draft-ietf-oauth-cross-device-security-03

• Introduced normative SHOULD, RECOMMENDED and MAY when applied to actions the Authorization Server, Resource Server or Client may implement.
• Added User Education as a standalone mitigation.
• Added Maryam Mehrnezhad, Marco Pernpruner and Giada Sciarretta to the contributors list.
• Added Request Binding with Out-of-Band Data as an additional mitigation (feedback received at OSW 2023)
• Adopted the OpenID Foundation terminology from [CIBA] and changed Initiating Device to Consumption Device
• Added Fake Helpdesk and Consent Request Overload examples (new variations of attacks observed in the wild)
• Replaced "Authenticated Flow" mitigation name with "Authenticate-then-Intitiate"
• Added Cross-Device Session Transfer pattern (feedback received at OSW 2023)

What's Changed

• Capitalise SHOULD, MAY and RECOMMENDED where appropriate by @PieterKas in #75
• Fix punctuation, typos and hyphenation by @marcopernpruner in #81
• Inconsistency on "Authorization Device" by @marcopernpruner in #83
• Added User Education as an explicit mitigations by @PieterKas in #88
• Additional UX mitigation by @PieterKas in #90
• Additional mitigation by @PieterKas in #91
• Added contributors by @PieterKas in #102
• Added Out-of-Band User Entered Data Mitigation by @PieterKas in #101
• Refined the trusted devices section. by @PieterKas in #103
• Changed Terminology from Initiating Device to Consumption Device by @PieterKas in #106
• Fix header level for Request Binding with Out-of-Band Data by @marcopernpruner in #108
• Added Fake Helpdesk attack example by @PieterKas in #110
• Added Example B.9 by @PieterKas in #109
• Adding support for session transfer by @PieterKas in #112
• Alternative name for Authenticated Flow by @PieterKas in #111
• Restructure User Experience mitigation by @marcopernpruner in #107
• Editorial changes in intro and concepts section by @danielfett in #114
• Additional editorial changes by @danielfett in #115
• Fix editorial issues by @marcopernpruner in #113

New Contributors

• @marcopernpruner made their first contribution in #81

Full Changelog: draft-ietf-oauth-cross-device-security-02...draft-ietf-oauth-cross-device-security-03

draft-ietf-oauth-cross-device-security-02

• Introduced Cross-Device Consent Phishing as a label for the types of attacks described in this document.
• Updated labels for different types of flows (User-Transferred Session Data Pattern, Backchannel-Transferred Session Pattern, User-Transferred Authorization Data Pattern)
• Adopted consistent use of hyphenation in using "cross-device"
• Consistent use of "Authorization Device"
• Update Reference to Secure Signals Framework to reflect name change from Secure Signals and Events
• Described difference between proximity enforced and proximity-less cross-device flows
• Fixed typos and grammar edits
• Capitalised Initiating Device and Authorization Device
• General editorial pass

draft-ietf-oauth-cross-device-security-01

Added additional diagrams and descriptions to distinguish between different cross-device flow patterns.
Added short description on limitations of each mitiagtion.
Added acknowledgement of additional contributors.
Fixed document history format.

draft-ietf-oauth-cross-device-security-00: fix build process

https://github.com/martinthomson/i-d-template/issues/356