support the use of Cross Origin Resource Sharing (CORS) [CORS] and/or other methods as appropriate to enable JavaScript Clients to access the endpoint;


# 6.2.2 Client provisions

- First bullet -- same as in 6.2.1.

Minimum entropy of opaque access token: 128 bits.
  Check security considerations as well. 

  Securing these APIs with small-entropy access tokens would ... 

  Non-monotonically increasing or ... guessable. 
  5.1.4.2.2 of RFC6819

Put NOTE: User-Agent and DDA-FinancialId are not security features. 

TLS Mutual Auth to the token endpoint
JWS Assertion Client Auth to the token endpoint --> OIDC. 



Responsible: Nat
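As an added illustration (not from this issue or the FAPI draft), the 5.2.2 public-client requirement and the 15-second code lifetime from 5.2.1 as a token endpoint would check them: RFC 7636 S256 with a 256-bit code_verifier, validated against the RFC 7636 Appendix B test vector, plus an authorization-code age check. The function names and the use of 15 seconds as the hard limit are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

CODE_LIFETIME_SECONDS = 15  # window proposed for 5.2.1 (assumed here as the hard limit)


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random octets = 256 bits of entropy, above the 128-bit floor discussed
    # in the review; encodes to 43 chars, the RFC 7636 minimum verifier length.
    return b64url_nopad(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 S256)."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    # Token endpoint side: only S256 is accepted (no "plain"), verifier length is
    # bounded per RFC 7636, and the digest comparison is constant time.
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def code_is_fresh(issued_at: float, now: float, lifetime: int = CODE_LIFETIME_SECONDS) -> bool:
    """Reject authorization codes older than the lifetime, or stamped in the future."""
    return 0 <= now - issued_at <= lifetime


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    assert s256_challenge(rfc_verifier) == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)  # what the client sends in the authorization request
    print(verify_pkce(challenge, "S256", verifier), verify_pkce(challenge, "plain", verifier))
```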

