Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

Barry Leiba <> Thu, 18 August 2011 17:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A5A5911E80B3 for <>; Thu, 18 Aug 2011 10:47:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.037
X-Spam-Status: No, score=-103.037 tagged_above=-999 required=5 tests=[AWL=-0.060, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9NItetA338OB for <>; Thu, 18 Aug 2011 10:47:22 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4BA4711E80C0 for <>; Thu, 18 Aug 2011 10:47:20 -0700 (PDT)
Received: by ywm21 with SMTP id 21so1759171ywm.31 for <>; Thu, 18 Aug 2011 10:48:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=Ce+qKmVjGRRIZTVrOUjfb3mdOnC1U7wUdwg+052lQqc=; b=UVj9TUOLUh2niTZQq3vuVJ3aBW385PgdcSdIIC7xe9JOLEp5Vy1jIsobC2Vty90wFM WeYJI0oetImIDV9DELZhPg6bK83UPFodU69fj0VlnGTZe0N8R7DuI6OBBccmlSUbhNBW ek/Wg/u5dmnPES+f88aOA9eCNxJnKNNwKul5g=
MIME-Version: 1.0
Received: by with SMTP id g22mr1067537yaa.34.1313689693536; Thu, 18 Aug 2011 10:48:13 -0700 (PDT)
Received: by with HTTP; Thu, 18 Aug 2011 10:48:13 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345029DFAA5B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <90C41DD21FB7C64BB94121FBBC2E72345029DFA960@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA22@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E72345029DFAA5B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 18 Aug 2011 13:48:13 -0400
X-Google-Sender-Auth: 2fo8N5_6x9xN-Lx_xXcIrMnkAP4
Message-ID: <>
From: Barry Leiba <>
To: "" <>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Aug 2011 17:47:22 -0000

>> Yes, the example I provided is a very lightweight one which does take the
>> form of CSRF, but it is only the simplest example of a family of automated
>> authorization flow attacks. Indeed, a nonce (or hidden token, both serve the
>> same purpose in this case) would be enough here.
> Great. So we need to add explicit text about preventing CSRF attacks at the
> authorization endpoint.

General comment, not for this issue alone (and not specifically to the
folks conversing here):

There are a great many things we can say about threats and attacks,
which is why we have the threats document by Torsten, et al.  I'm
generally in favour of putting more security considerations into the
base document to describe threats that implementors need to be
concerned about, and well-crafted text that the editors can drop in is
a good thing.

That said, the reason we decided to put "highlights" into the base
doc's Security Considerations section, and then refer to the larger
document for more details and a more complete threat analysis is that
we wanted to strike a balance, keep the base doc for protocol details,
and leave the threat descriptions in the base doc as general threat

As we debate the various attack descriptions and mitigations that we
might like to add, please keep that balance in mind, and think
carefully about whether the details of *this specific* attack should
go into this document, or whether we just need to cover the general
class of threats here and put the details of this attack into

Otherwise, we might eventually merge the entire threat analysis
document into the base, one paragraph at a time.

Barry, as chair