Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Tue, 24 April 2012 08:17 UTC

In-Reply-To: <4F957EA7.3060004@mtcc.com>
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
Message-ID: <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Tue, 24 Apr 2012 09:17:24 +0100
Cc: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Hi Thomas

Your additional text is already covered in a countermeasure for section
4.1.4.  In addition, section 4.1.4.4 states the assumption that the auth
server can't protect against a user installing a malicious client.

Regards
Mark

oauth-bounces@ietf.org wrote on 23/04/2012 17:09:11:

> From: Michael Thomas <mike@mtcc.com>
> To: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>
> Date: 23/04/2012 17:09
> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
> Sent by: oauth-bounces@ietf.org
>
> [I accidentally sent just to Barry my take on his addition which I
> think is fine
> except for one thing addition...]
>
> Barry Leiba wrote:
> > You sent it just to me.  I think it's a reasonable addition, so please
> > send it to the distribution (which at the moment does not include the
> > OAuth list, just the
> > <draft-ietf-oauth-v2-threatmodel.all@tools.ietf.org> alias), and
> > suggest specific text to add.  I presume it would go in an new bullet
> > just before the last.
>
> The thing I think is missing here is that the Authorization Server has a
> stake in mitigating threats, and actually has a quite potent one: it can
> be selective with whom it enrolls, and can revoke bad actors.
>
> So let me try a bullet:
>
> o While end users are mostly incapable of properly vetting applications they
>   load onto their devices, those who deploy Authorization Servers have tools at
>   their disposal to mitigate malicious Clients. Namely, in order to become a threat
>   at all, a Client must first become a Client. A well run Authorization Server MAY
>   require a curation process when enrolling Clients, and SHOULD have processes to
>   revoke bad actors after enrollment.
>
> Mike
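The countermeasure Mike's bullet describes, sketched as an added example that is not code from the thread or the draft: a minimal client registry for an authorization server in which a new enrollment cannot obtain tokens until it passes a curation step, and revoking a client after enrollment also invalidates the tokens it already holds (otherwise a revoked client stays usable until its tokens expire). The class, state names and in-memory token table are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Hypothetical enrollment states; any real AS would persist these, not keep them in memory.
PENDING, APPROVED, REVOKED = "pending", "approved", "revoked"


@dataclass
class Client:
    client_id: str
    name: str
    status: str = PENDING  # every new enrollment starts unreviewed


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)    # client_id -> Client
    tokens: dict = field(default_factory=dict)     # access_token -> client_id
    audit_log: list = field(default_factory=list)  # (client_id, reason) on revocation

    def enroll(self, name: str) -> str:
        # Becoming a Client is the first step; it does not grant anything yet.
        client_id = secrets.token_urlsafe(8)
        self.clients[client_id] = Client(client_id, name)
        return client_id

    def approve(self, client_id: str) -> None:
        # Curation step: a review (human or automated) moves the client to APPROVED.
        self.clients[client_id].status = APPROVED

    def issue_token(self, client_id: str) -> str:
        # Only approved clients may obtain tokens; pending and revoked ones are refused.
        client = self.clients.get(client_id)
        if client is None or client.status != APPROVED:
            raise PermissionError("unauthorized_client")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = client_id
        return token

    def introspect(self, token: str) -> bool:
        # What a resource server asks before honouring a presented token.
        client_id = self.tokens.get(token)
        return client_id is not None and self.clients[client_id].status == APPROVED

    def revoke_client(self, client_id: str, reason: str) -> int:
        # Post-enrollment revocation: block new tokens and cascade to existing ones.
        self.clients[client_id].status = REVOKED
        dead = [t for t, cid in self.tokens.items() if cid == client_id]
        for t in dead:
            del self.tokens[t]
        self.audit_log.append((client_id, reason))
        return len(dead)  # number of live tokens invalidated
```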