Thanks for the feedback, Dan. I have created a couple of GitHub issues to address all of these.

1. https://github.com/oauth-wg/oauth-cross-device-security/issues/164
2. https://github.com/oauth-wg/oauth-cross-device-security/issues/165
3. https://github.com/oauth-wg/oauth-cross-device-security/issues/166
4. https://github.com/oauth-wg/oauth-cross-device-security/issues/167
5. https://github.com/oauth-wg/oauth-cross-device-security/issues/168

Cheers

Pieter

On Tue, Jul 1, 2025 at 7:42 PM Dan Moore <[email protected]> wrote:

> Hi folks,
>
> This was a super useful document. I thought all the examples and delineations were very helpful in making a tough topic understandable.
>
> A few comments/nits:
>
> Links in this section
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-defending-against-cross-dev
> don't point to the correct anchor/aren't processed.
>
> In the Examples section (3.3) there were some inconsistencies:
>
> - this section is "Cross-Device Session Transfer Pattern" rather than "Session Transfer Pattern":
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-3.3.5
> doing so makes it consistent with the other parenthesized pattern names, which all refer to the specific pattern name used above.
> - same issue with
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-3.3.7
>
> In section 4.3, some of the parenthesized text doesn't tie back to the patterns:
> - this section:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-4.3.6
> - this section:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-4.3.8
>
> These are the only ones with the "suffix" exploit, everything else is a "pattern".
>
> Typo:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-5-5
> has an upper case S in server: "An authorization Server"; it should be lowercase for consistency.
>
> In this section,
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-mitigating-against-cross-de
> I'd modify this sentence:
> 'End-users have "expertise elsewhere" and are typically not security experts and don't understand the protocols and systems they interact with.'
> to use commas:
> 'End-users have "expertise elsewhere", are typically not security experts, and don't understand the protocols and systems they interact with.'
>
> In this section
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.1.1-2.3.1
> I'd add that the shared network check breaks down if the consumption device (TV) is on wifi and the authorization device (mobile phone) is on the mobile network, a common situation.
>
> In this section:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.1.1-1
> When the doc suggests "There are a couple of ways to establish proximity", is it worth being explicit that the authorization server is the entity that is responsible for this? It is implied.
>
> The mitigations section was great! I wondered if it made sense to break mitigations out further between those that the authorization server can implement (limited scopes, short-lived tokens) and those that require work across other systems (such as content filtering, trusted devices). An alternative might be including that info in the table in 6.1.18.
>
> This section has some extra hash marks:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#name-ietf-oauth-20-device-author
> Saw the same with 6.2.2 and 6.2.3.
>
> There are some busted internal anchor links here:
> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html#section-6.3-6.2.1
>
> Thanks,
> Dan
>
> On Tue, Jun 17, 2025 at 8:34 AM Pieter Kasselman <[email protected]> wrote:
>
>> Dear chairs
>>
>> Thanks for the shepherd feedback on the Cross-Device Flows: Security Best Current Practice draft provided at IETF 122.
>>
>> The below draft includes updates to address the feedback received.
>>
>> Please advise on the next steps for this draft.
>>
>> Cheers
>>
>> Pieter
>>
>> On Tue, Jun 17, 2025 at 3:19 PM <[email protected]> wrote:
>>
>>> Internet-Draft draft-ietf-oauth-cross-device-security-10.txt is now available.
>>> It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>>>
>>> Title: Cross-Device Flows: Security Best Current Practice
>>> Authors: Pieter Kasselmann
>>> Daniel Fett
>>> Filip Skokan
>>> Name: draft-ietf-oauth-cross-device-security-10.txt
>>> Pages: 58
>>> Dates: 2025-06-17
>>>
>>> Abstract:
>>>
>>> This document describes threats against cross-device flows along with practical mitigations, protocol selection guidance, and a summary of formal analysis results identified as relevant to the security of cross-device flows. It serves as a security guide to system designers, architects, product managers, security specialists, fraud analysts and engineers implementing cross-device flows.
>>>
>>> The IETF datatracker status page for this Internet-Draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
>>>
>>> There is also an HTML version available at:
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-10.html
>>>
>>> A diff from the previous version is available at:
>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-10
>>>
>>> Internet-Drafts are also available by rsync at:
>>> rsync.ietf.org::internet-drafts
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
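Dan's remark about the shared-network proximity check (draft section 6.1.1) and his point that the authorization server is the party responsible for establishing proximity can be made concrete with a small model. The following is an added example written for this thread; it is not code from the draft, the working group, or any of the authors. It assumes a minimal device-authorization flow in which the authorization server records the public source address of the consumption device (TV) when it issues a user code and later compares it with the source address of the authorization device (phone) when the user enters that code. The class, method and field names, the sample addresses and the policy outcomes are all constructed for illustration.

```python
"""Toy model of an authorization server's "shared network" proximity check.

Added example, not from the draft or the thread. Assumed flow (mine):
  1. The consumption device (TV) calls device_authorization(); the AS notes
     the public IP it came from and hands back a user code.
  2. The user enters that code on the authorization device (phone); the AS
     compares the phone's public IP with the one recorded in step 1.
A match is a weak hint that both devices sit behind the same NAT; a mismatch
is NOT proof of an attack, because a phone on a mobile network never shares
the TV's wifi address, which is the false negative Dan points out.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
import secrets


@dataclass
class PendingDeviceAuth:
    user_code: str
    device_ip: str   # public source address seen from the consumption device
    scope: str


@dataclass
class AuthorizationServer:
    pending: dict = field(default_factory=dict)

    def device_authorization(self, client_ip: str, scope: str) -> str:
        """TV requests a user code; remember where the request came from."""
        user_code = secrets.token_hex(4).upper()     # constructed code format
        self.pending[user_code] = PendingDeviceAuth(user_code, client_ip, scope)
        return user_code

    def proximity_signal(self, user_code: str, auth_device_ip: str) -> str:
        """Compare the two observed public addresses.

        Returns 'same-network', 'different-network' or 'unknown-code'.
        Comparing parsed addresses (not strings) also handles IPv6 spelling
        differences such as compressed zero groups.
        """
        req = self.pending.get(user_code)
        if req is None:
            return "unknown-code"
        same = ip_address(req.device_ip) == ip_address(auth_device_ip)
        return "same-network" if same else "different-network"

    def decide(self, user_code: str, auth_device_ip: str) -> str:
        """Policy built on the signal. The AS owns this decision.

        A mismatch is treated as a reason to step up (e.g. show the user the
        requesting device and scope and require explicit confirmation) rather
        than to hard-fail, precisely because TV-on-wifi + phone-on-mobile is
        a common legitimate situation.
        """
        signal = self.proximity_signal(user_code, auth_device_ip)
        if signal == "unknown-code":
            return "deny"
        if signal == "same-network":
            return "approve"
        return "step-up"


def run_scenarios() -> dict:
    """Two constructed scenarios for the same pending TV request."""
    srv = AuthorizationServer()
    code = srv.device_authorization(client_ip="203.0.113.10", scope="tv:play")
    return {
        # Phone on the same home wifi: both requests share the NAT's address.
        "phone_on_home_wifi": srv.decide(code, "203.0.113.10"),
        # Same phone, same room, but on the mobile network: check cannot see
        # the physical proximity and falls back to a step-up prompt.
        "phone_on_mobile_network": srv.decide(code, "198.51.100.7"),
        # Mistyped / expired code: nothing to compare against.
        "unknown_code": srv.decide("NOPE0000", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one Dan raises: the authorization server is the only party that observes both requests, so the check and the resulting policy live there, and because the check cannot distinguish "on another network" from "not co-located", a mismatch should drive a stronger user confirmation rather than an outright denial.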
