Releases: oauth-wg/oauth-cross-device-security
Releases · oauth-wg/oauth-cross-device-security
draft-ietf-oauth-cross-device-security-08
- Editorial updates.
draft-ietf-oauth-cross-device-security-07
Includes feedback from Working Group Last Call. Changes include:
- Clarification of FIDO\WebAuthn section.
- Updated langugage in section on FIDO to allow for use of FIDO keys on consumption devices.
- Clarified origin of QR Code.
- Editorial updates
- Updated examples to be consistent.
- Made diagram description clearer.
- Added CTAP 2.2 Draft.
- Added additional guidance on geolocation inaccuracies.
- Added Roy Williams to acknowledgements
- Clarified that authorization servers can detect
- Consistent use of "smart TV"
- Fixed references
draft-ietf-oauth-cross-device-security-06
Corrected typos
draft-ietf-oauth-cross-device-security-05
- Added section to provide actionable guidance to implementers on how to use this document.
- Expanded section on formal analysis to include completed research projects.
- Added reference to OpenID for Verifiable Presentations.
draft-ietf-oauth-cross-device-security-04
Corrected formatting issue that prevented the document history from displaying correctly.
draft-ietf-oauth-cross-device-security-03
- Introduced normative SHOULD, RECOMMENDED and MAY when applied to actions the Authorization Server, Resource Server or Client may implement.
- Added User Education as a standalone mitigation.
- Added Maryam Mehrnezhad, Marco Pernpruner and Giada Sciarretta to the contributors list.
- Added Request Binding with Out-of-Band Data as an additional mitigation (feedback received at OSW 2023)
- Adopted the OpenID Foundation terminology from [CIBA] and changed Initiating Device to Consumption Device
- Added Fake Helpdesk and Consent Request Overload examples (new variations of attacks observed in the wild)
- Replaced "Authenticated Flow" mitigation name with "Authenticate-then-Intitiate"
- Added Cross-Device Session Transfer pattern (feedback received at OSW 2023)
What's Changed
- Capitalise SHOULD, MAY and RECOMMENDED where appropriate by @PieterKas in #75
- Fix punctuation, typos and hyphenation by @marcopernpruner in #81
- Inconsistency on "Authorization Device" by @marcopernpruner in #83
- Added User Education as an explicit mitigations by @PieterKas in #88
- Additional UX mitigation by @PieterKas in #90
- Additional mitigation by @PieterKas in #91
- Added contributors by @PieterKas in #102
- Added Out-of-Band User Entered Data Mitigation by @PieterKas in #101
- Refined the trusted devices section. by @PieterKas in #103
- Changed Terminology from Initiating Device to Consumption Device by @PieterKas in #106
- Fix header level for Request Binding with Out-of-Band Data by @marcopernpruner in #108
- Added Fake Helpdesk attack example by @PieterKas in #110
- Added Example B.9 by @PieterKas in #109
- Adding support for session transfer by @PieterKas in #112
- Alternative name for Authenticated Flow by @PieterKas in #111
- Restructure User Experience mitigation by @marcopernpruner in #107
- Editorial changes in intro and concepts section by @danielfett in #114
- Additional editorial changes by @danielfett in #115
- Fix editorial issues by @marcopernpruner in #113
New Contributors
- @marcopernpruner made their first contribution in #81
Full Changelog: draft-ietf-oauth-cross-device-security-02...draft-ietf-oauth-cross-device-security-03
Contributors
danielfett, marcopernpruner, and PieterKas
Assets 2
draft-ietf-oauth-cross-device-security-02
- Introduced Cross-Device Consent Phishing as a label for the types of attacks described in this document.
- Updated labels for different types of flows (User-Transferred Session Data Pattern, Backchannel-Transferred Session Pattern, User-Transferred Authorization Data Pattern)
- Adopted consistent use of hyphenation in using "cross-device"
- Consistent use of "Authorization Device"
- Update Reference to Secure Signals Framework to reflect name change from Secure Signals and Events
- Described difference between proximity enforced and proximity-less cross-device flows
- Fixed typos and grammar edits
- Capitalised Initiating Device and Authorization Device
- General editorial pass
draft-ietf-oauth-cross-device-security-01
Added additional diagrams and descriptions to distinguish between different cross-device flow patterns.
Added short description on limitations of each mitiagtion.
Added acknowledgement of additional contributors.
Fixed document history format.
draft-ietf-oauth-cross-device-security-00: fix build process
https://github.com/martinthomson/i-d-template/issues/356