Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Wed, 07 September 2011 19:38 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A36F21F8B22 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 12:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.788
X-Spam-Level:
X-Spam-Status: No, score=-1.788 tagged_above=-999 required=5 tests=[AWL=-0.609, BAYES_00=-2.599, SARE_ADULT2=1.42]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8lok0OooGShs for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 12:38:14 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 94A1321F8B17 for <oauth@ietf.org>; Wed, 7 Sep 2011 12:38:14 -0700 (PDT)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id p87Je3DP008377 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 7 Sep 2011 12:40:03 -0700
Message-ID: <4E67C893.5060505@mtcc.com>
Date: Wed, 07 Sep 2011 12:40:03 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <4E665B25.6090709@mtcc.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <4E67A710.9070505@alcatel-lucent.com> <4E67A942.1070200@mtcc.com> <90C41DD21FB7C64BB94121FBBC2E7234518A4F274E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E67C501.3060001@mtcc.com> <4E67C6C9.1070704@stpete! r.im>
In-Reply-To: <4E67C6C9.1070704@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2535; t=1315424403; x=1316288403; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20problem=20statement |Sender:=20 |To:=20Peter=20Saint-Andre=20<stpeter@stpeter.im> |Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20forma t=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=ukT4i9yvtQkFYm1mIQcPtDKLfLEPSUzKEi0steP+I2E=; b=DZp/ig+XLwxvJPANDl6EZxykdwyq2gMx+Tu3VZVaFtQMJNfBqHWsMWsSDn JkpANsAYQQTN33VE1GjFPdDzJb9YKwhTuai0Ot2JW8pJinaoO2+rbZDXKkh9 nORv+d4mLcxbc3cMioPy8ohlPNP5r3rfNF+MEG0hAG6L1xNVjMe7s=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 19:38:15 -0000

On 09/07/2011 12:32 PM, Peter Saint-Andre wrote:
> On 9/7/11 1:24 PM, Michael Thomas wrote:
>    
>> On 09/07/2011 12:12 PM, Eran Hammer-Lahav wrote:
>>
>> [more browbeating elided]
>>
>>      
>>> In fact, you guys have convinced me that OAuth gives inferior
>>> protection at
>>>        
>>>> considerable expense for all concerned.
>>>>
>>>>          
>>> an irresponsible and serious offense - the kind of baseless FUD that
>>> can cause real damage to important work.
>>>
>>>        
>> I have written down at least 3 or 4 times why I think it's inferior.
>> Nobody attacking the messenger including yourself has answered
>> it. There's FUD here, but not from me.
>>      
> Mike, did you propose text to address the concern? Per recent discussion
> I think the threat-model document is the right place for it, so please
> take a look at that spec to see where your proposed text can slot in.
>    
Yes, I outlined what I think should be done at a minimum. I've
also been told by the editor that he won't consider it. Barry
has said that he won't consider it either. Unless the working
group is open to changes, I'm not going to waste my time crafting
the actual changes. So this is your call.

Here's what I wrote previously:

[...]

Second, I'd say that [section 9] is a good first step, but the text there
should be explicit and not pussy-foot around the fact that it
means embedded UA's in phone apps and other examples. It
should also make clear that the "challenge" (ack, ptui) involves
untrusted apps stealing the user's credentials by simply snooping
on the UA itself. If there is reasonable mitigation, then by all means
add text about it. This is important because I do not think that
many people grok the seriousness of the issue, and most especially
people who would deploy oauth authentication services.

Third, I think that the introduction needs to have an applicability
statement of *when/where/what* oauth can be used. That is,
do not beat around the bush about the need for the UA to be
trustable because that is a basic the assumption that oauth makes.
As inconvenient as that may be, it would be far worse for people
in the industry to not fully understand the threat.

Fourth, it would be *really* nice to hear from folks at Facebook
and Twitter who have deployed oauth and oauth-like flows with
their experience here, and most especially if they understood the
threat ahead of their deployment, and what they do to mitigate
it if anything.


Mike