[Openid-specs-fapi] Issue #33: John's Security Section Review Result (openid/fapi)
Nat Sakimura
issues-reply at bitbucket.org
Wed Sep 28 06:27:28 UTC 2016
New issue 33: John's Security Section Review Result
https://bitbucket.org/openid/fapi/issues/33/johns-security-section-review-result
Nat Sakimura:
# 5.2.1 - bullet 2.
12 characters --- entropy language needed. Ref. Connect at least 128 bits
Perhaps use OIDC 16.19. Symmetric Key Entropy
add for the confidential clients
* RSA: 2K ~ 120 bits
* Sym: 128 bits 32 octs
* Elliptic Curve: min key length of 160 bits
# 5.2.1 - 3rd last bullet
Constrain the length of the validity of code. 15 seconds after the redirect was initiated to the client.
Put it in the last NOTE as well.
# 5.2.2 Public Client
Change the first two bullets to:
* shall support RFC7636 or the mechanisms defined in Part 4.
* shall use S256 as the code challenge method for the RFC7636;
Replace BCP NAPPS with OAuth 2.0 for Native Apps [O2fNA]
# 6.2.1 Protected resources provisions
s/shall mandate TLS 1.2 as defined in RFC5246 or later/shall mandate TLS 1.2 or later as defined in RFC5246/
add
if it decides to provide access to javascript clients.
NOTE: Providing access to JavaScript clients and not has different security properties.
to
Further, it should support the use of Cross Origin Resource Sharing (CORS) [CORS] and/or other methods as appropriate to enable JavaScript clients to access the endpoint;
# 6.2.2 Client provisions
- First bullet -- same as in 6.2.1.
Minimum entropy of opaque access token. 128 bits
check security considerations as well.
securing these APIs with small-entropy access tokens would ...
non-monotonically increasing or .. guessable.
5.1.4.2.2 of RFC6819
Put NOTE: User-Agent and DDA-FinancialId is not a security feature.
TLS Mutual Auth to the token endpoint
JWS Assertion Client Auth to the token endpoint --> OIDC.
Responsible: Nat
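The review points above (S256-only PKCE per RFC 7636, a 128-bit entropy floor for opaque access tokens, and a short authorization-code lifetime) can be checked mechanically on the server side. The following is an added illustration written for this page; it is not code from the FAPI issue, the FAPI specification, or any OpenID project. The function names, the 15-second code window and the 128-bit default are assumptions taken from the notes above, and the verifier/challenge pair in the comments is the public test vector from RFC 7636 Appendix B.

```python
"""Added example (not from the FAPI issue or spec text): PKCE S256 handling,
opaque access-token entropy and authorization-code freshness, reflecting the
review notes above. Names and defaults are illustrative assumptions."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 unreserved characters. 32 random bytes
    # encode to 43 characters and carry 256 bits of entropy, above the
    # 128-bit floor the review asks for.
    return b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    # RFC 7636 Appendix B: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    # yields challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str,
                presented_verifier: str) -> bool:
    # Token endpoint check. Only S256 is accepted, matching the review's
    # "shall use S256"; the "plain" method is refused outright.
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = s256_challenge(presented_verifier)
    # Constant-time comparison so the check does not leak by timing.
    return hmac.compare_digest(expected, stored_challenge)


def make_opaque_token(min_entropy_bits: int = 128) -> str:
    # An opaque access token drawn from the OS CSPRNG. secrets.token_urlsafe(n)
    # draws n random bytes, so ceil(bits / 8) bytes meets the entropy floor;
    # such tokens are neither sequential nor guessable (cf. RFC 6819 5.1.4.2.2).
    n_bytes = (min_entropy_bits + 7) // 8
    return secrets.token_urlsafe(n_bytes)


def code_is_fresh(issued_at: float, now: float, max_age_s: float = 15.0) -> bool:
    # Authorization-code lifetime check: reject codes older than the window
    # (15 seconds is the value suggested in the review) or issued "in the future".
    return 0 <= now - issued_at <= max_age_s


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    print("verifier ok:", verify_pkce(challenge, "S256", verifier))
    print("plain refused:", verify_pkce(challenge, "plain", verifier))
    print("token:", make_opaque_token())
    print("code fresh after 10s:", code_is_fresh(100.0, 110.0))
    print("code fresh after 20s:", code_is_fresh(100.0, 120.0))
```

The server stores only the challenge and method at the authorization endpoint and runs `verify_pkce` at the token endpoint; the verifier never needs to be persisted. Swapping `secrets` for a non-cryptographic generator such as `random` would defeat the entropy argument even if the token length were unchanged.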