Re: [OAUTH-WG] Auth Code Swap Attack

Barry Leiba <> Mon, 15 August 2011 16:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5033421F8C5C for <>; Mon, 15 Aug 2011 09:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.04
X-Spam-Status: No, score=-103.04 tagged_above=-999 required=5 tests=[AWL=-0.063, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zaSC1pumLGBu for <>; Mon, 15 Aug 2011 09:26:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B1ECF21F8C52 for <>; Mon, 15 Aug 2011 09:26:12 -0700 (PDT)
Received: by yxp4 with SMTP id 4so3691493yxp.31 for <>; Mon, 15 Aug 2011 09:26:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=SjreA2fOOt5IWiwp5QNWHgL8h3z+UGPn2dkrj9dm0lg=; b=TgGPUW+55DuRlLkmYAyPN+Wx4sPmuHvTkLyszfoYLrT1mJstq7Kh/Q42su5p6cEKVZ EOtfWRlyyCeS0Q4BmxuKoMxsRr18FOIjRUmnrI6Xx9l1ardzzicX/KicngI/umq746ON DvsHSAIr7bVm6ykr0p9vGaGd2O96ghVBBptCI=
MIME-Version: 1.0
Received: by with SMTP id n68mr12778510yhj.177.1313425617632; Mon, 15 Aug 2011 09:26:57 -0700 (PDT)
Received: by with HTTP; Mon, 15 Aug 2011 09:26:57 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498CE6B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CE4A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CE6B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 15 Aug 2011 12:26:57 -0400
X-Google-Sender-Auth: sJqNyBovTLf4OAQxqiG9XAZ_v94
Message-ID: <>
From: Barry Leiba <>
To: Eran Hammer-Lahav <>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Aug 2011 16:26:13 -0000

> I do not plan to publish another draft until this issue is closed and resolved.
> I plan to seek WG consensus to every change made to -21 prior to publication
> to reduce the need for another WG draft.
> and I informed the list of my intention of using the edited text. Mr. Nadalin then
> raised his disagreement with the proposed edit. Fine. Now we wait for more
> participants to express their views.

OK, this is where the disconnect came from, and why I had a problem
with what I heard.  My guess is that that's the same problem Tony had:
My interpretation of your one-line message that said, "I'm using my
proposed text in -21," was that you were deciding the issue, and were
about to publish a new draft now-ish that reflects your decision.
What you say here makes it clear that that's not the case, and that
what you meant was, "I believe my proposed text addresses this issue
while maintaining established consensus about the protocol details,
and when I post -21 (soon, but not now), which I hope will be the
final version, I intend to use that version of the text, unless
further discussion shows that WG consensus on the 'state' option has
now changed."

That's rather more long-winded, of course, but I have, as chair, no
problem at all with that plan.  I also suspect that Tony will consider
the longer-winded explanation to be less dismissive of the T/Y/T/P
proposal than the one-sentence version may have come across.

And, so, carry on.

Barry, still chair-like