Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 20 February 2016 09:46 UTC
To: William Denniss <wdenniss@google.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com> <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <56C8360C.8010203@gmx.net>
Date: Sat, 20 Feb 2016 10:46:52 +0100
In-Reply-To: <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/XzjeovOOx5vEXaLvx1x-R09GTp0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since they motivate the reason for doing the work, but there is nothing in these publications that raises interoperability concerns. I believe the solution documents need to be descriptive enough that they explain the threats so that a reader who does not read through the informative reference section still understands what's going on.

> For my own knowledge: what are some of the use-cases that are subject
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist
> which are mitigated by this draft?

This is something I criticized in my review as well. IMHO the documents could do a better job in describing the threats and particularly the assumptions that need to hold in order for the attacks to work. Without those it will be difficult to inform readers when this is a concern and what level of risk this represents.

Ciao
Hannes
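The precondition the thread keeps coming back to is an RP registered with more than one AS. The check below is an added illustration of the client-side mitigation for that situation; it is not code from this thread or from the draft under discussion. It assumes the approach of having the AS echo its issuer identifier (`iss`) in the authorization response, and the RP remembering, per `state`, which AS a flow was started with. All names, URLs and client ids are constructed.

```python
"""Relying-party side mix-up check (added illustration, Python 3).

Assumed, not taken from the thread: the RP keeps a per-request record of
which AS a flow was started with, and the AS returns its issuer identifier
as an `iss` parameter in the authorization response. Names are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class AuthServer:
    issuer: str           # issuer identifier the AS is expected to echo back
    authz_endpoint: str
    token_endpoint: str
    client_id: str        # the RP's client_id at this particular AS


@dataclass
class RelyingParty:
    servers: Dict[str, AuthServer]                        # local name -> AS
    redirect_uri: str = "https://rp.example/cb"
    pending: Dict[str, str] = field(default_factory=dict)  # state -> issuer

    def start_flow(self, server_name: str) -> str:
        """Build the authorization request and record which AS it targets."""
        srv = self.servers[server_name]
        state = secrets.token_urlsafe(16)
        self.pending[state] = srv.issuer
        query = urlencode({"response_type": "code", "client_id": srv.client_id,
                           "redirect_uri": self.redirect_uri, "state": state})
        return f"{srv.authz_endpoint}?{query}"

    def handle_callback(self, callback_url: str) -> Optional[AuthServer]:
        """Validate the authorization response.

        Returns the AS whose token endpoint the code may be redeemed at, or
        None when the response must be discarded.
        """
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        # state is one-shot: consume it whatever the outcome (blocks replay)
        expected_issuer = self.pending.pop(params.get("state", ""), None)
        if expected_issuer is None or "code" not in params:
            return None
        # Mix-up check: the AS that answered must be the AS this flow was
        # started with. Fail closed when iss is missing; otherwise the code
        # would be redeemed at whichever AS the RP merely assumed.
        if params.get("iss") != expected_issuer:
            return None
        return next(s for s in self.servers.values() if s.issuer == expected_issuer)


def simulate() -> Dict[str, bool]:
    """Constructed scenario: one RP registered at two ASes, flows started at AS 'a'."""
    rp = RelyingParty(servers={
        "a": AuthServer("https://as-a.example", "https://as-a.example/authz",
                        "https://as-a.example/token", "rp-at-a"),
        "b": AuthServer("https://as-b.example", "https://as-b.example/authz",
                        "https://as-b.example/token", "rp-at-b"),
    })
    honest = rp.servers["a"]

    def fresh_callback(**params: str) -> str:
        # start a new flow with AS 'a' and build a callback URL for its state
        state = parse_qs(urlparse(rp.start_flow("a")).query)["state"][0]
        return rp.redirect_uri + "?" + urlencode({"state": state, **params})

    results = {
        "correct_issuer_accepted":
            rp.handle_callback(fresh_callback(code="c0de", iss=honest.issuer)) is honest,
        "other_as_issuer_rejected":
            rp.handle_callback(fresh_callback(code="c0de", iss="https://as-b.example")) is None,
        "missing_issuer_rejected":
            rp.handle_callback(fresh_callback(code="c0de")) is None,
        "unknown_state_rejected":
            rp.handle_callback(rp.redirect_uri + "?code=c0de&state=bogus") is None,
    }
    replayed = fresh_callback(code="c0de", iss=honest.issuer)
    first = rp.handle_callback(replayed)
    results["replayed_state_rejected"] = first is honest and rp.handle_callback(replayed) is None
    return results


if __name__ == "__main__":
    for name, passed in simulate().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

The point the thread asks the draft to spell out is visible in `simulate()`: with a single AS the `iss` comparison can never fail, so the check only buys something once the RP is registered at two or more ASes, and it is only effective if the RP fails closed when `iss` is absent.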