Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Mike Jones <> Sat, 20 February 2016 10:41 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 474FA1A871B for <>; Sat, 20 Feb 2016 02:41:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tF7fB1WnXDWn for <>; Sat, 20 Feb 2016 02:41:28 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::754]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 708A51A86FA for <>; Sat, 20 Feb 2016 02:41:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=b5JC5SbqKfLfnLxzpRYJAte12SEBQoFZeX2t/TptzRg=; b=KkU3fEXXndMwbmpc+MuCaCnBTihbHvIUEkYH08ib/2dapo7J3wB77VlfmvHTpTXLvyBaG0S/l4PcFhoGCQtzNX/uAtFod9lxgHTr9f7qcrgvIE9q/xhCC9wRSwJ28jZkQVboNelDzBNQWF8VCb6+loBgb/sEqbjc08+KKHoWRZY=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.409.15; Sat, 20 Feb 2016 10:41:05 +0000
Received: from ([]) by ([]) with mapi id 15.01.0409.017; Sat, 20 Feb 2016 10:41:05 +0000
From: Mike Jones <>
To: Hannes Tschofenig <>, William Denniss <>, "Phil Hunt (IDM)" <>
Thread-Topic: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
Date: Sat, 20 Feb 2016 10:41:05 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 00f1d040-a825-4280-d798-08d339e255fa
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:JOZjEkggnFT/fpFlx1rIaDQmb3+chmu7jxCQ8rlh+PF9fMN3xdXhWr9AmfMgF9x6XKNl3PLzW12PLenfRa4LRy/6+MorBP57L62YHk07uWkh8Ap05dQgquKB0mdtipTBMAletPf3BWdfWB+SikRjwQ==; 24:iOwSk3o2wzJnMyMj8EjNJ8TM9qx7iNGQJaBmgOHTH58C+hKMxa9VVmBvwm72FAAA/GKG8Y+cN8/KljvJgiWwANjGqBB2NBWU6ay05+C75l8=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 0858FF8026
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(24454002)(479174004)(377454003)(13464003)(5002640100001)(76576001)(586003)(15975445007)(10290500002)(122556002)(1096002)(3846002)(66066001)(5003600100002)(10400500002)(76176999)(54356999)(5005710100001)(102836003)(87936001)(2906002)(8990500004)(1220700001)(50986999)(86362001)(2950100001)(3280700002)(33656002)(5004730100002)(3660700001)(86612001)(2900100001)(6116002)(4326007)(77096005)(74316001)(5001770100001)(11100500001)(92566002)(189998001)(19580405001)(5008740100001)(19580395003)(5001960100002)(99286002)(93886004)(40100003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2016 10:41:05.3516 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 Feb 2016 10:41:31 -0000

Suggesting that they be read is of course, the right long-term approach.  But as someone who spent 20+ years as a researcher before switching to digital identity, I was sensitive to not wanting to upstage their work by copying too much of their material into our draft before their publications were widely known.  I'll of course commit to working the researchers and the working group to create a self-contained concise description of the threats and mitigations in the working group document.

				-- Mike

-----Original Message-----
From: Hannes Tschofenig [] 
Sent: Saturday, February 20, 2016 2:25 AM
To: Mike Jones <>; William Denniss <>; Phil Hunt (IDM) <>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Hi Mike,

On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications?  If not, do yourself a favor 
> and do.  They're actually both very readable and quite informative.

I have read both documents. In context of this discussion the question is whether we

(a) require them to be read (in which case they should be a normative reference), or
(b) suggest them to be read (since they provide additional background information). In this case they are an informative reference.

I believe believe we want (b) for the OAuth WG document. While I encourage everyone to read the publications I also believe that there is lots of material in there that goes beyond the information our audience typically reads (such as the text about the formal analysis).

There is probably also a middle-ground where we either copy relevant text from the papers into the draft or reference specific sections that are "must-read".

One other issue: I actually thought that the threat that is outlined in the research paper is sufficiently well described but the second threat, which is called 'cut-and-paste attack', requires more work.
I noted this in my summary mail to the list, see