IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <mike@mtcc.com> Thu, 05 January 2012 16:21 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00EEA21F86CA for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 08:21:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGPPVcyCDEWA for <oauth@ietfa.amsl.com>; Thu, 5 Jan 2012 08:21:52 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 67AFD21F863C for <oauth@ietf.org>; Thu, 5 Jan 2012 08:21:50 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q05GLmI1026201 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 5 Jan 2012 08:21:48 -0800
Message-ID: <4F05CE1C.4060401@mtcc.com>
Date: Thu, 05 Jan 2012 08:21:48 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com> <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com> <CALaySJLcFGyt97OVFZY34kZSjp2bKRqiH_JSDQQaO-aTjSWh2g@mail.gmail.com> <4F04BF70.3010501@mtcc.com> <1325720576.43079.YahooMailNeo@web31816.mail.mud.yahoo.com> <4F04E79B.1030604@mtcc.com> <4F05C7B8.4070204@mitre.org>
In-Reply-To: <4F05C7B8.4070204@mitre.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1102; t=1325780510; x=1326644510; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Justin=20Richer=20<jricher@mitre.org> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=+cvQ3Ov3kKi2JY+rLgctr5sLndJzqtRzDgYEdMG38xk=; b=k1otN1+FjG5jcyrFF/pZWRo1wAqB3nqbZ3J52lEwQ920kNun58JKkjqjV4 ffDPI+mwIXj1gBDMy5GMw3fT6/fKUeNB93XohSjwzn+7mE3FUepncyvs+JWd /wAWCbTmvYX0ezyz7is/kWrqJTcuDCMNnfxC8BpZVb7eV0vP2c2H0=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 16:21:53 -0000

On 01/05/2012 07:54 AM, Justin Richer wrote:
>
> However, the contention about native apps that Mike brings up is misleading for one key reason: if the user's browser is compromised (which is the attack vector in question), then all OAuth-backed webapps will *also* be compromised, since the bad party can just grab the data on its way to the screen. And if the user downloads malware masquerading as a good app (which OAuth *can* protect against by using client secrets in some circumstances and trusted callback urls in others), and they approve the bad app, then they're hosed too.

There's a big difference between a compromised browser and a native app with
an embedded browser. The first is considered harmful and browsers already take
steps to insure they do not remain infected through updates, etc. The second is
working as intended.

| Even so, I do think it's clear from what text we already have.

Remember: the reason that I am here at all is precisely because it was *not*
clear. It's why I find the belligerence I've been afforded from the beginning
so mystifying.

Mike

v2.14.0 | Report a Bug | By Email