Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

John Bradley <ve7jtb@ve7jtb.com> Mon, 06 March 2017 20:32 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <5BB041E0-86DB-4881-85AC-44F9DD2217B4@ve7jtb.com>
Date: Mon, 06 Mar 2017 17:32:29 -0300
In-Reply-To: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <b72bbbd0-b467-9b77-7432-19a177e8299a@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8VO564fI35plEuaM6TOp4iD6y_g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

You may want to note that RFC 6749 itself recommends against embedded user-agents for security reasons:

      An embedded user-agent poses a security challenge because resource
      owners are authenticating in an unidentified window without access
      to the visual protections found in most external user-agents.  An
      embedded user-agent educates end-users to trust unidentified
      requests for authentication (making phishing attacks easier to
      execute).

However, RFC 6749 did not explicitly mention that for third-party OAuth apps using an embedded user agent, the third party gets access to the password, defeating one of the main goals of OAuth: keeping the password/credential out of the hands of the client. This document makes that clearer.

John B.


> On Mar 6, 2017, at 1:00 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Here is the shepherd write-up:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
> 
> Feedback appreciated. I will also do another shepherd review.
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
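The point John raises above (an embedded user-agent puts the resource owner's password in the client's hands) is the reason a native app delegates authentication to an external user-agent and only receives the authorization code back. The following is an added example, not code from this thread or from the native apps document, of a native client doing exactly that: it builds the authorization request, opens it in the system browser rather than rendering a login page itself, and validates the redirect that comes back. The authorization endpoint, client id and loopback redirect URI are placeholders, and the PKCE and loopback-redirect details are assumptions taken from the native apps BCP, not from this message.

```python
"""Native-app authorization via an external user-agent (added example).

The app never renders the login form: the system browser does, so the
client cannot observe the password. All endpoint values are placeholders.
"""
import base64
import hashlib
import secrets
import webbrowser
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder registration values (assumed, not from the thread).
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "native-app-example"
REDIRECT_URI = "http://127.0.0.1:8080/callback"  # loopback redirect (assumed)


def code_challenge_for(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier stays in the app."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)


def build_authorization_url(state: str, code_challenge: str, scope: str = "openid") -> str:
    """Authorization request the app hands to the external user-agent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,              # binds the response to this request
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def start_authorization():
    """Open the request in the system browser; return what the app must remember."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    # External user-agent: the app only launches the URL, it does not host a webview.
    webbrowser.open(build_authorization_url(state, challenge))
    return state, verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the loopback listener and return the code.

    Raises ValueError on a wrong target, a state mismatch, an error response,
    or a missing/duplicated code. Only the code comes back; never a password.
    """
    parsed = urlparse(callback_url)
    # Loopback redirects may use any port, so compare scheme, host and path only.
    if (parsed.scheme, parsed.hostname, parsed.path) != ("http", "127.0.0.1", "/callback"):
        raise ValueError("redirect did not target the registered loopback URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not bound to this request")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    state, verifier = start_authorization()
    print("waiting for redirect with state", state)
```

`start_authorization` is the only step that touches the browser; everything the app needs to complete the flow later (the `state` and the PKCE verifier) is returned to the caller, and `parse_callback` is what the loopback listener runs on the URL it receives.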