Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Hannes Tschofenig <> Sat, 20 February 2016 10:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D7DB31A87DB for <>; Sat, 20 Feb 2016 02:24:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.606
X-Spam-Status: No, score=-2.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p7I5kxhcbIjl for <>; Sat, 20 Feb 2016 02:24:42 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A4AB91A88B4 for <>; Sat, 20 Feb 2016 02:24:41 -0800 (PST)
Received: from [] ([]) by (mrgmx001) with ESMTPSA (Nemesis) id 0MbfnB-1aGus63Y7Z-00J47l; Sat, 20 Feb 2016 11:24:32 +0100
To: Mike Jones <>, William Denniss <>, "Phil Hunt (IDM)" <>
References: <> <> <> <> <> <> <>
From: Hannes Tschofenig <>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <>
Date: Sat, 20 Feb 2016 11:24:42 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="60Ql5ENl6rgbX9tfT4S3ud2IKWwexUkMK"
X-Provags-ID: V03:K0:qVqJdmIUSBrbCSvFnj4JlqhMYKCeB/UfmC0fy+G6IxAUGudqH2l 6NhmH1v9zlLXo5pKnihIoSEU3/8s3s+FfLyhTrzJWVl3icgMwuQvQQLfbSpVhTp30DJ3WhC OQq7PqbZwg164z7JFhYSK+ov3bbSfIEzZbMkoXXOzj43+G81Id7wr03JIRoUht06e8qUBeD rGlAVbLCG40IZW/ZSbDQg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:WfoOBeHAA5I=:GcL75PQAwylT/AOHh0Ol+l h9bSUjMV0jA07j4Pfmr1guTei1iD/bqhyBWhsc/66sGP5lArK4cQVE9L9M8YZqeNscdHjTwnN 2mKFEle7zmaGdWUo85P4KDgDIumV1h0BCGQFceCbHPqvq1tLzOZrX2/bYe+FP0q+KvwlBnSuy 2CGHvogiqSruK6bApng6PlhVT4EodEu/sMlJjqBHlkeORJWz5arSTXXmD8huQGss37pBGeEQW n9AF0GfnNIZDtcS9YiCpU5cvRsIsJinKmv0bG+IgUsF1SG9hdC8hJ7DkJ29+6SwLMiFZmzwHU GKmL2vf/bHgoZY9yL3In5atoZ1gzUYtFXRWr2NltOQdXrxpm89/rzwr34NyJUbzfzL91O9HTx wwUcBO1zWbpk3WM+k0LuiMe2TvtzlBHNd6DryO0CnvKcCi5iBZ8MvBwt2Tf7f7ZNqLcOc9vOd flzuXLYiBeAJwQPh/P8aTQi/dDQAI5upBewdMWIYfMv97kOArw2PshfRcR6hPBcAEGj2600zV Vh0f5994FIXfPD+MHFqwNnddOpVtRAsc4QU47sVzPc5DJqksYtReALZgxoNul2grqpMToV9Bn mqkTUanFgw4b7kAmXGuxOrqCsFMXzn1OrbFHRLPXxKvWypDu7OqRh3vKowQniAaQm+yrvX3B6 AXqohGCzPf3cgRYhW+47OyHnB8NDjMoLnV+AOB44b4om245P/pg1dkM9RqXnzKAz1Hsp/gEiZ i8wvOKHMNHdwqOTv+Ky+Hky8SFLq9130CQ2z6aAm27xO3EGJCUOmeq6ajW8=
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 Feb 2016 10:24:44 -0000

Hi Mike,

On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications?  If not, do yourself a
> favor and do.  They're actually both very readable and quite
> informative.

I have read both documents. In context of this discussion the question
is whether we

(a) require them to be read (in which case they should be a normative
reference), or
(b) suggest them to be read (since they provide additional background
information). In this case they are an informative reference.

I believe believe we want (b) for the OAuth WG document. While I
encourage everyone to read the publications I also believe that there is
lots of material in there that goes beyond the information our audience
typically reads (such as the text about the formal analysis).

There is probably also a middle-ground where we either copy relevant
text from the papers into the draft or reference specific sections that
are "must-read".

One other issue: I actually thought that the threat that is outlined in
the research paper is sufficiently well described but the second threat,
which is called 'cut-and-paste attack', requires more work.
I noted this in my summary mail to the list, see