Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Thu, 11 June 2015 19:10 UTC

In-Reply-To: <5579DB31.30807@gmx.net>
References: <20150611184955.1618.38149.idtracker@ietfa.amsl.com> <5579DB31.30807@gmx.net>
Date: Thu, 11 Jun 2015 20:09:36 +0100
Message-ID: <CALaySJJKwOVAWHry41khzNg6fDpkW6No2QQsz5PG6amvnNHSaQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/WdA_OlVYx7QvCXL6BTEiWYSOW4k>
Cc: draft-ietf-oauth-spop@ietf.org, oauth WG <oauth@ietf.org>, draft-ietf-oauth-spop.shepherd@ietf.org, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-spop.ad@ietf.org

Hi, Hannes, and thanks for clearing this bit up.

>>    4) The attacker (via the installed app) is able to observe responses
>>       from the authorization endpoint.  As a more sophisticated attack
>>       scenario the attacker is also able to observe requests (in
>>       addition to responses) to the authorization endpoint.
..
> In this model the adversary will see response messages. However, it is
> possible for an attacker to also compromise the smart phone OS in such a
> way that he/she is also able to see the request as well as the
> responses. In such a "more sophisticated attack" the proposed mechanism
> does not help.

Ah, got it.  Then it would be good for (4) to say that, maybe just by
adding to the end, "This mechanism does not protect against the more
sophisticated attack."  Sound OK?

Barry