IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Wed, 07 September 2011 01:56 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D20921F8E4B for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 18:56:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VuAH8w9+U04b for <oauth@ietfa.amsl.com>; Tue, 6 Sep 2011 18:55:59 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id A485C21F8E53 for <oauth@ietf.org>; Tue, 6 Sep 2011 18:55:59 -0700 (PDT)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id p871vkx0024515 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 6 Sep 2011 18:57:46 -0700
Message-ID: <4E66CF9A.8000905@mtcc.com>
Date: Tue, 06 Sep 2011 18:57:46 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: William Mills <wmills@yahoo-inc.com>
References: <4E665B25.6090709@mtcc.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <4E66B964.2060808@stpeter.im> <4E66BFF0.9020008@gmail.com> <4E66C407.9090209@stpeter.im> <4E66C521.5070804@mtcc.com> <1315358847.25169.YahooMailNeo@web31809.mail.mud.yahoo.com>
In-Reply-To: <1315358847.25169.YahooMailNeo@web31809.mail.mud.yahoo.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2557; t=1315360667; x=1316224667; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20problem=20statement |Sender:=20 |To:=20William=20Mills=20<wmills@yahoo-inc.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=vh45YxbmDbVRsOqCC69q6ZJLXEbfhZ5OqY4VsaIR+2s=; b=enhvbIIUdreqLrk4jzcm4OY2omzse+7nIcptUpIOk20uewghqA8ZTTs/+s 435KyeCxXtnsgjqKL2feAc7F8z5EBSHNF055LMKkauWnCtPcGTz4BdfrfM2X mwP1Bs2Cl5996vdhc1FnNs5GtcI1OWxUtID6UiO0eth0McRvwAAEU=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 01:56:00 -0000

On 09/06/2011 06:27 PM, William Mills wrote:
> I think the only potential mitigation OAuth can offer is that the 
> authenticating sites can do more due dilligence about the clients they 
> allow.  I say this knowing that it's not likely to happen in most 
> cases, but it's possible.  Sites *can* limit the clients they allow, 
> *but* it doesn't really work for installed clients on the desktop, 
> software copy protection being the hard problem that it has proved to be.

Yeah, I agree that it would be hard for the authenticating side to
do much, mainly because it's hard for them to tell if the app is
doing something untoward. I wonder if triggering DOM keypress
events gets propagated up to external webview code and you could
set some honeypots or steganography... hmm. I'm sorry but I'm still
very new to thinking about this problem space.

>
> Nobody dismisses the problem you're talking about, it's definitely a 
> problem.  What you have not do is provided any concrete way in which 
> OAuth can mitigate it beyond it's present state.

At this point, it would be just nice for the industry to know that the issue
even *exists*. Hence my puzzlement at the overt hostility from some 
quarters.

>
> I personally want OAuth 2.0 to get out the door.  What you seem to be 
> asking for (if we really go there) is a far more comprehensive and 
> general security considerations section that's goign to cover a huge 
> swath of space not specific to OAuth.  I don't think what you're 
> asking for is specific to OAuth, so I don't think it's appropriate to 
> take this spec there.

I have no dog in this race. I was just very puzzled by the lack of 
discussion
about the lack of applicability of the protocol in either the protocol 
document
or in the threats. It made me wonder whether this scenario had even been
considered. I'm still not sure if it had been.

> If you really think you've got something here, draft language and 
> propose it.  That takes this from the theory of the problem to 
> specifics.  It's got to be concrete though and actionable.  The recent 
> discussions around CSRF identified a problem of CSRF in the auth 
> server, and the new language addresses that in an actionable way.
>

Like I said in my first message: the documents lack any clear description of
the problem they are trying to address, any implicit assumptions about the
trust of the various elements, and the applicability of the protocol. That
should be part of the abstract and introduction, IMO.

Mike

v2.23.0 | Report a Bug | By Email