Re: [OAUTH-WG] Username and Password flow: no captcha?

Dick Hardt <dick.hardt@gmail.com> Mon, 07 June 2010 18:40 UTC


Background: The username / password flow can be used to brute force attack a system to find valid credentials. A captcha is presented to slow the attack down -- similar to what happens when you log in with an invalid password on a webpage.

The captcha would be displayed by the app for the user to enter in if the AS thinks it is getting attacked from that IP or whatever. The captcha does not require a web browser -- it actually does make sense for most of the Facebook clients. 

The captcha was dropped because there were a number of aspects that had not been standardized, so it was decided to drop it from the core.


On 2010-06-07, at 11:30 AM, Luke Shepard wrote:

> The username/password flow is designed to work in a situation where there is no web browser available. At least at Facebook, none of our clients implement captcha - it doesn't really make sense in many contexts.
> 
> A provider is still welcome to offer a non-standard captcha support but it shouldn't be part of the core spec.
> 
> On Jun 7, 2010, at 8:40 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:
> 
>> In WRAP, there was a CAPTCHA in this profile, but I don't see it in the latest OAuth 2.0 draft.  Since I've already implemented the CAPTCHA stuff from WRAP, I'll leave it there if the OAuth 2.0 is likely to pick it up, or rip it out now if OAuth 2.0 decided it wasn't necessary.
>> 
>> Does anyone from the WG have something they can say on the subject?
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
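The mechanism Dick Hardt describes above, an authorization server that keeps serving the username/password flow but demands a captcha once it sees repeated failed attempts from one IP, sketched as an added Python example; this is not code from the thread, from WRAP or from any OAuth implementation, and the error names, parameter names, threshold and credential store are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo credential store (illustration only): username -> salted hash.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

CAPTCHA_THRESHOLD = 3  # failed attempts from one IP before a captcha is demanded


@dataclass
class AuthServer:
    failures: dict = field(default_factory=dict)  # ip -> count of failed attempts
    captchas: dict = field(default_factory=dict)  # captcha_id -> expected solution

    def _issue_captcha(self):
        # The solution stands in for the text a real captcha image would show.
        cid = secrets.token_hex(8)
        self.captchas[cid] = secrets.token_hex(3)
        return cid

    def token(self, ip, username, password, captcha_id=None, captcha_solution=None):
        """Password grant; returns (status, body) as an HTTP token endpoint would."""
        if self.failures.get(ip, 0) >= CAPTCHA_THRESHOLD:
            # Suspicious source: every further attempt, even with the right
            # password, must carry a fresh, single-use captcha solution.
            expected = self.captchas.pop(captcha_id, None)
            if expected is None or not hmac.compare_digest(expected, captcha_solution or ""):
                cid = self._issue_captcha()
                return 400, {"error": "captcha_required", "captcha_id": cid}
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(username, ""), digest):
            self.failures[ip] = self.failures.get(ip, 0) + 1
            return 400, {"error": "invalid_grant"}
        self.failures.pop(ip, None)  # success clears the counter for that IP
        return 200, {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}
```

Clients without a browser can still render the captcha themselves, which is the point made in the thread; a real server would also expire the counters and captchas over time.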