Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01
Justin Richer <jricher@mitre.org> Tue, 24 January 2012 13:58 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6351321F852D for <oauth@ietfa.amsl.com>; Tue, 24 Jan 2012 05:58:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SHpMJDHNRpJ for <oauth@ietfa.amsl.com>; Tue, 24 Jan 2012 05:58:24 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C9AC621F8523 for <oauth@ietf.org>; Tue, 24 Jan 2012 05:58:24 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 6B3A721B0470 for <oauth@ietf.org>; Tue, 24 Jan 2012 08:58:24 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 5ED9B21B0453 for <oauth@ietf.org>; Tue, 24 Jan 2012 08:58:24 -0500 (EST)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.1.339.1; Tue, 24 Jan 2012 08:58:23 -0500
Message-ID: <4F1EB8C1.1020300@mitre.org>
Date: Tue, 24 Jan 2012 08:57:21 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20111229 Thunderbird/9.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <6.2.5.6.2.20120123134319.0a76c338@resistor.net> <4F1DF8AE.8000009@mtcc.com>
In-Reply-To: <4F1DF8AE.8000009@mtcc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.51]
Subject: Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 13:58:25 -0000
Keep in mind that a major purpose of this document is to encourage best practices by well-meaning developers. We want to make it clear for people who want to do the right thing what the right thing to do is. No document in the world will make ill-meaning developers do the right thing. -- Justin On 01/23/2012 07:17 PM, Michael Thomas wrote: > On 01/23/2012 01:47 PM, S Moonesamy wrote: >> >> Minor Issues: >> >> 4.4.1.4 2nd bullet. The explanation of why this wouldn't work for >> native clients wasn't comprehensible to me. I'm suspicious of any >> such claims because I can emulate most things a browser can do in a >> mobile client. Perhaps this would be obvious to someone who is an >> OAuth2 implementor. > > Actually I'd say that it is *not* obvious because I joined the working > group mailing list as an oauth deployer who had precisely questions > along these lines expecting that I was *wrong* in worrying about this > attack. > > I'd also say in this section and others like it dealing with native apps > that saying: > > " Assumption: It is not the task of the authorization server to > protect the end-user's > device from malicious software" > > Is wrong headed. It's not the authorization server's task to protect > the end user, > but the authorization server *surely* has an interest in protecting > *itself* from > rogue clients. An attack by a malicious client is an attack against > the end user > *and* the authorization server. > >> >> 4.4.1.9 I think where it says "iFrame" it might mean "WebView", i.e. a >> Web Browser control embedded in the native app. If that's not what it >> means, I don't understand what it's saying. If this is true, then the >> second bullet point is probably wrong. > > I agree, and don't think the first bullet makes any sense either: > > "Native applications SHOULD use external browsers instead of > embedding browsers in an iFrame when requesting end-user > authorization" > > Who exactly is the attacker here? If it's the native app itself, then > this isn't a countermeasure at all because the rogue client will ignore > this SHOULD. If it's not the native app, then what is the an external > browser doing that an embedded browser cannot? > > I don't understand the third bullet in this one either, but if only works > in older browsers it's probably not worth mentioning. > > > Mike > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] [apps-discuss] Apps Area review of dra… S Moonesamy
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Michael Thomas
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Justin Richer
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Michael Thomas
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… John Bradley
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… André DeMarre
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Igor Faynberg
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Peter Wolanin
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Mark Mcgloin