Re: [OAUTH-WG] Auth Code Swap Attack
Barry Leiba <barryleiba@computer.org> Mon, 15 August 2011 16:26 UTC
From: Barry Leiba <barryleiba@computer.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Mon, 15 Aug 2011 12:26:57 -0400
Message-ID: <CAC4RtVCn2GXORarPXhq-nBbrn_FKjhzoAo7ZL3WnhH3X91GhNQ@mail.gmail.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498CE6B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
> I do not plan to publish another draft until this issue is closed and resolved.
> I plan to seek WG consensus to every change made to -21 prior to publication
> to reduce the need for another WG draft.
...
> and I informed the list of my intention of using the edited text. Mr. Nadalin then
> raised his disagreement with the proposed edit. Fine. Now we wait for more
> participants to express their views.

OK, this is where the disconnect came from, and why I had a problem with what I heard. My guess is that that's the same problem Tony had:

My interpretation of your one-line message that said, "I'm using my proposed text in -21," was that you were deciding the issue, and were about to publish a new draft now-ish that reflects your decision.

What you say here makes it clear that that's not the case, and that what you meant was, "I believe my proposed text addresses this issue while maintaining established consensus about the protocol details, and when I post -21 (soon, but not now), which I hope will be the final version, I intend to use that version of the text, unless further discussion shows that WG consensus on the 'state' option has now changed."

That's rather more long-winded, of course, but I have, as chair, no problem at all with that plan. I also suspect that Tony will consider the longer-winded explanation to be less dismissive of the T/Y/T/P proposal than the one-sentence version may have come across.

And, so, carry on.

Barry, still chair-like