IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 07 September 2011 20:03 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18DC321F8CE0 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 13:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level:
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYJgP0lQAPyX for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 13:03:29 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 3159221F8CDB for <oauth@ietf.org>; Wed, 7 Sep 2011 13:03:28 -0700 (PDT)
Received: (qmail 25797 invoked from network); 7 Sep 2011 20:05:17 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.47) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 7 Sep 2011 20:05:16 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Wed, 7 Sep 2011 13:05:02 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Melinda Shore <melinda.shore@gmail.com>
Date: Wed, 07 Sep 2011 13:03:06 -0700
Thread-Topic: [OAUTH-WG] problem statement
Thread-Index: AcxtjMuEbqjRG3iRQl6wXpxvi4bS/wABWcng
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234518A4F277D@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E665B25.6090709@mtcc.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <4E67A710.9070505@alcatel-lucent.com> <4E67A942.1070200@mtcc.com> <D3A6B9B9-AC0A-4D0E-ACA8-AEB1BF8D5ECF@jkemp.net> <4E67B1C3.60306@mtcc.com> <2DEC7481-6359-4E6D-9F98-D97F42AF1A19@oracle.com> <4E67B93C.3060909@gmail.com>
In-Reply-To: <4E67B93C.3060909@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 20:03:30 -0000

Melinda,

We clearly have different views on what it means to "[deal] with this like an adult". I would like to address what I *think* were your two main points: the lack of civility in addressing the feedback provided by Mr. Thomas, and the alleged IETF process violation by me as editor. I have not seen any actual technical argument coming from you in support of this change other than 'why not'.

While the 11 people who replied to this thread did dismiss the claim and the need to address it, the conversation was pretty calm and polite. I suggest you go back and read the entire thread:

http://www.ietf.org/mail-archive/web/oauth/current/maillist.html

Any hints of hostility you find can be justly explained by the frustration of trying to talk to someone who refuses to listen and insists on making a change that everyone else objects to. Given that this is a technical working group, I can safely state that this objection was unanimous based on technical arguments.

Process-wise, we are operating under clear and explicit directions from the chairs to only consider changes to the document based on *proposed text* and consensus. As editor, it is completely within my authority to dismiss proposals and changes not matching the criteria set by the chairs, and it is my stated responsibility to reject changes where there clearly is no consensus. While the chairs can change their instructions, someone still has to provide text, which is the only way you can reach consensus.

And for the record, in this case, there is clear cut IETF consensus not to make any changes (1 in support, 11 against, and 1 'why not'). That's a close as the IETF gets to unanimity. I agree that the editor is not empowered to make such final declarations, but everyone is free to make that observation, including the editor. I have never refused to make a change in face of clear guidance from the chairs, nor have I ever suggested I have the authority to make such final calls. I find that suggestion disrespectful to my unparalleled contribution to this work over 4 years.

Your entire argument is basically 'why not, it's only a few lines in the introduction'. I find this both counter-productive and harmful. The suggested change boils down to explaining to the reader that installing untrusted clients on a user device can have wide repercussions to the security properties of this protocol. But such a claim is both obvious (to everyone but one) and incomplete.

It is the incompleteness part that most people objected to, and the fact that any attempt at a comprehensive text would mean significant and open-ended delay. The number of potential ways for malicious code to find its way onto a user device are practically unlimited, and every single one of them will lead to the same security degradation described in this thread.

There are certain things we have to take for granted when writing a specification like this. One of them is the reader's understanding that there are many factors outside the scope of the protocol, and malware is one of the most obvious factors. I am completely serious when I say that earthquakes (as suggested jokingly by others) present equal thread to the security model of this protocol because the user hand might shake when trying to deny client access and hitting the approve button instead.

So following your login, why not discuss the potential impact of a physical disruption to the user interaction with the authorization endpoint? I am dead serious as I consider the two threats to be of equal relevance to this document. There are many examples of over-specification causing more harm than good and this is clearly one of those cases. 'Why not' is never an acceptable argument for making changes, especially at this stage and for a security protocol. I would also note that every example you tried to give for why accommodating this is the right thing based on past protocols was proved to be misleading or misguided.

I would also note that the proposed changes (guessing based on the information provided in lieu of actual text) will not result in *any* actionable result by anyone, if only because there is nothing to do about it other than educate users not to install untrusted software of any kind on any device.

Trying to portray the answer below as a more adult response is interesting. If you note, no one actually suggested we change the security thread model document, only that it provides a comprehensive description of the protocol. I am pretty sure most WG participants will still object to this change made in that document for the same reasons.

As editor, I consider this matter closed and will not make any changes based on the information presented. You are free ask the chairs to open an issue block the progress of the draft until this is resolved to your satisfaction.

EHL



> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Melinda Shore
> Sent: Wednesday, September 07, 2011 11:35 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] problem statement
> 
> On 09/07/2011 10:22 AM, Phil Hunt wrote:
> > You should read the threat model document. This document has more
> editorial on these kinds of issues.
> 
> This seems reasonable to me, and thank you so much for departing from
> what seems to be standard working group mode by dealing with this like an
> adult.
> 
> It seems to me that there are some usability problems that while not being
> unique to oauth, really aren't that much like what we usually run into with
> on-the-wire protocols.  Documents in the security area have typically not
> dealt with usability issues even when, perhaps, they should, given their
> impact on how secure a technology is in the field.  Getting that into a threat
> model document sounds about right to me.
> 
> Melinda
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email