<!DOCTYPE html> <html lang="en" > <head> <meta name="viewport" content="width=device-width,initial-scale=1"> <title>Aikya | Site under maintenance</title> <style> body { background: #081421; color: #d3d7de; font-family: "Courier new"; font-size: 18px; line-height: 1.5em; cursor: default; } .code-area { position: absolute; width: 320px; min-width: 320px; top: 50%; left: 50%; -webkit-transform: translate(-50%, -50%); transform: translate(-50%, -50%); } .code-area > span { display: block; } @media screen and (max-width: 320px) { .code-area { font-size: 5vw; min-width: auto; width: 95%; margin: auto; padding: 5px; padding-left: 10px; line-height: 6.5vw; } } </style> </head> <body> <div class="code-area"> <span style="color: #777;font-style:italic;"> // Site Under Maintenance. </span> <span> <span style="color:#d65562;"> if </span> (<span style="color:#4ca8ef;">!</span><span style="font-style: italic;color:#bdbdbd;">happy</span>) { </span> <span> <span style="padding-left: 15px;color:#2796ec"> <i style="width: 10px;display:inline-block"></i>throw </span> <span> (<span style="color: #a6a61f">"(╯°□°)╯︵ ┻━┻"</span>); </span> <span style="display:block">}</span> </span> </div> </script> </body> </html> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <link rel="shortcut icon" href="%PUBLIC_URL%/favicon.ico" /> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /> <meta name="theme-color" content="#000000" />  <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />  <title>designdev</title> </head> <body> <noscript> You need to enable JavaScript to run this app. </noscript> <div id="root"></div>  </body> </html> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/"> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta name="description" content="Delegated Recovery Specification" /> <meta name="Keywords" content="Facebook,Delegated Recovery Specification, Delegated Account Recovery" /> <title>Delegated Account Recovery</title> <style type="text/css" title="Xml2Rfc (sans serif)"> /*<![CDATA[*/ a { text-decoration: none; } /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */ a.info { /* This is the key. */ position: relative; z-index: 24; text-decoration: none; } a.info:hover { z-index: 25; color: #FFF; background-color: #900; } a.info span { display: none; } a.info:hover span.info { /* The span will display just on :hover state. */ display: block; position: absolute; font-size: smaller; top: 2em; left: -5em; width: 15em; padding: 2px; border: 1px solid #333; color: #900; background-color: #EEE; text-align: left; } a.smpl { color: black; } a:hover { text-decoration: underline; } a:active { text-decoration: underline; } address { margin-top: 1em; margin-left: 2em; font-style: normal; } body { color: black; font-family: verdana, helvetica, arial, sans-serif; font-size: 10pt; max-width: 55em; } cite { font-style: normal; } dd { margin-right: 2em; } dl { margin-left: 2em; } ul.empty { list-style-type: none; } ul.empty li { margin-top: .5em; } dl p { margin-left: 0em; } dt { margin-top: .5em; } h1 { font-size: 14pt; line-height: 21pt; page-break-after: avoid; } h1.np { page-break-before: always; } h1 a { color: #333333; } h2 { font-size: 12pt; line-height: 15pt; page-break-after: avoid; } h3, h4, h5, h6 { font-size: 10pt; page-break-after: avoid; } h2 a, h3 a, h4 a, h5 a, h6 a { color: black; } img { margin-left: 3em; } li { margin-left: 2em; margin-right: 2em; } ol { margin-left: 2em; margin-right: 2em; } ol p { margin-left: 0em; } p { margin-left: 2em; margin-right: 2em; } pre { margin-left: 3em; background-color: lightyellow; padding: .25em; } pre.text2 { border-style: