Update draft-ietf-oauth-cross-device-security.md

PieterKas · web-flow · commit b96c0461973e · 2025-06-08T17:45:25.000-04:00
diff --git a/draft-ietf-oauth-cross-device-security.md b/draft-ietf-oauth-cross-device-security.md
@@ -1,16 +1,18 @@
 ---
+stand_alone: true
 ipr: trust200902
 cat: bcp
 submissiontype: IETF
-area: Security
-wg: OAuth Working Group
+area: sec
+wg: oauth
 
 docname: draft-ietf-oauth-cross-device-security-latest
+
 title: "Cross-Device Flows: Security Best Current Practice"
 abbrev: "CDFS"
 lang: en
 kw: ["security", "oauth2", "best current practice"]
-
+# date: 2022-02-02 -- date is filled in automatically by xml2rfc if not given
 author:
 - name: Pieter Kasselmann
   org: SPIRL
@@ -25,9 +27,17 @@ author:
 normative:
  RFC2119: # Key words for use in RFCs to Indicate Requirement Levels
  RFC6749: # OAuth 2.0 Authorization Framework
+ RFC8693: # OAuth 2.0 Token Exchange
+ RFC7523: # JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
  RFC7636: # Proof Key for Code Exchange by OAuth Public Clients
  RFC8174: # Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
+ RFC8707: # Resource Indicators for OAuth 2.0
+ RFC8414: # OAuth 2.0 Authorization Server Metadata
+ RFC8725: # JSON Web Token Best Current Practices
+ RFC2046: # Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types
+ RFC6838: # Media Type Specifications and Registration Procedures
  RFC8628: # OAuth 2.0 Device Authorization Grant
+ RFC9635: # Grant Negotiation and Authorization Protocol (GNAP)
  CIBA:
     title: "OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0"
     author:
@@ -44,116 +54,9 @@ normative:
     date: 2021-09
     target: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
 
- FIDOCTAP22:
-  title: "Client to Authenticator Protocol (CTAP)"
-  author:
-    - initials: "J."
-      surname: "Bradley"
-      fullname: "John Bradley"
-      organization: "Yubico"
-    - initials: "M."
-      surname: "Jones"
-      fullname: "Michael B. Jones"
-      organization: "Microsoft"
-    - initials: "A."
-      surname: "Kumar"
-      fullname: "Akshay Kumar"
-      organization: "Microsoft"
-    - initials: "R."
-      surname: "Lindemann"
-      fullname: "Rolf Lindemann"
-      organization: "Nok Nok Labs"
-    - initials: "S."
-      surname: "Verrept"
-      fullname: "Johan Verrept"
-      organization: "OneSpan"
-    - initials: "D."
-      surname: "Waite"
-      fullname: "David Waite"
-      organization: "Ping Identity"
-  date: 2025-02
-  target: "https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html"
-
- W3CWebAuthn:
-  title: "Web Authentication: An API for accessing Public Key Credentials Level 3"
-  author:
-    - initials: "T."
-      surname: "Cappalli"
-      fullname: "Tim Cappalli"
-      organization: "Okta"
-    - initials: "M."
-      surname: "Jones"
-      fullname: "Michael B. Jones"
-      organization: "Microsoft"
-    - initials: "A."
-      surname: "Kumar"
-      fullname: "Akshay Kumar"
-      organization: "Microsoft"
-    - initials: "E."
-      surname: "Lundberg"
-      fullname: "Emil Lundberg"
-      organization: "Yubico"
-    - initials: "M."
-      surname: "Miller"
-      fullname: "Matthew Miller"
-      organization: "Cisco"
-  date: 2025-01
-  target: "https://www.w3.org/TR/2025/WD-webauthn-3-20250127/"
-
-IEEE802154:
-  title: "IEEE Std 802.15.4-2020: IEEE Standard for Low-Rate Wireless Networks"
-  author:
-    -
-      organization: "Institute of Electrical and Electronics Engineers"
-  date: 2020
-  seriesinfo:
-    - name: "IEEE"
-      value: "802.15.4-2020"
-  target: "https://standards.ieee.org/standard/802_15_4-2020.html"
-
- CAEP:
-  title: "OpenID Continuous Access Evaluation Profile 1.0 - draft 01"
-  author:
-    - initials: "A."
-      surname: "Tulshibagwale"
-      fullname: "Atul Tulshibagwale"
-      organization: "Google"
-    - initials: "T."
-      surname: "Cappalli"
-      fullname: "Tim Cappalli"
-      organization: "Microsoft"
-  date: 2021-06
-  target: "https://openid.net/specs/openid-caep-specification-1_0-01.html"
-
-SSF:
-  title: "OpenID Shared Signals and Events Framework Specification 1.0"
-  author:
-    - initials: "A."
-      surname: "Tulshibagwale"
-      fullname: "Atul Tulshibagwale"
-      organization: "Google"
-    - initials: "T."
-      surname: "Cappalli"
-      fullname: "Tim Cappalli"
-      organization: "Microsoft"
-    - initials: "M."
-      surname: "Scurtescu"
-      fullname: "Marius Scurtescu"
-      organization: "Coinbase"
-    - initials: "A."
-      surname: "Backman"
-      fullname: "Annabelle Backman"
-      organization: "Amazon"
-    - initials: "J."
-      surname: "Bradley"
-      fullname: "John Bradley"
-      organization: "Yubico"
-  date: 2021-06
-  target: "https://openid.net/specs/openid-sse-framework-1_0-01.html"
 
