Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <mike@mtcc.com> Mon, 16 January 2012 16:04 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A608421F8694 for <oauth@ietfa.amsl.com>; Mon, 16 Jan 2012 08:04:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id defbmmnsiAzp for <oauth@ietfa.amsl.com>; Mon, 16 Jan 2012 08:04:00 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 261E421F8693 for <oauth@ietf.org>; Mon, 16 Jan 2012 08:04:00 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q0GG3sD2023635 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 16 Jan 2012 08:03:55 -0800
Message-ID: <4F144A6A.7010706@mtcc.com>
Date: Mon, 16 Jan 2012 08:03:54 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3 <90C41DD21FB7C64BB94121FBBC2E723453A72D09B9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <OF8B311AA2.ACF026F4-ON8025797C.00460040-8025797C.004D16DC <1325780942.63316.YahooMailNeo@web31809.mail.mud.yahoo.com> <OFF0355D8B.8B5DEE1F-ON8025797D.004D7295-80257987.004C40B9@ie.ibm.com>
In-Reply-To: <OFF0355D8B.8B5DEE1F-ON8025797D.004D7295-80257987.004C40B9@ie.ibm.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1743; t=1326729836; x=1327593836; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Mark=20Mcgloin=20<mark.mcgloin@ie.ibm.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=oJuHUQoaL7eOBctkiGgGypRMqsd9lDxPnsUV+J978U0=; b=snfQKuJBU9giFdWR/4u8zoSfWSxozDyxvGZKo2ec3lCt91cTM5j2x4nzoi zbhPfY48bL52M3s1g+D04pcKqi+kmKa2BoQhvxhXKjTtK5uIQ+Zmqcsf0d5g tPpzzbAWPPPPQzz1GLMpeQiAtwzGLkb4TXnPIrPe4AlcgUGeHToxY=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2012 16:04:00 -0000

On 01/16/2012 05:52 AM, Mark Mcgloin wrote:
> Countermeasures:

First off the title: it says Countermeasures. Therefore, anything here
must be a real and meaningful "countermeasure".

>
> 1. The OAuth flow is designed so that client applications never need to
> know user passwords. Client applications SHOULD avoid directly asking users
> for the their credentials.

This is not a countermeasure. It is a request that bad guys be good.

Strike it entirely.

> In addition, end users could be educated about
> phishing attacks and best practices, such as only accessing trusted
> clients, as OAuth does not provide any protection against malicious
> applications and the end user is solely responsible for the trustworthiness
> of any native application installed

This is not a credible countermeasure. End users know nothing
about this, and I'd venture to say that includes you and me too.

Strike it entirely.

> 2. Client applications could be validated prior to publication in an
> application market for users to access. That validation is out of scope for
> OAuth but could include validating that the client application handles user
> authentication in an appropriate way

This may be a valid countermeasure, but there needs to be some
reason to believe that it is not just a hope and a prayer put here
just to feel good.

If it cannot be substantiated, strike it entirely.

> 3. Client developers should not write client applications that collect
> authentication information directly from users and should instead delegate
> this task to a trusted system component, e.g. the system-browser.

This is not a valid countermeasure. It expects bad guys to be good.

Strike it entirely.

Mike