IETF Logo Mail Archive

Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Michael Thomas <mike@mtcc.com> Tue, 24 April 2012 16:27 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7E321F8650 for <oauth@ietfa.amsl.com>; Tue, 24 Apr 2012 09:27:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level:
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nfx3Ph55slOq for <oauth@ietfa.amsl.com>; Tue, 24 Apr 2012 09:27:54 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 5C68C21F864C for <oauth@ietf.org>; Tue, 24 Apr 2012 09:27:54 -0700 (PDT)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q3OGRpk5016090 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 24 Apr 2012 09:27:51 -0700
Message-ID: <4F96D487.1080501@mtcc.com>
Date: Tue, 24 Apr 2012 09:27:51 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Eran Hammer <eran@hueniverse.com>
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com> <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com> <4F96A99F.7010303@mtcc.com> <85556C53-99DD-47A2-A0D5-2F86DD2B668F@oracle.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FFC41C@P3PWEX2MB008.ex2.secureserver.net>
In-Reply-To: <0CBAEB56DDB3A140BA8E8C124C04ECA2FFC41C@P3PWEX2MB008.ex2.secureserver.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2429; t=1335284872; x=1336148872; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20Shepherd=20review=20of=20d raft-ietf-oauth-v2-threatmodel |Sender:=20 |To:=20Eran=20Hammer=20<eran@hueniverse.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=AiYfszAir0NTh1epeec48cApx3HoSwTgmOZzDv5Lsto=; b=tdDF+ZWBVCY1SKdlERL4Oe0eb2gTeN6PbjtJW7+9cOOUR4nveKimq55Z0R hKNNvsrzaofjGOH3+UF0qnMQz5SWwzJQQobSMcD0BySnQacJ10diAHCIS7SO M+JxgIxRCw4PuWP05fNMrmRgmixVkaO8QlhMQlkasvOb5IOzG3upU=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 16:27:55 -0000

I am sorry that you feel the need to resort to an ad hominem attack,
but my last call comment were not addressed in last call, and this
is the process Barry came up with dealing with them.

And it was hardly "unanimous" and you have no say in determining
consensus so stop presuming to do so.

Mike


On 04/24/2012 09:20 AM, Eran Hammer wrote:
> We've been kicking this can of silliness for months now because one person refuses to move on even in the face of otherwise unanimous consensus from the group.
>
> Chairs - Please take this ridiculous and never ending thread off list and resolve it once and for all.
>
> EH
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Phil Hunt
>> Sent: Tuesday, April 24, 2012 7:59 AM
>> To: Michael Thomas
>> Cc: Barry Leiba; oauth@ietf.org; oauth-bounces@ietf.org
>> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-
>> threatmodel
>>
>> Are we at this stage re-opening the entire document? I thought we were
>> responding only to specific shepherd text edits.
>>
>> Phil
>>
>> On 2012-04-24, at 6:24, Michael Thomas<mike@mtcc.com>  wrote:
>>
>>> On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
>>>> Hi Thomas
>>>>
>>>> Your additional text is already covered in a countermeasure for
>>>> section 4.1.4.  In addition, section 4.1.4.4 states the assumption
>>>> that the auth server can't protect against a user installing a
>>>> malicious client
>>>>
>>> The more I read this draft, the more borked I think its base
>>> assumptions are. The client *is* one of the main threats. Full stop. A
>>> threat document should not be asking the adversary to play nice. Yet,
>>> 4.1.4 bullets 1 and
>>> 3 are doing exactly that again. If those are countermeasures, then so
>>> is visualizing world peace.
>>>
>>> As for bullet two, it doesn't mention revocation, and I prefer Barry's
>>> section generally. I can't find a section 4.1.4.4
>>>
>>> Mike
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email