Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 11 June 2015 19:02 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 301591B2CC5; Thu, 11 Jun 2015 12:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qlp2nfkqFxA3; Thu, 11 Jun 2015 12:02:16 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55CD81A92E0; Thu, 11 Jun 2015 12:02:16 -0700 (PDT)
Received: from [192.168.10.236] ([12.217.69.145]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MLelb-1Z3Oac2swl-000qCR; Thu, 11 Jun 2015 21:02:14 +0200
Message-ID: <5579DB31.30807@gmx.net>
Date: Thu, 11 Jun 2015 21:02:09 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
References: <20150611184955.1618.38149.idtracker@ietfa.amsl.com>
In-Reply-To: <20150611184955.1618.38149.idtracker@ietfa.amsl.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="6lgMwev9DpRlpuxlk78KL3IffbuoEHirT"
X-Provags-ID: V03:K0:+cIY2HC75Jz1cN9yuzd9XG8IN7N+VdGsjOgo73f6clK3Ri0CrqS cPZZQUu4R4jxGMG4nsECwxbU1JT8m/sYNmzqWQpM7ZZ11ipoEHulwSUFoeu2hsaM3O+cjMC XGx2dpO8UiWNwYBvXJwD/DULRLSfIdhBihRBH9puH5yAIVhFsC1aj9A8gPKNE8Ah4XGt6aI SsgpA5/2alV/80OrXGLFg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:QPZOrztC67Q=:CIxqh01ixSM+FKd43VNEvg zBIQfK2MX9lpLflQzpQtOIQ070dkTyHN7p8GogTP0oaCewVfWNNjREytLF8OApj66w8Z3yi+U pWIReZ6qCK4bcqU/Z0nkBV0VETCd9tdC7QTeR7tnax3ozyiB8maUxZw3pdDrNPnB3U7i+wNFf xOQVd/zpPj4wDv83AiB9p41irTcSjBdDSy0s24r/P7bGPh62bM0Jpg3OWTtwEAfy08mtKaUXx 5xLA+ik0pFxpIH9ZQhYtPSbzCJIOrPQ0ZctgE3sy9QsSTKuShFHoHl+W8wgRCjeZ99wP47m1m fuGKu9JK5HHM6E4aN/ILx1Ix0SwMVuxmtbtynQfGl0IRMR6rBWwNnnbOW9u1C7zs2K5uTvE6k qfxoym+97rv9qb5C35wbA3AHo3gaLozmluLUQcKFBUxjewF77IsBFCznlVCawbPdSqRUi4jXA zU2LyXpLz3fk+EDu9Ikoa460pG6WPXzG75yplKj1hKtcs4FlChMiphSetNKmiYko0xkXpylFx gmFsXJrXexhtMBIUg/qMA0cZa0yAtNonF8pNm0xGVEy3BtYuVhCgDKFM0SrD5gGsg7dl7BYoz QXcuiGAOWrIynRD/nn3OwMjElNnP8FvEo3ONvUwfRgZIbtVLHCDT3G/A/BUgZKTcxvFbn5per z9tqbtNK4J4/rb6yzCrwUds4kyo24gamEMKgCPrnqqUU9jA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8mkgyiqzjCk3l_VTrRW30pV8taE>
Cc: draft-ietf-oauth-spop.ad@ietf.org, draft-ietf-oauth-spop.shepherd@ietf.org, oauth@ietf.org, draft-ietf-oauth-spop@ietf.org, oauth-chairs@ietf.org
Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2015 19:02:18 -0000

Hi Barry,

let me explain this pre-condition a bit more since I wrote the text:

On 06/11/2015 08:49 PM, Barry Leiba wrote:
> *** IMPORTANT *** I am still puzzled by this, in pre-condition (4), which
> seems to contradict what John said and what I proposed above:
> 
>    4) The attacker (via the installed app) is able to observe responses
>       from the authorization endpoint.  As a more sophisticated attack
>       scenario the attacker is also able to observe requests (in
>       addition to responses) to the authorization endpoint.

With the attack that occurred in the wild the main issue was that an
attacker exploits the feature of smart phone OSs to register multiple
apps using the same custom URI scheme.

In this model the adversary will see response messages. However, it is
possible for an attacker to also compromise the smart phone OS in such a
way that he/she is also able to see the request as well as the
responses. In such a "more sophisticated attack" the proposed mechanism
does not help.

Does this additional description help?

Ciao
Hannes