Re: [OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

Barry Leiba <barryleiba@computer.org> Sun, 08 July 2012 15:37 UTC

In-Reply-To: <EDC652A26FB23C4EB6384A4584434A0407CC334E@307622ANEX5.global.avaya.com>
References: <EDC652A26FB23C4EB6384A4584434A0407CC334E@307622ANEX5.global.avaya.com>
Date: Sun, 08 Jul 2012 11:37:25 -0400
Message-ID: <CALaySJ+0NCxXwBhfvF8-wQWcHBpYsYpYEUFbzUDJMsV+3qUiFQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
Cc: phil.hunt@yahoo.com, oauth@ietf.org, ops-dir@ietf.org
Subject: Re: [OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

> 1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
> 2.0 is not clear. In the Introduction we find:
>
>    This document gives additional security considerations for OAuth,
>    beyond those in the OAuth specification, based on a comprehensive
>    threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].
>
> (would be good to provide a referent for the 'OAuth specification' -
> probably RFC 5489)

It does have a citation, right there: [I-D.ietf-oauth-v2].  That is
the OAuth specification.  I suppose we could move the citation to be
after the word "specification", though no one else has been confused
by this.

> but then says the document
>
>       - Gives a comprehensive threat model for OAuth and describes the
>       respective counter measures to thwart those threats.
>
> So is the scope of the document the threats beyond what is described in
> OAuth 1.0, or all the threats?

It has nothing to do with OAuth 1.0, and I don't think it says that
anywhere.  It's OAuth 2.0, as noted in the citation.  It expands on
what's in the Security Considerations of the OAuth spec, and covers
threats that are not described there as well.  The OAuth spec has an
informative reference to this document.

> In either case, some additional text is needed to clarify the
> scope.
>
> 2. The countermeasures to threats described in Section 5 can be divided
> into several categories - user actions, operator actions, design
> measures. Operators are typically responsible for some of them, and may
> make recommendations to users on others. It would have been useful to
> mark these accordingly, or maybe to include in Section 5 a table that
> shows to which category/ies each measure belongs. For operators this
> would have eased detecting the specific actions and recommendations to
> users that concern them.

I'll leave this for the authors.

> 3. The OAuth and OAuth 2.0 documents need to be Normative References.
> One cannot understand this document without understanding OAuth.

By the first, I presume you're talking about RFC 5849, and this
document has nothing whatever to do with that, and makes no claim to.

For the other, you're right, and I missed this in my shepherd review.
The authors appear to have made the mistake of thinking that all
references from an Informational document are informative.  Authors,
have a look at the references and figure out which ones are central to
the understanding of this document.  Make those normative references.
At the least, [I-D.ietf-oauth-v2] should be normative.

Barry, document shepherd