dotted; border-width: 1px; background-color: #f0f0f0; width: 69em; } pre.inline { background-color: white; padding: 0em; } pre.text { border-style: dotted; border-width: 1px; background-color: #f8f8f8; width: 69em; } pre.drawing { border-style: solid; border-width: 1px; background-color: #f8f8f8; padding: 2em; } table { margin-left: 2em; } table.tt { vertical-align: top; } table.full { border-style: outset; border-width: 1px; } table.headers { border-style: outset; border-width: 1px; } table.tt td { vertical-align: top; } table.full td { border-style: inset; border-width: 1px; } table.tt th { vertical-align: top; } table.full th { border-style: inset; border-width: 1px; } table.headers th { border-style: none none inset none; border-width: 1px; } table.left { margin-right: auto; } table.right { margin-left: auto; } table.center { margin-left: auto; margin-right: auto; } caption { caption-side: bottom; font-weight: bold; font-size: 9pt; margin-top: .5em; } table.header { border-spacing: 1px; width: 95%; font-size: 10pt; color: white; } td.top { vertical-align: top; } td.topnowrap { vertical-align: top; white-space: nowrap; } table.header td { background-color: gray; width: 50%; } table.header a { color: white; } td.reference { vertical-align: top; white-space: nowrap; padding-right: 1em; } thead { display:table-header-group; } ul.toc, ul.toc ul { list-style: none; margin-left: 1.5em; margin-right: 0em; padding-left: 0em; } ul.toc li { line-height: 150%; font-weight: bold; font-size: 10pt; margin-left: 0em; margin-right: 0em; } ul.toc li li { line-height: normal; font-weight: normal; font-size: 9pt; margin-left: 0em; margin-right: 0em; } li.excluded { font-size: 0pt; } ul p { margin-left: 0em; } .comment { background-color: yellow; } .center { text-align: center; } .error { color: red; font-style: italic; font-weight: bold; } .figure { font-weight: bold; text-align: center; font-size: 9pt; } .filename { color: #333333; font-weight: bold; font-size: 12pt; line-height: 21pt; text-align: center; } .fn { font-weight: bold; } .hidden { display: none; } .left { text-align: left; } .right { text-align: right; } .title { color: #990000; font-size: 18pt; line-height: 18pt; font-weight: bold; text-align: center; margin-top: 36pt; } .vcardline { display: block; } .warning { font-size: 14pt; background-color: yellow; } @media print { .noprint { display: none; } a { color: black; text-decoration: none; } table.header { width: 90%; } td.header { width: 50%; color: black; background-color: white; vertical-align: top; font-size: 12pt; } ul.toc a::after { content: leader('.') target-counter(attr(href), page); } ul.ind li li a { content: target-counter(attr(href), page); } .print2col { column-count: 2; -moz-column-count: 2; column-fill: auto; } } @page { @top-left { content: "Unofficial Draft"; } @top-right { content: "December 2010"; } @top-center { content: "Abbreviated Title"; } @bottom-left { content: "Doe"; } @bottom-center { content: "Expires June 2011"; } @bottom-right { content: "[Page " counter(page) "]"; } } @page:first { @top-left { content: normal; } @top-right { content: normal; } @top-center { content: normal; } } /*]]>*/ </style> <link href="#rfc.toc" rel="Contents"> <link href="#rfc.section.1" rel="Chapter" title="1 Introduction"> <link href="#rfc.section.1.1" rel="Chapter" title="1.1 Notational Conventions"> <link href="#rfc.section.1.1.1" rel="Chapter" title="1.1.1 Presentation Language"> <link href="#rfc.section.1.2" rel="Chapter" title="1.2 Challenges with Existing Account Recovery Solutions"> <link href="#rfc.section.1.2.1" rel="Chapter" title="1.2.1 