Re: [OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Sun, 08 July 2012 15:45 UTC

Date: Sun, 08 Jul 2012 17:45:30 +0200
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: phil.hunt@yahoo.com, oauth@ietf.org, ops-dir@ietf.org
Subject: Re: [OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

> -----Original Message-----
> From: barryleiba@gmail.com [mailto:barryleiba@gmail.com] On Behalf Of
> Barry Leiba
> Sent: Sunday, July 08, 2012 6:37 PM
> To: Romascanu, Dan (Dan)
> Cc: torsten@lodderstedt.net; mark.mcgloin@ie.ibm.com;
> phil.hunt@yahoo.com; oauth@ietf.org; ops-dir@ietf.org
> Subject: Re: Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06
> 
> > 1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
> > 2.0 is not clear. In the Introduction we find:
> >
> >    This document gives additional security considerations for OAuth,
> >    beyond those in the OAuth specification, based on a comprehensive
> >    threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].
> >
> > (would be good to provide a referent for the 'OAuth specification' -
> > probably RFC 5489)
> 
> It does have a citation, right there: [I-D.ietf-oauth-v2].  That is
> the OAuth specification.  I suppose we could move the citation to be
> after the word "specification", though no one else has been confused
> by this.
> 
> > but then says the document
> >
> >       - Gives a comprehensive threat model for OAuth and describes the
> >       respective counter measures to thwart those threats.
> >
> > So is the scope of the document the threats beyond what is described in
> > OAuth 1.0, or all the threats?
> 
> It has nothing to do with OAuth 1.0, and I don't think it says that
> anywhere.  It's OAuth 2.0, as noted in the citation.  It expands on
> what's in the Security Considerations of the OAuth spec, and covers
> threats that are not described there as well.  The OAuth spec has an
> informative reference to this document.

Barry,

I believe that the words 'additional' and 'beyond' in the first quoted
paragraph create the confusion. Saying 'This document gives additional
security considerations for OAuth, beyond those in the OAuth
specification' is not the same as saying 'This document gives security
considerations for OAuth based on the OAuth specification (and by the
way, when we say this we mean OAuth 2.0 and nothing else)'.

Regards,

Dan