Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Michael Thomas <mike@mtcc.com> Tue, 24 April 2012 17:37 UTC

Message-ID: <4F96E4C5.7070601@mtcc.com>
Date: Tue, 24 Apr 2012 10:37:09 -0700
From: Michael Thomas <mike@mtcc.com>
To: Phil Hunt <phil.hunt@oracle.com>
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com> <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com> <4F96A99F.7010303@mtcc.com> <85556C53-99DD-47A2-A0D5-2F86DD2B668F@oracle.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FFC41C@P3PWEX2MB008.ex2.secureserver.net> <580607FC-28EC-4BBA-8CBA-C63D2FA52C8E@oracle.com>
In-Reply-To: <580607FC-28EC-4BBA-8CBA-C63D2FA52C8E@oracle.com>
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

On 04/24/2012 10:26 AM, Phil Hunt wrote:
> Michael feels the premise for the document is "borked" because his comments are not included.  However, there are those of us that feel the document instead needs to be sharply edited back to focus even tighter on OAuth specific issues.

Actually, my last call comments were for two different things:

1) remove mitigation bullets that are either wrong, ineffective,
     or smarmy platitudes (cf 'borked').
2) make perfectly clear that embedded webviews and native clients
     which widely use oauth today do not protect users from rogue clients
     gaining access to their credentials. My bullet added to Barry's edits
     on this point was mainly to reinforce that authentication servers
     have a part to play too.

I would think you'd be happy for #1 :)

Mike