Re: [OAUTH-WG] problem statement

Peter Saint-Andre <stpeter@stpeter.im> Wed, 07 September 2011 01:01 UTC

Message-ID: <4E66C2CE.5040101@stpeter.im>
Date: Tue, 06 Sep 2011 19:03:10 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Michael Thomas <mike@mtcc.com>, OAuth WG <oauth@ietf.org>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <4E66B964.2060808@stpeter.im> <4E66BBD7.1000703@mtcc.com>
In-Reply-To: <4E66BBD7.1000703@mtcc.com>
X-Enigmail-Version: 1.3.1
OpenPGP: url=https://stpeter.im/stpeter.asc
Subject: Re: [OAUTH-WG] problem statement

On 9/6/11 6:33 PM, Michael Thomas wrote:
> On 09/06/2011 05:23 PM, Peter Saint-Andre wrote:
>> On 9/6/11 4:22 PM, Melinda Shore wrote:
>>   
>>> On 09/06/2011 12:59 PM, John Kemp wrote:
>>>     
>>>> The point is that you have a point.
>>>>        
>>> He does, and that's in some large part why I don't
>>> fully understand the temperature of the responses.
>>> I do not think it's a particularly big deal to stick
>>> a couple of sentences in the security considerations
>>> underscoring the fact that OAUTH can't do anything
>>> about a compromised host or a malicious application.
>>> I've learned to live with the fact that sometimes
>>> people implementing or deploying security technologies
>>> don't fully understand them and it's my impression that
>>> there's some number of people out there who think that
>>> OAUTH and other third-party protocols provide sufficient
>>> protection against password snagging.
>>>      
>> I just looked at the most recent specifications for TLS (RFC 5246) and
>> secure shell (RFC 4253), which I think we'd all agree are two quite
>> successful security technologies. Neither of those specs says anything
>> about not protecting human users from malicious clients that perform
>> keylogging to capture security-critical data the user might enter. Not
>> only is OAuth "not a superhero" as John Kemp said, but I fail to see why
>> we need to document exactly which superhero powers OAuth lacks (given
>> that it's not reasonable to expect *any* security protocol to have those
>> powers). IMHO this is gilding the documentation lily.
>>    
> 
> That is because neither TLS nor SSH is trying to allow access
> but protect you from a third party that is not necessarily
> trustworthy. OAuth is. When Eve literally has access to
> the to-be-protected data in many cases, that's noteworthy.
> That is not the case for either TLS or SSH.

TLS and ssh are controlling access to things like my bank account and my
VPS. Those are less important than my Flickr photos?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/