Re: [OAUTH-WG] New Version Notification for draft-sakimura-oauth-tcse-02.txt

Phil Hunt <phil.hunt@oracle.com> Thu, 24 October 2013 22:29 UTC

From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 24 Oct 2013 15:29:01 -0700
To: Nat Sakimura <sakimura@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-sakimura-oauth-tcse-02.txt

Nat/Naveen,

I must confess I keep going back and forth on this issue.

Clearly this draft is a fix for the issue of:

1.  Real app initiates authorize request
2. 'bad' app intercepts grant because it has taken over the access token.

But while I agree this is a problem, what's to stop the 'bad' app from doing 1 and 2?  As they say, all bets are off.  I can register "Facebook Blue" and make it look like the next generation Facebook app.

Even if we could prove that an app is legit by some cryptographic means, we are still limited by Mobile App store vendors, and how well they curate apps, and what they do to make sure only legit apps can run.

Naveen, you mentioned at IIW, we really have to depend more on the user authorization of the app.  Can you comment here?

I think the draft is correct. It fixes the problem it describes.  But does it matter?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-10-19, at 3:15 AM, Nat Sakimura <sakimura@gmail.com> wrote:

> Incorporated the discussion at Berlin meeting and after in the ML. 
> 
> Best, 
> 
> Nat
> 
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: 2013/10/19
> Subject: New Version Notification for draft-sakimura-oauth-tcse-02.txt
> To: Nat Sakimura <sakimura@gmail.com>, John Bradley <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>
> 
> 
> 
> A new version of I-D, draft-sakimura-oauth-tcse-02.txt
> has been successfully submitted by Nat Sakimura and posted to the
> IETF repository.
> 
> Filename:        draft-sakimura-oauth-tcse
> Revision:        02
> Title:           OAuth Symmetric Proof of Posession for Code Extension
> Creation date:   2013-10-19
> Group:           Individual Submission
> Number of pages: 8
> URL:             http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-02.txt
> Status:          http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
> Htmlized:        http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02
> Diff:            http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-02
> 
> Abstract:
>    The OAuth 2.0 public client utilizing authorization code grant is
>    susceptible to the code interception attack.  This specification
>    describes a mechanism that acts as a control against this threat.
> 
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en