Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

William Mills <> Wed, 04 January 2012 23:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6BDC311E8089 for <>; Wed, 4 Jan 2012 15:43:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.018
X-Spam-Status: No, score=-17.018 tagged_above=-999 required=5 tests=[AWL=0.580, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tfv5bMJs01i1 for <>; Wed, 4 Jan 2012 15:43:05 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 4E25111E80C1 for <>; Wed, 4 Jan 2012 15:43:05 -0800 (PST)
Received: from [] by with NNFMP; 04 Jan 2012 23:42:57 -0000
Received: from [] by with NNFMP; 04 Jan 2012 23:42:57 -0000
Received: from [] by with NNFMP; 04 Jan 2012 23:42:57 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 44293 invoked by uid 60001); 4 Jan 2012 23:42:56 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ginc1024; t=1325720576; bh=EFUQBEN8uPHI0auUojmNg1Mn/JvoSR6gvXjHHsRw16k=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Ls3dIwQO1sDCqFdOGtTXL4UDCAOUPNBinIg3TVEM1TJFUMoDrxrIeNOmOVbd9aJRL6qszV0+G3gNGZ34CqtvQsNmsufYlvOop7hykBBox4AmdeIoDOoeW982BAa6bxRMewB3Og9FTMZAQpviomg4OIcLVro7EjfRIz+46uKuAkY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024;; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=U1C9k9Y6RTKIA1GDNZMYlD5qr8OAMBt+yH8tfXPuJS+T7ZbR5LNvhTyoREi8QfXzxNO6MI3BId7aiqWNcqhSou46HSMhAOZD/rZQxtmu+6D1U37Dbyl9tSGVik73jAYpenGVlldgy1/QjfzZpdxAKmLVaIAjyAsgZQAzPtDXBfk=;
X-YMail-OSG: wPf4towVM1kzKMkfG6Gm_gW87dMkgYcR.CvgTvs.IEEAFTl 6j39pZ07fObz8keH5RWZNi_uK6b.jrOqDB7Sv0DPEu3Dku8bLleizgZCbVhu fVKYpfJxMMv2WFeAn3SUVC0VaFlYFbE5NL0LNIQp.HAKoptJMVSqKYz4.0fB C.NhwGwM4gcv8Wbo5MbU9OG8VFofUgRs6o5qxf.s1aLg_CRr50zQhxJXtlf7 J5i1zwHxWmJ0JZNTiyQZD10CUfS.t1VcsFN5TODGe6lqhygjdV4j6gAG1Y6s N3DQEsnmNGnEQKy0rpUx4.GEeWUlojmsV3VowqLaHmKNUfLW43n0s1hjclq2 hNcJwh9eCrf6Y14JRkQcQJUbEmTP71o7XuMi54htZCGatP3E7ML4Kq0qCkhr iXHBMHJ3VhJojheNz5sMZ.KW.cfHxcglIje94UjZU
Received: from [] by via HTTP; Wed, 04 Jan 2012 15:42:56 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Message-ID: <>
Date: Wed, 04 Jan 2012 15:42:56 -0800
From: William Mills <>
To: Michael Thomas <>, Barry Leiba <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1238014912-1525551451-1325720576=:43079"
Cc: oauth WG <>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <>
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Jan 2012 23:43:06 -0000

I think the threat draft should simply say, "OAuth does not and can not protect the user against credential compromise as a result of phishing, malware, social engineering, or machine compromise."

Get rid of the fancy rhetoric, we don't need to explain a lot more than this.  

I don't agree that OAuth purports to solve these problems. What it solves is limiting the credentials granted to allow the user more control and limited damage in the event of credential misuse.


 From: Michael Thomas <>
To: Barry Leiba <> 
Cc: oauth WG <> 
Sent: Wednesday, January 4, 2012 1:06 PM
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
On 01/04/2012 12:41 PM, Barry Leiba wrote:
> up being a compromised browser or a native application that the user
> perhaps unwisely installed, all the security in the framework goes out
> the window, because an untrustworthy UA can fiddle with pretty much
> everything.

I think the "perhaps unwisely" goes to the heart of my objection. You
might as well be talking about "perhaps unwisely" driving a car,
or "perhaps unwisely" eating food: the reality is that people download
apps by the *billions*.  When I was initially blown off, many of the
participants including document editors implied that only idiots get
apps for their phones. That is *completely* unhelpful as the reality
is that OAUTH's use is hugely if not primarily deployed in that sort of

This is a threat that cuts to the very heart of what OAUTH is, and purports
to defend against: keeping user credentials out of the hands of an
untrusted third party. If there really aren't any good ways to mitigate this
in an app environment, why is OAUTH being deployed so aggressively there?
Shouldn't the threat draft say in blinking bold: "DEPLOYING OAUTH

OAuth mailing list