Re: [OAUTH-WG] problem statement

John Kemp <john@jkemp.net> Wed, 07 September 2011 17:47 UTC

From: John Kemp <john@jkemp.net>
In-Reply-To: <4E67A942.1070200@mtcc.com>
Date: Wed, 07 Sep 2011 13:49:03 -0400
Message-Id: <D3A6B9B9-AC0A-4D0E-ACA8-AEB1BF8D5ECF@jkemp.net>
References: <4E665B25.6090709@mtcc.com> <4E6661FA.7050804@alcatel-lucent.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <4E67A710.9070505@alcatel-lucent.com> <4E67A942.1070200@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement

Mike,

On Sep 7, 2011, at 1:26 PM, Michael Thomas wrote:

> On 09/07/2011 10:17 AM, Igor Faynberg wrote:
>> +300 (if I can do that) to indicate my strong agreement.  But if somehow it is decided to add a few sentences on saying that OAuth cannot deal with key-logging, I will insist on adding two sentences each on OAuth being unable to deal with 1) earthquakes, 2) certain contagious diseases, etc., [...]
> 
> Please, enough of the hyperbole. It is not clear or obvious whether this is
> a protocol issue or not. It brings into question whether the protocol is worth
> deploying at all, and that is surely an issue. As far as I can tell, there is very
> little upside to deploying OAuth in the general case over, say, Basic+TLS. In
> fact, you guys have convinced me that OAuth gives inferior protection at
> considerable expense for all concerned.

I'm sorry that you haven't received an easy introduction to the OAuth WG. But that's no reason to spout nonsense. OAuth seeks to replace something that was once rather common - the need for a user to type (and/or store) his password for site A at site B, to let site B get their content from site A. Now, site B gets a token in the common case, rather than the user's password for site A. This doesn't remove the need for a user to exercise common sense in deciding where to type her password. But it does, in the common case, mitigate the password being shared among websites, or across networks multiple times. 

You are right that OAuth doesn't mitigate key logging or other similar attacks on the client OS/platform itself. But that doesn't make it inferior to other methods of web authorization.

- John

> 
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
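The delegation John describes (site B holds a token for site A instead of the user's password for site A), as an added toy model that is not part of the original message and not an implementation of OAuth 2.0. Everything here is constructed: the user "alice", the two sites, the assumption that a token is bound to the client it was issued to, and the revoke operation. The point it makes is the one in the message: if site B is breached, the password-sharing pattern leaks a credential that logs in as the user anywhere, while the token pattern leaks only what B itself was granted.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the illustration; not taken from the thread.
USER = "alice"
PASSWORD = "correct horse battery staple"


class SiteA:
    """The service holding the user's password and content (John's 'site A')."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)   # toy: one salt for everyone
        self._pw_hashes = {}                   # user -> PBKDF2 hash
        self._tokens = {}                      # token -> (user, client_id)
        self.content = {}                      # user -> protected content

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def register(self, user, password, content):
        self._pw_hashes[user] = self._hash(password)
        self.content[user] = content

    def check_password(self, user, password):
        h = self._pw_hashes.get(user)
        return h is not None and hmac.compare_digest(h, self._hash(password))

    # The pattern OAuth replaces: site B presents the user's A password to A.
    def fetch_with_password(self, user, password):
        if not self.check_password(user, password):
            raise PermissionError("bad password")
        return self.content[user]

    # The delegation pattern: the user types her password at A only, and A
    # hands the client (site B) a token. Assumption: the token is bound to the
    # client_id it was issued to.
    def authorize(self, user, password, client_id):
        if not self.check_password(user, password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client_id)
        return token

    def fetch_with_token(self, token, client_id):
        entry = self._tokens.get(token)
        if entry is None or not hmac.compare_digest(entry[1], client_id):
            raise PermissionError("unknown token or wrong client")
        return self.content[entry[0]]

    def revoke(self, token):
        """Assumed operation: the user (or A) invalidates one issued token."""
        self._tokens.pop(token, None)


class SiteB:
    """A third-party site that wants the user's content from A (John's 'site B')."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.stored = {}   # user -> whatever credential B keeps; this leaks if B is breached


def password_sharing_flow(a, b):
    b.stored[USER] = PASSWORD                          # user typed her A password into B
    return a.fetch_with_password(USER, b.stored[USER])


def delegation_flow(a, b):
    token = a.authorize(USER, PASSWORD, b.client_id)   # password crossed to A only
    b.stored[USER] = token
    return a.fetch_with_token(token, b.client_id)


def _ok(call):
    try:
        call()
        return True
    except PermissionError:
        return False


def breach_of_b(a, b):
    """Model a breach of site B: the attacker reads B's stored credential."""
    leaked = b.stored[USER]
    result = {
        "attacker_logs_in_as_user": a.check_password(USER, leaked),
        "usable_from_other_site": _ok(lambda: a.fetch_with_token(leaked, "evil-site-c"))
                                  or _ok(lambda: a.fetch_with_password(USER, leaked)),
    }
    a.revoke(leaked)   # revoking a password does nothing; revoking a token kills it
    result["usable_as_site_b_after_revoke"] = (
        _ok(lambda: a.fetch_with_token(leaked, b.client_id))
        or _ok(lambda: a.fetch_with_password(USER, leaked))
    )
    return result


def demo():
    a = SiteA()
    a.register(USER, PASSWORD, "alice's photos")
    b_pw, b_tok = SiteB("site-b"), SiteB("site-b")
    assert password_sharing_flow(a, b_pw) == "alice's photos"
    assert delegation_flow(a, b_tok) == "alice's photos"
    return {"password_sharing": breach_of_b(a, b_pw), "delegation": breach_of_b(a, b_tok)}
```

What the model does not claim: a token stolen from B together with B's client identity is still usable as B until revoked, and, as the message says, nothing here helps against a keylogger on the user's machine, since the password is still typed once at site A.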