Recovery Questions"> <link href="#rfc.section.1.2.2" rel="Chapter" title="1.2.2 Password Hints"> <link href="#rfc.section.1.2.3" rel="Chapter" title="1.2.3 Email Recovery"> <link href="#rfc.section.1.2.4" rel="Chapter" title="1.2.4 Federated Authentication"> <link href="#rfc.section.1.2.5" rel="Chapter" title="1.2.5 Alternate Methods"> <link href="#rfc.section.1.3" rel="Chapter" title="1.3 Relationship to Other Protocols"> <link href="#rfc.section.1.4" rel="Chapter" title="1.4 Goals"> <link href="#rfc.section.1.5" rel="Chapter" title="1.5 Roles"> <link href="#rfc.section.1.6" rel="Chapter" title="1.6 Protocol Flow"> <link href="#rfc.section.1.6.1" rel="Chapter" title="1.6.1 Establishing a Delegated Recovery Capability"> <link href="#rfc.section.1.6.2" rel="Chapter" title="1.6.2 Exercising a Delegated Recovery Capability"> <link href="#rfc.section.1.7" rel="Chapter" title="1.7 TLS Version"> <link href="#rfc.section.1.8" rel="Chapter" title="1.8 HTTP Redirections"> <link href="#rfc.section.1.9" rel="Chapter" title="1.9 Application User Agents"> <link href="#rfc.section.2" rel="Chapter" title="2 Fetching Configuration"> <link href="#rfc.section.3" rel="Chapter" title="3 Protocol Endpoints"> <link href="#rfc.section.3.1" rel="Chapter" title="3.1 Save Token Endpoint"> <link href="#rfc.section.3.1.1" rel="Chapter" title="3.1.1 Processing Instructions"> <link href="#rfc.section.3.2" rel="Chapter" title="3.2 Save Token Return Endpoint"> <link href="#rfc.section.3.3" rel="Chapter" title="3.3 Save Token Async API Endpoint"> <link href="#rfc.section.3.3.1" rel="Chapter" title="3.3.1 Asynchronous Message Contract"> <link href="#rfc.section.3.4" rel="Chapter" title="3.4 Recover Account Endpoint"> <link href="#rfc.section.3.5" rel="Chapter" title="3.5 Recover Account Return Endpoint"> <link href="#rfc.section.3.6" rel="Chapter" title="3.6 Token Status Endpoint"> <link href="#rfc.section.3.6.1" rel="Chapter" title="3.6.1 Processing Instructions"> <link href="#rfc.section.3.6.2" rel="Chapter" title="3.6.2 Security Considerations"> <link href="#rfc.section.4" rel="Chapter" title="4 Token Generation"> <link href="#rfc.section.4.1" rel="Chapter" title="4.1 Recovery Token"> <link href="#rfc.section.4.1.1" rel="Chapter" title="4.1.1 Internal Structure"> <link href="#rfc.section.4.1.2" rel="Chapter" title="4.1.2 Opaque Data"> <link href="#rfc.section.4.1.3" rel="Chapter" title="4.1.3 Signature"> <link href="#rfc.section.4.2" rel="Chapter" title="4.2 Counter-Signed Recovery Token"> <link href="#rfc.section.4.2.1" rel="Chapter" title="4.2.1 Internal Structure"> <link href="#rfc.section.4.2.2" rel="Chapter" title="4.2.2 Counter-Signed Recovery Token Signature"> <link href="#rfc.section.5" rel="Chapter" title="5 Use in Key Recovery"> <link href="#rfc.section.6" rel="Chapter" title="6 Security Considerations"> <link href="#rfc.section.6.1" rel="Chapter" title="6.1 Deterministic Use of ECDSA"> <link href="#rfc.section.6.2" rel="Chapter" title="6.2 User Notification"> <link href="#rfc.section.6.3" rel="Chapter" title="6.3 Additional Verification"> <link href="#rfc.section.6.3.1" rel="Chapter" title="6.3.1 At the Recovery Provider"> <link href="#rfc.section.6.3.2" rel="Chapter" title="6.3.2 At the Account Provider"> <link href="#rfc.section.6.4" rel="Chapter" title="6.4 Low Friction Tokens and Delegated Multi-Factor Authentication"> <link href="#rfc.section.6.5" rel="Chapter" title="6.5 Cross-Site Request Forgery"> <link href="#rfc.section.6.6" rel="Chapter" title="6.6 Breach Detection"> <link href="#rfc.section.6.7" rel="Chapter" title="6.7 Clock Skew"> <link href="#rfc.section.6.8" rel="Chapter" title="6.8 