Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Mike Jones <> Sat, 20 February 2016 09:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 114981A86F6 for <>; Sat, 20 Feb 2016 01:52:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MxWpg5StWuJt for <>; Sat, 20 Feb 2016 01:52:47 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 687EE1A8034 for <>; Sat, 20 Feb 2016 01:52:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Bq5K1fQjdK2rS9HDSBO7yI3KixHRnlQb7zPaSBxqz+c=; b=GSfHSyWLM0APtowupyo2Dgt7eBhmgK8FqdkK0L/HrFU7JdmuOwGhnuplO3S7L0RTFX5BoiXj9Iw80lkrWs9mWTsytM9LXPsi9jDmvLwRyINopdXOi9IfcwC+RmMUh57A1F/3gCo/74FER8WmAtFNZPCByB5G7PYBpYyYoxWTaFk=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.409.15; Sat, 20 Feb 2016 09:52:43 +0000
Received: from ([]) by ([]) with mapi id 15.01.0409.017; Sat, 20 Feb 2016 09:52:43 +0000
From: Mike Jones <>
To: Hannes Tschofenig <>, William Denniss <>, "Phil Hunt (IDM)" <>
Thread-Topic: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
Date: Sat, 20 Feb 2016 09:52:43 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 6f6bf752-80ed-4b95-29b3-08d339db9454
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:5UwnXNy9v7aWJud+kJvj6cwVX2LEtcaIyRTCa64IPB84Q994KdRg45nzkv0sK6VyOFUpLPV2zkxOhdbl3xLBn5wtmDeE7lfZfbSRSJo/sOlXHVfrinES0aH/fiCzArjDGA2TdTq4u3tF4WVJpH2k+g==; 24:JjcwLtQnFF5lH2Fyv++5ONsnugnYGtw4vfFFTuvWHPsgQfPTGB8N73cSr71joZiBD7fNfxhapnViZPIt/zhrKuuE8la7mDbsYpk3SE9mFas=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0858FF8026
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(13464003)(479174004)(377454003)(5003600100002)(40100003)(3280700002)(1096002)(3846002)(10290500002)(586003)(4326007)(1220700001)(2950100001)(122556002)(92566002)(3660700001)(102836003)(2906002)(66066001)(54356999)(50986999)(77096005)(76176999)(93886004)(6116002)(2900100001)(8990500004)(86612001)(5008740100001)(5001960100002)(189998001)(19580395003)(5005710100001)(11100500001)(5004730100002)(10400500002)(99286002)(5002640100001)(19580405001)(33656002)(74316001)(86362001)(87936001)(5001770100001)(76576001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2016 09:52:43.6036 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 Feb 2016 09:52:50 -0000

We can and will bring more of the threat descriptions into the full document.  For what it's worth, in the initial versions we referenced the German researcher's threat descriptions but intentionally didn't try to repeat them in detail in the spec, so that people would read their research publications if they wanted to know more.  The researchers did the hard work to discover the problems and deserved credit for them.

Have you read both of their publications?  If not, do yourself a favor and do.  They're actually both very readable and quite informative.

				-- Mike

-----Original Message-----
From: OAuth [] On Behalf Of Hannes Tschofenig
Sent: Saturday, February 20, 2016 1:47 AM
To: William Denniss <>; Phil Hunt (IDM) <>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since the motivate the reason for doing the work but there is nothing in these publications that raises interoperability concerns.

I believe the solution documents need to be descriptive enough that they explain the threats so that a reader who does not read through the informative reference section still understands what's going on.

> For my own knowledge: what are some of the use-cases that are subject 
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist which 
> are mitigated by this draft?

This is something I criticized in my review as well. IMHO the documents could do a better job in describing the threats and particularly the assumptions that need to hold in order for the attacks to work. Without those it will be difficult to inform readers when this is a concern and what level of risk this represents.