IETF Logo Mail Archive

[OAUTH-WG] comments on draft-hammer-oauth-03

Peter Saint-Andre <stpeter@stpeter.im> Mon, 09 November 2009 22:14 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E968E3A6991 for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 14:14:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level:
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Es5j0O0lyXs for <oauth@core3.amsl.com>; Mon, 9 Nov 2009 14:13:58 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 082DB3A6968 for <oauth@ietf.org>; Mon, 9 Nov 2009 14:13:58 -0800 (PST)
Received: from host-113-169.meeting.ietf.org (64-104-46-217.cisco.com [64.104.46.217]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 25EF340D09 for <oauth@ietf.org>; Mon, 9 Nov 2009 15:14:23 -0700 (MST)
Message-ID: <4AF8943E.4050802@stpeter.im>
Date: Tue, 10 Nov 2009 07:14:22 +0900
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] comments on draft-hammer-oauth-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 22:14:02 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<hat type='individual'/>

On the flight to Japan for IETF 76, I finally got a chance to finish
reviewing draft-hammer-oauth-03, the informational documentation of
what's known as "OAUth Core 1.0 Revision A" in the community. Many of my
comments are purely editorial, so I will send those directly to the
document editor. Here are a few slightly more substantive issues...

1. I think it would be very helpful to provide a bit more context in the
Introduction. Say, two or three sentences about the provenance of this
technology, the community that developed it, and a link to oauth.net
(along with something like the final paragraph of the current
Introduction). Something like this:

  The OAuth protocol was originally created by a loose group of
  technologists from a variety of websites and other Internet
  services, who wanted to solve the common problem of enabling
  delegated access to protected resources.  The resulting OAuth
  protocol was stabilized at version 1.0 in October 2007 and
  published at the oauth.net website.  This specification provides
  informational documentation of OAuth Core 1.0 Revision A as
  finalized in June 2009, incorporating several errata reported
  since that time as well as numerous editorial clarifications.
  It is not an item of the IETF's OAuth Working Group, which at
  the time of writing is working on an OAuth version that can be
  appropriate for publication on the standards track.

2. In the Terminology section, I think it might be helpful to provide
pointers to the old terminology, as in:

  "(In the community edition, a client was called a consumer.)"

We might also want to point to RFC 4949 regarding terminology and check
that our usage of key terms like "authorization" is consistent with that
document.

3. Before jumping right into authenticated requests in section 3, I
think it would be helpful to provide a bit more context about the
overall protocol flow (similar to Section 6 of the community edition).

4. In Section 3.1, we might want to say explicitly which parameters are
required and which are not. For example, "Protocol parameters MUST NOT
appear more than once per request. The following parameters are REQUIRED
unless otherwise noted." Then say that, for example, oauth_version is
RECOMMENDED instead of REQUIRED (or whatever).

5. In Section 3.2, it's not completely clear that the timestamp value
must be numerical instead of, say, in ISO 8601 format. It's also not
clear how the server would specify that the timestamp is something other
than "the number of seconds since January 1, 1970 00:00:00 GMT".

6. In Section 3.2, let's explicitly say that methods that enable the
client to sync its clock with the server's clock are out of scope for OAuth.

7. In Section 3.3, let's refer to the Security Considerations from the
paragraph about not mandating a particular signature method (since
that's where we talk about the properties of various methods).

8. In Section 3.3.1.1, we might want to be more explicit about which
parameters are included in the "specific set of request parameters" (see
recent discussion on the community list).

9. In Section 3.3.1.1 second bullet point, we say "The HTTP request
entity-body, but only if..." -- does this mean that all of the three
listed conditions need to be met, or any one of the conditions?

10. In Section 3.3.1.1, the sentence

    The "oauth_signature" parameter MUST be excluded if present.

might be taken to imply that all other oauth_* parameters MUST be
included (if found in the request). Let's be explicit about that.

11. In Section 3.3.4, we say that PLAINTEXT method SHOULD be used with
SSL/TLS. Does that deserve to be a MUST? At least it might be worth a
mention in the Security Considerations.

12. In Section 3.6, we say that "Text values are first encoded as UTF-8"
but it's not fully clear to me which values this applies to or exactly
where in the protocol the encoding rules are applied.

13. In Section 4, I think that a brief flow diagram would be helpful to
illustrate the authorization process (e.g., this would provide context
for why the client obtains a set of temporary credentials, which might
not otherwise be obivous to first-time readers of Section 4.1).

14. In Section 4.2 (or in a security consideration pointed to from
Section 4.2), it might be helpful to describe why oauth_callback is
important and the nature of the session fixation attach that it helps to
prevent.

15. In Section 6.8, I think there is a non-sequitur. Just because a
client is a freely available desktop application does not mean that an
attacker will be able to recover the client credentials. Perhaps one
step in the chain of reasoning is not spelled out here?

16. Section 6.15 says:

    Clients should prevent CSRF attacks on OAuth callback URIs
    by verifying that the resource owner at the client site intended to
    complete the OAuth negotiation with the server.

No guidance is provided on how the client might be able to do so. Saying
that "methods for doing so are out of scope for this specification" is
probably acceptable.

17. In Appendix A.1 the phrase "HTTPS POST" is used, but I think that's
more accurately an HTTP POST to an SSL-protected host.

Overall the spec looks very good, and IMHO is a big improvement over the
community edition!

Peter

- --
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr4lD0ACgkQNL8k5A2w/vzkJwCfeOy6ZH1u8La20llLhgksyb4T
mOYAoPrGjaVIL9w801IuguP3161i2X0/
=tN+p
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email