Dear OAuth WG,

We've just published a new I-D draft-wuertele-oauth-security-topics-update-01 to update RFC 9700 [1]. As briefly discussed and agreed upon at IETF 122 [2], since the publication of RFC 9700, two new classes of attacks have been discovered that warrant updates to the current best practices:

- Audience Injection Attacks, which have been presented and discussed in the January interim meeting [3], and at OSW 2025.
- New Mix-Up Variants, which were presented and discussed in depth at OSW 2025 [4], and with the original RFC 9700 authors.

We would like to kindly invite the working group to review this draft and provide early feedback, especially on Section 2, which contains the newly identified attacks and corresponding defenses.

The draft is still in an early state and not yet fully polished, but we are very interested in receiving any feedback at this stage, and in particular on the following points:

- Does the structure of Section 2 make sense overall?
- Are the attack descriptions in Section 2 clear and sufficient to understand the threats?
- Are the defense descriptions understandable and actionable?
- What should be the title of this document? There already is some discussion on this in issue #1 [5].
- Which existing RFCs should this document formally update (beyond RFC 9700)? See also issue #4 [6].

Feedback is very welcome both on the mailing list and as GitHub issues (including comments/thoughts on the existing issues).

Looking forward to your thoughts and feedback!

Best regards,
Pedram, Kaixuan, Adonis, and Tim

[1] https://datatracker.ietf.org/doc/draft-wuertele-oauth-security-topics-update
[2] https://datatracker.ietf.org/doc/minutes-122-oauth-202503180600/#updating-security-bcp---pedram-hosseyni-10-min
[3] https://datatracker.ietf.org/meeting/interim-2025-oauth-04/session/oauth
[4] https://talks.secworkshop.events/osw2025/talk/WG9TEW
[5] https://github.com/SECtim/draft-wuertele-oauth-security-topics-update/issues/1
[6] https://github.com/SECtim/draft-wuertele-oauth-security-topics-update/issues/4

_______________________________________________
OAuth mailing list -- [email protected]