draft-ietf-oauth-cross-device-security-14

Changes

Updates to text and diagrams to provide additional clarity based on IETF Last Call feedback

Details

• Clarify exploitation of unauthenticated channel in OAuth by @PieterKas in #206
• Enhance limitations section with VPN guidance by @PieterKas in #205
• Clarify limitations of short-lived user codes by @PieterKas in #204
• Enhance document with glossary reference and CDCP details by @PieterKas in #209
• Eliminate duplicate patterns in cross-device security document by @PieterKas in #220
• Update User-Transferred Authorization Data Pattern details by @PieterKas in #221
• Enhance security discussion on authorization requests by @PieterKas in #222
• Clarify cross-device flow use cases and descriptions by @PieterKas in #223
• Refine mitigations and proximity establishment details by @PieterKas in #224
• Clarify limitations of trusted devices in cross-device flows by @PieterKas in #225
• Forward reference to FIDO in wireless proximity section by @PieterKas in #226
• Editoria updates by @PieterKas in #227
• Clarify Authenticat-the-Initiate mitigation by @PieterKas in #228
• Update Diagrams: 1 of 4 by @PieterKas in #229
• Update Diagram 2 of 4 by @PieterKas in #230
• Update Diagram 3 of 4 by @PieterKas in #233
• Update Diagram 4 of 4 by @PieterKas in #234
• Writing Nits by @PieterKas in #235
• Cross references between use case and exploit examples by @PieterKas in #236

Full Changelog: draft-ietf-oauth-cross-device-security-13...draft-ietf-oauth-cross-device-security-14

draft-ietf-oauth-cross-device-security-13

Address Area Director (AD) feedback - details below:

What's Changed

• Add IANA Considerations section by @PieterKas in #186
• Add security considerations by @PieterKas in #187
• Fix references by @PieterKas in #190
• Correct capitalization of 'SHOULD not' to 'SHOULD NOT' by @PieterKas in #191
• Adress AD Nits by @PieterKas in #196
• Refine cross-device flow descriptions and headings by @PieterKas in #197
• Remove repetitive text about what an AS can (and can't) do. by @PieterKas in #198
• Clarify limits of authenticate-then-initiate mitigations by @PieterKas in #199

Full Changelog: draft-ietf-oauth-cross-device-security-12...draft-ietf-oauth-cross-device-security-13

draft-ietf-oauth-cross-device-security-12

Fixed references to point to final versions of specifications

What's Changed

• Fixed FIDO CTAP V2.2 URL by @PieterKas in #178
• Update SSF Reference by @PieterKas in #179
• CAEP Reference Update by @PieterKas in #180
• Fix IEEE reference by @PieterKas in #177
• Update IEEE Reference by @PieterKas in #181

Full Changelog: draft-ietf-oauth-cross-device-security-11...draft-ietf-oauth-cross-device-security-12

draft-ietf-oauth-cross-device-security-11

Includes formatting and editorial changes to clarify existing text.

What's Changed

• Fixing Labels by @PieterKas in #170
• Editorial Updates - Issue 164 by @PieterKas in #171
• Devices not sharing a network by @PieterKas in #172
• Clarify authorization server role in establishing proximity by @PieterKas in #173
• Add Dan Moore to acknowledgement by @PieterKas in #175
• Authorization Server only mitigations by @PieterKas in #174

Full Changelog: draft-ietf-oauth-cross-device-security-10...draft-ietf-oauth-cross-device-security-11

draft-ietf-oauth-cross-device-security-10

Addresses shepherd feedback

• Shepherd feedback: Describe unauthenticated channel.
• Shepherd feedback: Separate normative and informative references.
• Shepherd feedback: Update FIDO/WebAuthn references

draft-ietf-oauth-cross-device-security-09

• Affiliation change to allow publication to Datatracker.
• No content changes - re-published to avoid expiry while waiting on shepherd review.

draft-ietf-oauth-cross-device-security-08

• Editorial updates.

draft-ietf-oauth-cross-device-security-07

Includes feedback from Working Group Last Call. Changes include:

1. Clarification of FIDO\WebAuthn section.
2. Updated langugage in section on FIDO to allow for use of FIDO keys on consumption devices.
3. Clarified origin of QR Code.
4. Editorial updates
5. Updated examples to be consistent.
6. Made diagram description clearer.
7. Added CTAP 2.2 Draft.
8. Added additional guidance on geolocation inaccuracies.
9. Added Roy Williams to acknowledgements
10. Clarified that authorization servers can detect
11. Consistent use of "smart TV"
12. Fixed references

draft-ietf-oauth-cross-device-security-06

Corrected typos

draft-ietf-oauth-cross-device-security-05

• Added section to provide actionable guidance to implementers on how to use this document.
• Expanded section on formal analysis to include completed research projects.
• Added reference to OpenID for Verifiable Presentations.