# OAuth Virtual Interim Meeting - 29.09.2025 {#oauth-virtual-interim-meeting---29092025}

# Updating Security BCP {#updating-security-bcp}

https://datatracker.ietf.org/doc/draft-wuertele-oauth-security-topics-update/

Adonis Fung started the presentation and presented the history. Adonis described the COAT attack - Cross-tool OAuth Account Takeover.

Kaiuan Luo continued the presentation by talking about the second type of attack, the Cross-user OAuth Session Fixation attack.

Aaron: These are specific recommendations for specific attacks. So, find a name that is narrow in scope. I do not want to make it look like it replaces the Security BCP RFC.

Deb: Would this specification replace the Security BCP RFC?

Adonis: I agree. I do not think we replace the entire draft. We would like to get some specific directions.

Brian: A BCP can reference multiple BCPs. This is new content - new security considerations. I imagine this being new security considerations for OAuth in deployment x, y, z.

Deb: It is possible to stack this underneath the BCP. I think this is possible. You will always have the next new attack. Publish early and publish often.

Filip: I do not think this applies to the work I am doing. I do not want to take everything that is a security vulnerability and stuff everything under the BCP.

Discussion about how to progress. Rifaat and Hannes will issue an adoption call and will discuss with Deb about the document management part. The group is also invited to provide input on the document management aspects.