Key Loss and Compromise"> <link href="#rfc.section.6.9" rel="Chapter" title="6.9 TLS or HTTPS Certificate Compromise"> <link href="#rfc.section.6.10" rel="Chapter" title="6.10 Token Leakage"> <link href="#rfc.section.7" rel="Chapter" title="7 Implementation Notes"> <link href="#rfc.section.8" rel="Chapter" title="8 IANA Considerations"> <link href="#rfc.section.9" rel="Chapter" title="9 Acknowledgements"> <link href="#rfc.references" rel="Chapter" title="10 Normative References"> <link href="#rfc.appendix.A" rel="Chapter" title="A Initial Algorithm Registry Contents"> <link href="#rfc.authors" rel="Chapter"> <meta name="generator" content="xml2rfc version 2.8.2 - https://tools.ietf.org/tools/xml2rfc" /> <link rel="schema.dct" href="http://purl.org/dc/terms/" /> <meta name="dct.creator" content="Hill, B., Ed." /> <meta name="dct.identifier" content="urn:ietf:id:draft-hill-delegated-recovery" /> <meta name="dct.issued" scheme="ISO8601" content="2017-10-26" /> <meta name="dct.abstract" content="Delegated Account Recovery allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user or entity at a third party service provider." /> <meta name="description" content="Delegated Account Recovery allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user or entity at a third party service provider." /> </head> <body> <table class="header"> <tbody> <tr> <td class="left">Facebook, Inc.</td> <td class="right">B. Hill, Ed.</td> </tr> <tr> <td class="left">Unofficial Draft</td> <td class="right">Facebook, Inc.</td> </tr> <tr> <td class="left"></td> <td class="right">October 26, 2017</td> </tr> <tr> <td class="left">Expires: April 29, 2018</td> <td class="right"></td> </tr> </tbody> </table> <p class="title">Delegated Account Recovery<br /> <span class="filename">draft-hill-delegated-recovery</span></p> <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1> <p>Delegated Account Recovery allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user or entity at a third party service provider.</p> <h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1> <p>This Unofficial Draft will expire on April 29, 2018.</p> <h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1> <p>Copyright (c) 2016-2017 Facebook, Inc. and the persons identified as the document authors and published under the Creative Commons Attribution 4.0 International license.</p> <hr class="noprint" /> <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1> <ul class="toc"> <li>1. <a href="#rfc.section.1">Introduction</a> </li> <ul><li>1.1. <a href="#rfc.section.1.1">Notational Conventions</a> </li> <ul><li>1.1.1. <a href="#rfc.section.1.1.1">Presentation Language</a> </li> </ul><li>1.2. <a href="#rfc.section.1.2">Challenges with Existing Account Recovery Solutions</a> </li> <ul><li>1.2.1. <a href="#rfc.section.1.2.1">Recovery Questions</a> </li> <li>1.2.2. <a href="#rfc.section.1.2.2">Password Hints</a> </li> <li>1.2.3. <a href="#rfc.section.1.2.3">Email Recovery</a> </li> <li>1.2.4. <a href="#rfc.section.1.2.4">Federated Authentication</a> </li> <li>1.2.5. <a href="#rfc.section.1.2.5">Alternate Methods</a> </li> </ul><li>1.3. <a href="#rfc.section.1.3">Relationship to Other Protocols</a> </li> <li>1.4. <a href="#rfc.section.1.4">Goals</a> </li> <li>1.5. <a href="#rfc.section.1.5">Roles</a> </li> <li>1.6. <a href="#rfc.section.1.6">Protocol Flow</a> </li> <ul><li>1.6.1. <a href="#rfc.section.1.6.1">Establishing a Delegated Recovery Capability</a> </li> <li>1.6.2. <a href="#rfc.section.1.6.2">Exercising a Delegated Recovery Capability</a> </li> </ul><li>1.7. <a href="#rfc.section.1.7">TLS