Re: [OAUTH-WG] problem statement

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 07 September 2011 01:23 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Michael Thomas <mike@mtcc.com>
Date: Tue, 06 Sep 2011 18:24:46 -0700
Message-ID: <BE965137-7EC9-4F92-945C-AD39066211E5@hueniverse.com>
In-Reply-To: <4E66C521.5070804@mtcc.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

You clearly feel strongly about this. The only way forward if you want to pursue this is to suggest text and show how providing it will lead to more secure implementations. Otherwise this is just going in circles. 

EHL

On Sep 6, 2011, at 18:13, "Michael Thomas" <mike@mtcc.com> wrote:

> On 09/06/2011 06:08 PM, Peter Saint-Andre wrote:
>> Put me in the "may not have been avoided" camp. We can't legislate
>> common sense (which, sadly, is all too uncommon).
>> 
> 
> Can somebody show me in the archives where this has been
> discussed before? Specifically about oauth clients that also
> have control of the web UA?
> 
> In any case, you cite this as common sense. It's not. You are
> close to the problem. Nobody else is.
> 
> Mike