IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Michael Thomas <mike@mtcc.com> Wed, 04 January 2012 20:05 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 215E51F0C3E; Wed, 4 Jan 2012 12:05:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsDfDiI+LWFj; Wed, 4 Jan 2012 12:05:30 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 56A431F0C3C; Wed, 4 Jan 2012 12:05:30 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q04K5Lk8026221 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 4 Jan 2012 12:05:22 -0800
Message-ID: <4F04B101.3070708@mtcc.com>
Date: Wed, 04 Jan 2012 12:05:21 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im>
In-Reply-To: <4F04ACE4.1070006@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1675; t=1325707523; x=1326571523; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20WGLC=20on=20draft-ietf-oau th-v2-threatmodel-01,=20ends=209=0A=20Dec=202011 |Sender:=20 |To:=20Peter=20Saint-Andre=20<stpeter@stpeter.im> |Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20forma t=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=Rmlpa4wSO2U/+O26EBxEq02+Vqz5jhLHz2nfWyypSVA=; b=EHyyvoov1qrD98wn57RjJum/8ak35Ik/6KsPF/ncohrAzpOCuTraL6LQ0f s4YicNHak3pAwKVDd8jZmvfL1gN0ms04OC/4X/+NJccxRHA8tjTQL6OW5lOM 3hQjY6oFTqwNApE5/GmyiUOVMuCaM3FnmUr1EeOEcz2ETo58mHNpc=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 20:05:31 -0000

On 01/04/2012 11:47 AM, Peter Saint-Andre wrote:
> I've already done that in my original last call comments. Given that you
> rejected my comments out of hand, it doesn't appear that it was for
> lack of clarity.
>
> Mike, rather put off by the attitude of the editors in this wg
> Mike:
>
> In my experience, the IETF tradition is not to passively complain, but
> to actively contribute. Thus if I don't like the fact that there's no
> specification for some feature or protocol I care about, it's my
> responsibility to write an Internet-Draft to fill that gap. Similarly,
> if I have concerns about someone else's Internet-Draft, it's incumbent
> on me to propose new or alternative text. Sure, I could wait for the
> authors, editors, working group chairs, or area directors to take
> action, but you will have much greater success if you actively contribute.
>

I am not an IETF noob. The problem here is that I DO NOT KNOW
HOW TO MITIGATE THE THREATS I brought up as inadequately
mitigated in the threat draft. I don't know how I can state that more
plainly. I would *hope* that the participants of this working group who
have been working on this for years could do a better job. But if they
can't then the threat draft should just say that there is no known defense
instead of feel-good things like "educate users".

And I completely disagree that this isn't "active" participation. It
denigrates draft reviewers as being lesser participants. Nor does it
match IETF reality: cross area reviewers typically just point out the
problems and leave it to the working group participants to work it
out. Same goes for an IESG DISCUSS.

Mike

v2.23.0 | Report a Bug | By Email