Re: [OAUTH-WG] problem statement
Michael Thomas <mike@mtcc.com> Wed, 07 September 2011 20:15 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BF5621F8CF0 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 13:15:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.745
X-Spam-Level:
X-Spam-Status: No, score=-1.745 tagged_above=-999 required=5 tests=[AWL=-0.566, BAYES_00=-2.599, SARE_ADULT2=1.42]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yRqDuNGqV964 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 13:15:27 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id BC37C21F8AD9 for <oauth@ietf.org>; Wed, 7 Sep 2011 13:15:27 -0700 (PDT)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id p87KHDHa022635 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 7 Sep 2011 13:17:14 -0700
Message-ID: <4E67D149.8080200@mtcc.com>
Date: Wed, 07 Sep 2011 13:17:13 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Kristoph <kristoph@gmail.com>
References: <4E665B25.6090709@mtcc.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <4E67A710.9070505@alcatel-lucent.com> <4E67A942.1070200@mtcc.com> <90C41DD21FB7C64BB94121FBBC2E7234518A4F274E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E67C501.3060001@mtcc.com> <4E67C6C9.1070704@stpete! r.im> <4E67C893.5060505@mtcc.com> <E37B0B59-787B-4F23-B708-596235235C79@gmail.co! m>
In-Reply-To: <E37B0B59-787B-4F23-B708-596235235C79@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3859; t=1315426635; x=1316290635; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20problem=20statement |Sender:=20 |To:=20Kristoph=20<kristoph@gmail.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=EcLeK9UrxgXTPkZovhKC9qBoLdDxJy1ZJ9p873rFT1Y=; b=ZwONiG7aZZUXXp1kPXAg1QCNQ6NIonmQb4NEkP0J1HcUjKHhrq0LKGzaI8 7WApccm2Ro5modQ/OGdoyCQLymKEILZRU7R06QgWlR1vWLgmnRVQBgMR+FoY Yk+CapAWTkOJg5qQl4SWvEz1hYVUAL8b7NMiCSFalmnbeGlOXGjG4=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 20:15:28 -0000
On 09/07/2011 12:56 PM, Kristoph wrote: > Mike, > > I am an implementer of this specification. I am struggling to understand what it is you are trying to communicate. > > The only thing I can discern is that you believe there is a large cadre of software architects / developers who you think have the skill to read and understand this specification, design and implement an OAuth 2.0 server, and yet not understand that a rogue embedded UA would compromise the end users credentials. Is that basically your concern? > I think that the fine point of a rogue embedded UA will be lost on people, yes. Especially those who are specing out the higher level authentication service deployment. We have both Twitter and Facebook out there in the wild who are subject to this attack right now. Are they aware of the attack? I really don't know. Mike > ]{ > > On Sep 7, 2011, at 12:40 PM, Michael Thomas wrote: > > >> On 09/07/2011 12:32 PM, Peter Saint-Andre wrote: >> >>> On 9/7/11 1:24 PM, Michael Thomas wrote: >>> >>> >>>> On 09/07/2011 12:12 PM, Eran Hammer-Lahav wrote: >>>> >>>> [more browbeating elided] >>>> >>>> >>>> >>>>> In fact, you guys have convinced me that OAuth gives inferior >>>>> protection at >>>>> >>>>> >>>>>> considerable expense for all concerned. >>>>>> >>>>>> >>>>>> >>>>> an irresponsible and serious offense - the kind of baseless FUD that >>>>> can cause real damage to important work. >>>>> >>>>> >>>>> >>>> I have written down at least 3 or 4 times why I think it's inferior. >>>> Nobody attacking the messenger including yourself has answered >>>> it. There's FUD here, but not from me. >>>> >>>> >>> Mike, did you propose text to address the concern? Per recent discussion >>> I think the threat-model document is the right place for it, so please >>> take a look at that spec to see where your proposed text can slot in. >>> >>> >> Yes, I outlined what I think should be done at a minimum. I've >> also been told by the editor that he won't consider it. Barry >> has said that he won't consider it either. Unless the working >> group is open to changes, I'm not going to waste my time crafting >> the actual changes. So this is your call. >> >> Here's what I wrote previously: >> >> [...] >> >> Second, I'd say that [section 9] is a good first step, but the text there >> should be explicit and not pussy-foot around the fact that it >> means embedded UA's in phone apps and other examples. It >> should also make clear that the "challenge" (ack, ptui) involves >> untrusted apps stealing the user's credentials by simply snooping >> on the UA itself. If there is reasonable mitigation, then by all means >> add text about it. This is important because I do not think that >> many people grok the seriousness of the issue, and most especially >> people who would deploy oauth authentication services. >> >> Third, I think that the introduction needs to have an applicability >> statement of *when/where/what* oauth can be used. That is, >> do not beat around the bush about the need for the UA to be >> trustable because that is a basic the assumption that oauth makes. >> As inconvenient as that may be, it would be far worse for people >> in the industry to not fully understand the threat. >> >> Fourth, it would be *really* nice to hear from folks at Facebook >> and Twitter who have deployed oauth and oauth-like flows with >> their experience here, and most especially if they understood the >> threat ahead of their deployment, and what they do to mitigate >> it if anything. >> >> >> Mike >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >>
- Re: [OAUTH-WG] problem statement Paul Madsen
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement John Kemp
- Re: [OAUTH-WG] problem statement Michael Thomas
- [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement William Mills
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement William Mills
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Justin Richer
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Jill Burrows
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Aiden Bell
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Aiden Bell
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Justin Richer
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement John Kemp
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement John Kemp
- Re: [OAUTH-WG] problem statement William Mills
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement John Kemp
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Aiden Bell
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Peter Saint-Andre
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Peter Saint-Andre
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Peter Saint-Andre
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement William Mills
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Manger, James H
- Re: [OAUTH-WG] problem statement Justin Richer
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement John Kemp
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Igor Faynberg
- Re: [OAUTH-WG] problem statement David Waite
- Re: [OAUTH-WG] problem statement Phil Hunt
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Peter Saint-Andre
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Aiden Bell
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Aiden Bell
- Re: [OAUTH-WG] problem statement Peter Saint-Andre
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Eran Hammer-Lahav
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement Melinda Shore
- Re: [OAUTH-WG] problem statement Ben Niven-Jenkins
- Re: [OAUTH-WG] problem statement Michael Thomas
- Re: [OAUTH-WG] problem statement David Recordon
- Re: [OAUTH-WG] problem statement Thomas Hardjono
- Re: [OAUTH-WG] problem statement Phil Hunt