Unicode.org mail system maintenance
Julian Bradfield
junicode at jcbradfield.org
Fri May 21 07:50:04 CDT 2021
On 2021-05-20, James Kass via Unicode <unicode at corp.unicode.org> wrote:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
>
> <quote>
> 4.1.3. Countermeasures
>
> The complexity of implementing and managing pattern matching
> correctly obviously causes security issues. This document therefore
> advises to simplify the required logic and configuration by using
> exact redirect URI matching. This means the authorization server
> MUST compare the two URIs using simple string comparison as defined
> in [RFC3986], Section 6.2.1.
> <end quote>
>
> I'm no expert on OAuth, but it appears that current recommendations
> require an exact match for domain names. Wildcard or partial domain
> name strings leave openings for attackers to exploit.
But what on earth does this have to do with mailing lists?
You don't use OAuth2 to connect to mail servers as an MTA, and Unicode
shouldn't be using OAuth2 when we manage our subscriptions.
What's completely unclear in the explanation is where OAuth2 enters
into mailing list administration.
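As an added illustration of the countermeasure quoted above (not code from either message or from the IETF draft), this shows the exact redirect_uri comparison beside the lenient prefix matching it replaces; the client registration and the near-miss candidate URIs are constructed samples.

```python
# Added example: two ways an authorization server could check the redirect_uri
# parameter of an authorization request against a client's registered URIs.
# Only the first follows draft-ietf-oauth-security-topics 4.1.3 (exact match,
# simple string comparison as in RFC 3986 section 6.2.1).

# Constructed sample registration for a hypothetical client.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example.com/callback",
})


def redirect_uri_allowed_exact(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact matching: the candidate must equal a registered URI character for
    character. No case folding, no percent-decoding, no trailing-slash or query
    tolerance; that is what 'simple string comparison' means in RFC 3986 6.2.1."""
    return candidate in registered


def redirect_uri_allowed_prefix(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Lenient prefix matching, included only to contrast with the exact check.
    It accepts any string that merely starts with a registered URI, which is the
    kind of pattern logic the draft advises against."""
    return any(candidate.startswith(r) for r in registered)


def validate_authorization_request(params, registered=REGISTERED_REDIRECT_URIS):
    """Apply the exact check to a parsed authorization request. Returns an OAuth
    error code string on failure, or None when the redirect_uri is acceptable.
    A missing redirect_uri is treated as invalid here (an assumption of this
    example, not a rule taken from the draft)."""
    uri = params.get("redirect_uri")
    if uri is None or not redirect_uri_allowed_exact(uri, registered):
        # The server must not send the user agent to an unregistered URI, so the
        # error is reported directly rather than via the candidate redirect_uri.
        return "invalid_request"
    return None


# Constructed near-miss candidates: each differs from the registration only slightly.
NEAR_MISSES = [
    "https://app.example.com/callback/",
    "https://app.example.com/callback?state=1",
    "HTTPS://app.example.com/callback",
]


def compare_matchers(candidates):
    """Return {candidate: (exact_result, prefix_result)} for each candidate, so the
    two policies can be compared side by side on the same inputs."""
    return {c: (redirect_uri_allowed_exact(c), redirect_uri_allowed_prefix(c))
            for c in candidates}
```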