OAuth 2.0 Security Best Current Practice
draft-ietf-oauth-security-topics-25

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Hannes Tschofenig <hannes.tschofenig@arm.com>, The IESG <iesg@ietf.org>, draft-ietf-oauth-security-topics@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'OAuth 2.0 Security Best Current Practice' to Best Current Practice (draft-ietf-oauth-security-topics-25.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Security Best Current Practice'
  (draft-ietf-oauth-security-topics-25.txt) as Best Current Practice

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/


Ballot Text

Technical Summary

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   [RFC6749], [RFC6750], and [RFC6819] to incorporate practical
   experiences gathered since OAuth 2.0 was published and covers new
   threats relevant due to the broader application of OAuth 2.0.  It
   further deprecates some modes of operation that are deemed less
   secure or even insecure.

Working Group Summary

   Was there anything in the WG process that is worth noting?
   For example, was there controversy about particular points 
   or were there decisions where the consensus was
   particularly rough? 

Document Quality

   Are there existing implementations of the protocol?  Have a 
   significant number of vendors indicated their plan to
   implement the specification?  Are there any reviewers that
   merit special mention as having done a thorough review,
   e.g., one that resulted in important changes or a
   conclusion that the document had no substantive issues?  If
   there was a MIB Doctor, Media Type, or other Expert Review,
   what was its course (briefly)?  In the case of a Media Type
   Review, on what date was the request posted?

Personnel

   The Document Shepherd for this document is Hannes Tschofenig. The
   Responsible Area Director is Roman Danyliw.

IANA Note

  (Insert IANA Note here or remove section)

RFC Editor Note