Version</a> </li> <li>1.8. <a href="#rfc.section.1.8">HTTP Redirections</a> </li> <li>1.9. <a href="#rfc.section.1.9">Application User Agents</a> </li> </ul><li>2. <a href="#rfc.section.2">Fetching Configuration</a> </li> <li>3. <a href="#rfc.section.3">Protocol Endpoints</a> </li> <ul><li>3.1. <a href="#rfc.section.3.1">Save Token Endpoint</a> </li> <ul><li>3.1.1. <a href="#rfc.section.3.1.1">Processing Instructions</a> </li> </ul><li>3.2. <a href="#rfc.section.3.2">Save Token Return Endpoint</a> </li> <li>3.3. <a href="#rfc.section.3.3">Save Token Async API Endpoint</a> </li> <ul><li>3.3.1. <a href="#rfc.section.3.3.1">Asynchronous Message Contract</a> </li> </ul><li>3.4. <a href="#rfc.section.3.4">Recover Account Endpoint</a> </li> <li>3.5. <a href="#rfc.section.3.5">Recover Account Return Endpoint</a> </li> <li>3.6. <a href="#rfc.section.3.6">Token Status Endpoint</a> </li> <ul><li>3.6.1. <a href="#rfc.section.3.6.1">Processing Instructions</a> </li> <li>3.6.2. <a href="#rfc.section.3.6.2">Security Considerations</a> </li> </ul></ul><li>4. <a href="#rfc.section.4">Token Generation</a> </li> <ul><li>4.1. <a href="#rfc.section.4.1">Recovery Token</a> </li> <ul><li>4.1.1. <a href="#rfc.section.4.1.1">Internal Structure</a> </li> <li>4.1.2. <a href="#rfc.section.4.1.2">Opaque Data</a> </li> <li>4.1.3. <a href="#rfc.section.4.1.3">Signature</a> </li> </ul><li>4.2. <a href="#rfc.section.4.2">Counter-Signed Recovery Token</a> </li> <ul><li>4.2.1. <a href="#rfc.section.4.2.1">Internal Structure</a> </li> <li>4.2.2. <a href="#rfc.section.4.2.2">Counter-Signed Recovery Token Signature</a> </li> </ul></ul><li>5. <a href="#rfc.section.5">Use in Key Recovery</a> </li> <li>6. <a href="#rfc.section.6">Security Considerations</a> </li> <ul><li>6.1. <a href="#rfc.section.6.1">Deterministic Use of ECDSA</a> </li> <li>6.2. <a href="#rfc.section.6.2">User Notification</a> </li> <li>6.3. <a href="#rfc.section.6.3">Additional Verification</a> </li> <ul><li>6.3.1. <a href="#rfc.section.6.3.1">At the Recovery Provider</a> </li> <li>6.3.2. <a href="#rfc.section.6.3.2">At the Account Provider</a> </li> </ul><li>6.4. <a href="#rfc.section.6.4">Low Friction Tokens and Delegated Multi-Factor Authentication</a> </li> <li>6.5. <a href="#rfc.section.6.5">Cross-Site Request Forgery</a> </li> <li>6.6. <a href="#rfc.section.6.6">Breach Detection</a> </li> <li>6.7. <a href="#rfc.section.6.7">Clock Skew</a> </li> <li>6.8. <a href="#rfc.section.6.8">Key Loss and Compromise</a> </li> <li>6.9. <a href="#rfc.section.6.9">TLS or HTTPS Certificate Compromise</a> </li> <li>6.10. <a href="#rfc.section.6.10">Token Leakage</a> </li> </ul><li>7. <a href="#rfc.section.7">Implementation Notes</a> </li> <li>8. <a href="#rfc.section.8">IANA Considerations</a> </li> <li>9. <a href="#rfc.section.9">Acknowledgements</a> </li> <li>10. <a href="#rfc.references">Normative References</a> </li> <li>Appendix A. <a href="#rfc.appendix.A">Initial Algorithm Registry Contents</a> </li> <li><a href="#rfc.authors">Author's Address</a> </li> </ul> <h1 id="rfc.section.1"> <a href="#rfc.section.1">1.</a> Introduction</h1> <h1 id="rfc.section.1.1"> <a href="#rfc.section.1.1">1.1.</a> Notational Conventions</h1> <p id="rfc.section.1.1.p.1">In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>.</p> <h1 id="rfc.section.1.1.1"> <a href="#rfc.section.1.1.1">1.1.1.</a> Presentation Language</h1> <p id="rfc.section.1.1.1.p.1">This document deals with the formatting of tokens in an external representation using a casually defined syntax drawing from that used in <a href="#RFC5246" class="xref">[RFC5246]</a> and resembling the programming la