[OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Sun, 08 July 2012 15:21 UTC

Date: Sun, 08 Jul 2012 17:21:11 +0200
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: torsten@lodderstedt.net, mark.mcgloin@ie.ibm.com, phil.hunt@yahoo.com
Cc: ops-dir@ietf.org, Barry Leiba <barryleiba@computer.org>, oauth@ietf.org
Subject: [OAUTH-WG] Operations Directorate Review of draft-ietf-oauth-v2-threatmodel-06

This document is informational and describes the threat model and
security countermeasures for OAuth 2.0 (about the scope see Comment 1).
Although informational, it includes a lot of pieces of information useful
for operators, as well as recommendations on actions that need to be
taken by operators, or recommendations or education that needs to be
made to users in order to ensure a secure environment. Some more clarity
on what the operators' responsibilities are vs. design recommendations
would have helped, but overall it's a good document.

Specific comments:

1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
2.0 is not clear. In the Introduction we find:

   This document gives additional security considerations for OAuth,
   beyond those in the OAuth specification, based on a comprehensive
   threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].  

(it would be good to provide a reference for the 'OAuth specification' -
probably RFC 5489)

but then says the document

      - Gives a comprehensive threat model for OAuth and describes the
      respective counter measures to thwart those threats.

So is the scope of the document the threats beyond what is described in
OAuth 1.0, or all the threats?

In either case some additional text is needed to clarify the
scope.

2. The countermeasures to threats described in Section 5 can be divided
into several categories - user actions, operator actions, design
measures. Operators are typically responsible for some of them, and may
make recommendations to users on others. It would have been useful to
mark these accordingly, or maybe to include in Section 5 a table that
shows to what category/ies each measure belongs. For operators this
would have eased detecting the specific actions and recommendations to
users that concern them.


3. The OAuth and OAuth 2.0 documents need to be Normative References.
One cannot understand this document without understanding OAuth.


Regards,

Dan