Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Thu, 08 September 2011 01:02 UTC

On 09/07/2011 05:19 PM, Ben Niven-Jenkins wrote:
> Your original e-mail that started this thread was not targeted at a specific document and my interpretation is that some of the hostility you have experienced is due to a frustration that your request is seen as a potential obstacle to getting the protocol specification out the door because the issue you want to discuss is not directly related to how a developer might implement the protocol.
>    

I had no idea where in the IETF process the protocol document is. I'm
still not sure whether it's been through WG last call, IETF last call, etc.

> If I may be so bold, could I suggest that you propose some text that articulates the issue that you would like to see documented and then the group can assess that text on its merits and try to reach consensus on which document, if any, it is best placed to reside within.
>    

Basically, in the protocol document's introduction I think it should
be clearly explained that the UA functionality is expected to be "trusted",
i.e., not be under the control of a potential attacker. I think that for the
uninitiated that is anything but obvious. There has been a sea-change
since 2007 making this an important point. Had that been in the
introduction, we would not be having this conversation.

Mike