Re: [OAUTH-WG] problem statement

William Mills <wmills@yahoo-inc.com> Wed, 07 September 2011 01:25 UTC

Message-ID: <1315358847.25169.YahooMailNeo@web31809.mail.mud.yahoo.com>
Date: Tue, 06 Sep 2011 18:27:27 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Michael Thomas <mike@mtcc.com>, Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <4E66C521.5070804@mtcc.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement

I think the only potential mitigation OAuth can offer is that the authenticating sites can do more due diligence about the clients they allow.  I say this knowing that it's not likely to happen in most cases, but it's possible.  Sites *can* limit the clients they allow, *but* it doesn't really work for installed clients on the desktop, software copy protection being the hard problem that it has proved to be.

Nobody dismisses the problem you're talking about; it's definitely a problem.  What you have not done is provide any concrete way in which OAuth can mitigate it beyond its present state.

I personally want OAuth 2.0 to get out the door.  What you seem to be asking for (if we really go there) is a far more comprehensive and general security considerations section that's going to cover a huge swath of space not specific to OAuth.  I don't think what you're asking for is specific to OAuth, so I don't think it's appropriate to take this spec there.

If you really think you've got something here, draft language and propose it.  That takes this from the theory of the problem to specifics.  It's got to be concrete, though, and actionable.  The recent discussions around CSRF identified a problem of CSRF in the auth server, and the new language addresses that in an actionable way.



________________________________
From: Michael Thomas <mike@mtcc.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: oauth@ietf.org
Sent: Tuesday, September 6, 2011 6:13 PM
Subject: Re: [OAUTH-WG] problem statement

On 09/06/2011 06:08 PM, Peter Saint-Andre wrote:
> Put me in the "may not have been avoided" camp. We can't legislate
> common sense (which, sadly, is all too uncommon).
>    

Can somebody show me in the archives where this has been
discussed before? Specifically about oauth clients that also
have control of the web UA?

In any case, you cite this as common sense. It's not. You are
close to the problem. Nobody else is.

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth