Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Wed, 07 September 2011 18:26 UTC

To: David Waite <david@alkaline-solutions.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement

On 09/07/2011 11:20 AM, David Waite wrote:
>
> On Sep 7, 2011, at 12:02 PM, Michael Thomas wrote:
>>
>> It's not nonsense:
>>
>> 1) App prompts me for my credentials to Facebook -- I wonder whether
>>    I trust the app.
>> 2) App puts me in a Facebook login window -- I figure that it's secure and
>>    don't wonder whether I trust the app.
>>
> The assumption for #1 is that the app gave you a user experience for 
> entering your facebook credentials that looks different than the 
> actual facebook login window. If the app is malicious, this will most 
> likely not be the case.
>
> The advantage OAuth provides is that it can vet/ban clients which are 
> doing malicious things. However, even a client with no oauth support 
> at all is still capable of providing a realistic-looking login window 
> using an embedded user agent, and capturing the real username/password.
>
Absolutely. But before facebook started doing this oauth-like
authentication (from the UX standpoint), there wasn't any reason
why a user would expect to see that facebook-like authentication page.
But now users are getting taught to trust that facebook authentication
page inside untrusted apps. So it's the whole ecosystem that's problematic,
but it doesn't seem right to tout oauth as a solution which is
how it's coming across on the outside. Not wanting to very clearly
fess up in the protocol document makes it sound like some people
view that as a feature, not a bug.

Mike