Re: [OAUTH-WG] comments on draft-hammer-oauth-03
Peter Saint-Andre <stpeter@stpeter.im> Thu, 19 November 2009 23:49 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C02928C0DB for <oauth@core3.amsl.com>; Thu, 19 Nov 2009 15:49:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lwq5pDnBYNYU for <oauth@core3.amsl.com>; Thu, 19 Nov 2009 15:49:02 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 2407328C0D7 for <oauth@ietf.org>; Thu, 19 Nov 2009 15:49:02 -0800 (PST)
Received: from squire.local (ip-216-17-182-30.rev.frii.com [216.17.182.30]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id EC41740D13; Thu, 19 Nov 2009 16:48:58 -0700 (MST)
Message-ID: <4B05D52F.1070303@stpeter.im>
Date: Thu, 19 Nov 2009 16:30:55 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4AF8943E.4050802@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E72343785103101@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B0467F4.6060702@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E723437851824C8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437851824C8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 0.96.0
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms010409040304050004080609"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] comments on draft-hammer-oauth-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 23:49:03 -0000
On 11/18/09 4:03 PM, Eran Hammer-Lahav wrote: > >> -----Original Message----- From: Peter Saint-Andre >> [mailto:stpeter@stpeter.im] Sent: Wednesday, November 18, 2009 1:33 >> PM > >>>> 12. In Section 3.6, we say that "Text values are first encoded >>>> as UTF- 8" but it's not fully clear to me which values this >>>> applies to or exactly where in the protocol the encoding rules >>>> are applied. >>> I added an introduction to the section. This has always been a >>> sore point and underspecified. I am happy to consider >>> clarifications. >> Now it's clear that these rules apply to the signature base string. >> I think that it would be even clearer as follows: >> >> This specification defines the following method for percent- >> encoding of parameter values that are used as input to construction >> of the signature base string: >> >> (I say this because it's not 100% clear which strings are meant in >> the current text -- i.e., does the method apply only to the values >> in the name/value pairs?) > > I'll take a look. The problem is we "accidently" applied the encoding > method to the authorization header... This means this specific way of > encoding leaked out of the signature base string scope. This makes it > a bit hard to be so specific about its context. I can try to be more > specific by saying it is for the SBS and header, but does not apply > to parameter encoding in the query or body... Not sure how much that > will help though. That's not a disaster, I just thought it would be good to clarify the context to forestall confusion. But I don't know if this is a source of confusion at present. >>>> 13. In Section 4, I think that a brief flow diagram would be >>>> helpful to illustrate the authorization process (e.g., this >>>> would provide context for why the client obtains a set of >>>> temporary credentials, which might not otherwise be obivous to >>>> first-time readers of Section 4.1). >>> I am going to dig Jeff's diagrams and see if I can make them work >>> for this. >> OK. > > Still on my list pending more items. IMHO this is nice but not necessary. Perhaps it's an item for the WG items and not the informational spec. >>>> 14. In Section 4.2 (or in a security consideration pointed to >>>> from Section 4.2), it might be helpful to describe why >>>> oauth_callback is important and the nature of the session >>>> fixation attach that it helps to prevent. >>> If someone wants to offer text, I am happy to consider. I don't >>> write security text. >> Perhaps we could borrow and adjust some text from your blog post at >> >> http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation- >> attack/ :) > > Go for it... :-) It is one thing for me to write blog posts (with the > review of Brian and Dirk), but another to write it for the spec. I'll see what I can come up with. >>>> 15. In Section 6.8, I think there is a non-sequitur. Just >>>> because a client is a freely available desktop application does >>>> not mean that an attacker will be able to recover the client >>>> credentials. Perhaps one step in the chain of reasoning is not >>>> spelled out here? >>>> >>> If you have access to the client bits, you can reverse engineer >>> it to get the secret. See DVD encryption key... >> Again, I must be missing something. Just because I use Thunderbird >> or Pidgin or some other free software doesn't mean you can hack >> into my email or IM password. How is the case any different here? > > No no. *You* can hack those applications and find their client > credentials (not token credentials). Yes, I figured that out now. :) Peter -- Peter Saint-Andre https://stpeter.im/
- [OAUTH-WG] comments on draft-hammer-oauth-03 Peter Saint-Andre
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Moore, Jonathan (CIM)
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Eran Hammer-Lahav
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Eran Hammer-Lahav
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Peter Saint-Andre
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Ethan Jewett
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Peter Saint-Andre
- Re: [OAUTH-WG] comments on draft-hammer-oauth-03 Peter Saint-Andre