 informative:
  RFC7662: # OAuth 2.0 Token Introspection
- RFC9635: # Grant Negotiation and Authorization Protocol (GNAP)
  Exploit1:
   title: "The Art of the Device Code Phish"
   author:
@@ -260,6 +163,73 @@ informative:
       - ins: B. de Medeiros
       - ins: C. Mortimore
 
+ IEEE802154:
+  title: "IEEE Std 802.15.4-2020: IEEE Standard for Low-Rate Wireless Networks"
+  author:
+    -
+      organization: "Institute of Electrical and Electronics Engineers"
+  date: 2020
+  seriesinfo:
+    - name: "IEEE"
+      value: "802.15.4-2020"
+  target: "https://standards.ieee.org/standard/802_15_4-2020.html"
+
+ W3CWebAuthn:
+  title: "Web Authentication: An API for accessing Public Key Credentials Level 3"
+  author:
+    - initials: "T."
+      surname: "Cappalli"
+      fullname: "Tim Cappalli"
+      organization: "Okta"
+    - initials: "M."
+      surname: "Jones"
+      fullname: "Michael B. Jones"
+      organization: "Microsoft"
+    - initials: "A."
+      surname: "Kumar"
+      fullname: "Akshay Kumar"
+      organization: "Microsoft"
+    - initials: "E."
+      surname: "Lundberg"
+      fullname: "Emil Lundberg"
+      organization: "Yubico"
+    - initials: "M."
+      surname: "Miller"
+      fullname: "Matthew Miller"
+      organization: "Cisco"
+  date: 2025-01
+  target: "https://www.w3.org/TR/2025/WD-webauthn-3-20250127/"
+
+ FIDOCTAP22:
+  title: "Client to Authenticator Protocol (CTAP)"
+  author:
+    - initials: "J."
+      surname: "Bradley"
+      fullname: "John Bradley"
+      organization: "Yubico"
+    - initials: "M."
+      surname: "Jones"
+      fullname: "Michael B. Jones"
+      organization: "Microsoft"
+    - initials: "A."
+      surname: "Kumar"
+      fullname: "Akshay Kumar"
+      organization: "Microsoft"
+    - initials: "R."
+      surname: "Lindemann"
+      fullname: "Rolf Lindemann"
+      organization: "Nok Nok Labs"
+    - initials: "S."
+      surname: "Verrept"
+      fullname: "Johan Verrept"
+      organization: "OneSpan"
+    - initials: "D."
+      surname: "Waite"
+      fullname: "David Waite"
+      organization: "Ping Identity"
+  date: 2025-02
+  target: "https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html"
+
  PCRSM2023:
   title: "An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols, IEEE Transactions on Dependable and Secure Computing (TDSC)"
   author:
@@ -314,6 +284,46 @@ informative:
   date: 2023
   target: "https://doi.org/10.1109/TDSC.2022.3151103"
 
+ CAEP:
+  title: "OpenID Continuous Access Evaluation Profile 1.0 - draft 01"
+  author:
+    - initials: "A."
+      surname: "Tulshibagwale"
+      fullname: "Atul Tulshibagwale"
+      organization: "Google"
+    - initials: "T."
+      surname: "Cappalli"
+      fullname: "Tim Cappalli"
+      organization: "Microsoft"
+  date: 2021-06
+  target: "https://openid.net/specs/openid-caep-specification-1_0-01.html"
+
+ SSF:
+  title: "OpenID Shared Signals and Events Framework Specification 1.0"
+  author:
+    - initials: "A."
+      surname: "Tulshibagwale"
+      fullname: "Atul Tulshibagwale"
+      organization: "Google"
+    - initials: "T."
+      surname: "Cappalli"
+      fullname: "Tim Cappalli"
+      organization: "Microsoft"
+    - initials: "M."
+      surname: "Scurtescu"
+      fullname: "Marius Scurtescu"
+      organization: "Coinbase"
+    - initials: "A."
+      surname: "Backman"
+      fullname: "Annabelle Backman"
+      organization: "Amazon"
+    - initials: "J."
+      surname: "Bradley"
+      fullname: "John Bradley"
+      organization: "Yubico"
+  date: 2021-06
+  target: "https://openid.net/specs/openid-sse-framework-1_0-01.html"
+
 --- abstract
 
 This document describes threats against cross-device flows
