Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
Mark Mcgloin <mark.mcgloin@ie.ibm.com> Tue, 24 April 2012 08:17 UTC
In-Reply-To: <4F957EA7.3060004@mtcc.com>
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
Message-ID: <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Tue, 24 Apr 2012 09:17:24 +0100
Cc: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
Hi Thomas

Your additional text is already covered in a countermeasure for section
4.1.4. In addition, section 4.1.4.4 states the assumption that the auth
server can't protect against a user installing a malicious client.

Regards
Mark

oauth-bounces@ietf.org wrote on 23/04/2012 17:09:11:

> From: Michael Thomas <mike@mtcc.com>
> To: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>
> Date: 23/04/2012 17:09
> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
> Sent by: oauth-bounces@ietf.org
>
> [I accidentally sent just to Barry my take on his addition which I
> think is fine except for one thing addition...]
>
> Barry Leiba wrote:
> > You sent it just to me. I think it's a reasonable addition, so please
> > send it to the distribution (which at the moment does not include the
> > OAuth list, just the
> > <draft-ietf-oauth-v2-threatmodel.all@tools.ietf.org> alias), and
> > suggest specific text to add. I presume it would go in a new bullet
> > just before the last.
>
> The thing I think is missing here is that the Authorization Server has a
> stake in mitigating threats, and actually has a quite potent one: it can
> be selective with whom it enrolls, and can revoke bad actors.
>
> So let me try a bullet:
>
> o While end users are mostly incapable of properly vetting applications
> they load onto their devices, those who deploy Authorization Servers
> have tools at their disposal to mitigate malicious Clients. Namely, in
> order to become a threat at all, a Client must first become a Client.
> A well-run Authorization Server MAY require a curation process when
> enrolling Clients, and SHOULD have processes to revoke bad actors after
> enrollment.
>
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
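The countermeasure proposed in the quoted bullet (a curation step at client enrollment plus the ability to revoke a client afterwards) is easy to state and easy to half-implement. The following is an added example, not code from this thread or from the threat-model draft: a toy authorization server whose token endpoint only serves clients that have passed vetting, and whose introspection endpoint re-checks the client's status so that revocation also kills tokens that were issued before the revocation. All names here (AuthorizationServer, ClientStatus, issue_token, introspect) are this example's own, and the secret handling is a simplified illustration rather than any standard's registration protocol.

```python
"""Toy OAuth authorization server showing client curation and revocation.

Added example (not from the thread or the draft). The point it makes beyond
the prose: revoking a client must affect both new token issuance AND tokens
already in circulation, so the client's status is consulted on introspection
as well as at the token endpoint.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum


class ClientStatus(Enum):
    PENDING = "pending"     # enrolled but not yet vetted: may not obtain tokens
    APPROVED = "approved"   # passed the curation process
    REVOKED = "revoked"     # identified as a bad actor after enrollment


def _hash_secret(secret: str) -> str:
    # Store only a digest of the client secret so a leaked registry does not
    # hand out directly usable client credentials.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Client:
    client_id: str
    secret_hash: str
    status: ClientStatus = ClientStatus.PENDING


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)   # client_id -> Client
    tokens: dict = field(default_factory=dict)    # token -> (client_id, expires_at)
    token_lifetime: int = 3600                    # seconds; assumed value

    def enroll(self, client_id: str) -> str:
        """Register a client in PENDING state and return its one-time secret.
        Enrollment alone grants nothing; a human or automated vetting step
        must call approve() before the client can obtain tokens."""
        if client_id in self.clients:
            raise ValueError("client already enrolled")
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = Client(client_id, _hash_secret(secret))
        return secret

    def approve(self, client_id: str) -> None:
        self.clients[client_id].status = ClientStatus.APPROVED

    def revoke(self, client_id: str) -> None:
        """Mark a client as a bad actor. Because status is checked on every
        issuance and introspection, already-issued tokens die with it."""
        self.clients[client_id].status = ClientStatus.REVOKED

    def issue_token(self, client_id: str, client_secret: str, now=None):
        """Token endpoint: authenticate the client, then refuse anything that
        is not an APPROVED client. Returns the token string or None."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None:
            return None
        # Constant-time comparison of digests avoids a timing oracle on the secret.
        if not hmac.compare_digest(client.secret_hash, _hash_secret(client_secret)):
            return None
        if client.status is not ClientStatus.APPROVED:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, now + self.token_lifetime)
        return token

    def introspect(self, token: str, now=None) -> bool:
        """Resource servers ask here before honouring a token. A token is
        active only if it is unexpired AND its client is still APPROVED."""
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None:
            return False
        client_id, expires_at = entry
        if now >= expires_at:
            return False
        client = self.clients.get(client_id)
        return client is not None and client.status is ClientStatus.APPROVED
```

The walk-through a practitioner should try: enroll a client and confirm it gets no token while PENDING, approve it and obtain a token, then revoke it and confirm both that new issuance fails and that the earlier token now introspects as inactive. A design that only checks status at the token endpoint passes the first two checks and fails the last one, which is exactly the gap the "processes to revoke bad actors after enrollment" wording leaves open.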