IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 05 January 2012 00:05 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D901711E80D7 for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 16:05:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kuGWNAoKxp2T for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 16:05:21 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 5F84D11E80D6 for <oauth@ietf.org>; Wed, 4 Jan 2012 16:05:21 -0800 (PST)
Received: (qmail 21495 invoked from network); 5 Jan 2012 00:05:15 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 5 Jan 2012 00:05:15 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Wed, 4 Jan 2012 17:05:14 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Michael Thomas <mike@mtcc.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Wed, 04 Jan 2012 17:05:04 -0700
Thread-Topic: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
Thread-Index: AczLOj5/vFTqXYWhQJWpkTNRCwYjxwAAdI6Q
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453A72D09B9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3010501@mtcc.com> <4F04CF60.1050000@lodderstedt.net> <4F04E362.5070406@mtcc.com>
In-Reply-To: <4F04E362.5070406@mtcc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 00:05:22 -0000

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Michael Thomas
> Sent: Wednesday, January 04, 2012 3:40 PM

> My concern is that putting on a veneer of "security" will lull people into
> thinking "Oh, it's safe to enter my credentials here because this is really
> twitterbook, not evilapp!". When I had to ask them directly to put their
> twitterbook credentials into my app, there at least wasn't any confusion that
> I had access to them.

This is ridiculous (e.g. the fact we are still discussing this).

First, end users know nothing about security or OAuth. Second, evil apps can create this veneer of security by faking a redirection flow with or without OAuth. Suggesting that OAuth (which is a de-facto web pattern for over a decade) makes anything worse is patently false.

The only thing we can possibly add to the threat model document is to mention that "OAuth does not provide any protection against malicious applications and that the end user is solely responsible for the trustworthiness of any native application installed". That is accurate (and completely obvious to the target audience of this document). It is not very helpful but if it will make you feel better (since no one else here seems to share your concerns), I have no objection to such one line added.

And again, to highlight the absurdity of your security claim, it is equally important to warn developers in earthquake-prone countries to put enough distance between the Approve and Deny buttons so that the user will not accidentally hit Approve during a tremor.

EHL

v2.23.0 | Report a Bug | By Email