Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01
Michael Thomas <mike@mtcc.com> Tue, 24 January 2012 00:18 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADA7721F8534 for <oauth@ietfa.amsl.com>; Mon, 23 Jan 2012 16:18:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IPyrxkrLjFZD for <oauth@ietfa.amsl.com>; Mon, 23 Jan 2012 16:18:05 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id F1D1621F852A for <oauth@ietf.org>; Mon, 23 Jan 2012 16:18:04 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q0O0HomV019243 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 23 Jan 2012 16:17:50 -0800
Message-ID: <4F1DF8AE.8000009@mtcc.com>
Date: Mon, 23 Jan 2012 16:17:50 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: S Moonesamy <sm+ietf@elandsys.com>
References: <6.2.5.6.2.20120123134319.0a76c338@resistor.net>
In-Reply-To: <6.2.5.6.2.20120123134319.0a76c338@resistor.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1992; t=1327364272; x=1328228272; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20[apps-discuss]=20Apps=20Ar ea=20review=20of=20draft-ietf-oauth-v2-threatmodel-01 |Sender:=20 |To:=20S=20Moonesamy=20<sm+ietf@elandsys.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=Lyckr7VxRv6EeOmyYzQ4zEbdif2x1Sc1F8v4nGs3xxg=; b=q1d19Tf2Vi5QDGdV9AntyiBU5z/ZqXkXDYu95hOHEwKTAMW+djJf/He5PP 2lRH7ltItobzrAhg5JyZW7nkwFsl9Vh4m2Ux6kvBr5MSuASzHBHTPjEQEDSz MQHr0x/l0aJEue1r1ZzrHqFvH/RawnZ55kRU/IWQRfPQPe/1F3c3I=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Tim Bray <tbray@textuality.com>, draft-ietf-oauth-v2-threatmodel.all@tools.ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] [apps-discuss] Apps Area review of draft-ietf-oauth-v2-threatmodel-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2012 00:18:05 -0000
On 01/23/2012 01:47 PM, S Moonesamy wrote: > > Minor Issues: > > 4.4.1.4 2nd bullet. The explanation of why this wouldn't work for > native clients wasn't comprehensible to me. I'm suspicious of any > such claims because I can emulate most things a browser can do in a > mobile client. Perhaps this would be obvious to someone who is an > OAuth2 implementor. