Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <mike@mtcc.com> Wed, 04 January 2012 23:58 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CCD911E80A2 for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 15:58:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rknKEtWecQjU for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 15:58:22 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 839E311E80B9 for <oauth@ietf.org>; Wed, 4 Jan 2012 15:58:22 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q04NwJD2010520 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 4 Jan 2012 15:58:19 -0800
Message-ID: <4F04E79B.1030604@mtcc.com>
Date: Wed, 04 Jan 2012 15:58:19 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: William Mills <wmills@yahoo-inc.com>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3010501@mtcc.com> <1325720576.43079.YahooMailNeo@web31816.mail.mud.yahoo.com>
In-Reply-To: <1325720576.43079.YahooMailNeo@web31816.mail.mud.yahoo.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3884; t=1325721500; x=1326585500; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20William=20Mills=20<wmills@yahoo-inc.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0; bh=RtQt8+LXLvWWVJCxm03UNsMuPyJSiNUrQARYApK8wYc=; b=rgWz86pRaOLdnGfr77fUayQnTYek6fqfc3bkcUCyYuxvhepYFJ0I2M1Nas auljZz02MbrppzY32hqPXQuBV42SK7V6oAFc5Dli4PbQ0NzAXXCasNv6Ph6f bqK440VdYIgaq7pVzvWbpeJKiuPuMisaqBWxIVCUQPgYpvEybvHTE=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 23:58:23 -0000

On 01/04/2012 03:42 PM, William Mills wrote:
> I think the threat draft should simply say, "OAuth does not and can not protect the user against credential compromise as a result of phishing, malware, social engineering, or machine compromise."

I could live with something like this, but I think it needs to be much more
explicit that it applies to any authentication service that allows native apps as clients
with no form of strong app vetting. It may even be useful to point to a couple of
large deployments who are at risk from this, like, oh say, twitterbook.

If this draft doesn't take a strong stand against that practice, it's doing nothing
more than giving a wink and a nod that what twitterbook is currently doing is safe.
That's bad, but I suspect it's the elephant in the room.

Mike

>
> Get rid of the fancy rhetoric, we don't need to explain a lot more than this.
>
> I don't agree that OAuth purports to solve these problems. What it solves is limiting the credentials granted to allow the user more control and limited damage in the event of credential misuse.
>
> -bill
>
> ------------------------------------------------------------------------
> *From:* Michael Thomas <mike@mtcc.com>
> *To:* Barry Leiba <barryleiba@computer.org>
> *Cc:* oauth WG <oauth@ietf.org>
> *Sent:* Wednesday, January 4, 2012 1:06 PM
> *Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
>
> On 01/04/2012 12:41 PM, Barry Leiba wrote:
> > up being a compromised browser or a native application that the user
> > perhaps unwisely installed, all the security in the framework goes out
>     ^^^^^^^^^
> > the window, because an untrustworthy UA can fiddle with pretty much
> > everything.
> >
>
> I think the "perhaps unwisely" goes to the heart of my objection. You
> might as well be talking about "perhaps unwisely" driving a car,
> or "perhaps unwisely" eating food: the reality is that people download
> apps by the *billions*.  When I was initially blown off, many of the
> participants including document editors implied that only idiots get
> apps for their phones. That is *completely* unhelpful as the reality
> is that OAUTH's use is hugely if not primarily deployed in that sort of
> environment.
>
> This is a threat that cuts to the very heart of what OAUTH is, and purports
> to defend against: keeping user credentials out of the hands of an
> untrusted third party. If there really aren't any good ways to mitigate this
> in an app environment, why is OAUTH being deployed so aggressively there?
> Shouldn't the threat draft say in blinking bold: "DEPLOYING OAUTH
> IN NATIVE APPS CONSIDERED HARMFUL"?
>
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>