Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Phil Hunt <> Tue, 24 April 2012 17:26 UTC

To: Eran Hammer <>

Folks this is a "scoping" debate.  Because this document is a brand new type of specification, I can see why there is some confusion.

First, I want to point out the concerns Michael Thomas is making are *valid*.

**However**, editorially I feel strongly the comments fall outside the intended scope and purpose for this document. This document is about threats specifically related to the OAuth protocol. Its intent is to go beyond security considerations to give implementers a feel for the issues the group has considered specific to the protocol.

Michael's comments are directed at general trusted computing platforms. And while I agree they are valid, they don't fit in this document. At no time did the OAuth WG set out to solve or debate trusted computing platform issues. It is simply not within the charter of the WG.

Michael feels the premise for the document is "borked" because his comments are not included. However, there are those of us that feel the document instead needs to be sharply edited back to focus even tighter on OAuth-specific issues.

As for "consensus" there seem to be two issues/questions at hand:

1. Do we go back and extend the document scope to general trusted computing platform issues?

2. Is the document correct for the content that it has now?

I suspect there is strong consensus for number 2. 

I suspect there is quite a lot of debate about number 1. For me, I will push very hard to cut the document in half (the opposite).  My worry is the document is too long, and many are already not reading it because it is only an Informational document.



On 2012-04-24, at 9:20 AM, Eran Hammer wrote:

> We've been kicking this can of silliness for months now because one person refuses to move on even in the face of otherwise unanimous consensus from the group.
> Chairs - Please take this ridiculous and never ending thread off list and resolve it once and for all.
> EH
>> -----Original Message-----
>> From: [] On Behalf
>> Of Phil Hunt
>> Sent: Tuesday, April 24, 2012 7:59 AM
>> To: Michael Thomas
>> Cc: Barry Leiba;;
>> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-
>> threatmodel
>> Are we at this stage re-opening the entire document? I thought we were
>> responding only to specific shepherd text edits.
>> Phil
>> On 2012-04-24, at 6:24, Michael Thomas <> wrote:
>>> On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
>>>> Hi Thomas
>>>> Your additional text is already covered in a countermeasure for
>>>> section 4.1.4.  In addition, section states the assumption
>>>> that the auth server can't protect against a user installing a
>>>> malicious client
>>> The more I read this draft, the more borked I think its base
>>> assumptions are. The client *is* one of the main threats. Full stop. A
>>> threat document should not be asking the adversary to play nice. Yet,
>>> 4.1.4 bullets 1 and
>>> 3 are doing exactly that again. If those are countermeasures, then so
>>> is visualizing world peace.
>>> As for bullet two, it doesn't mention revocation, and I prefer Barry's
>>> section generally. I can't find a section
>>> Mike
>>> _______________________________________________
>>> OAuth mailing list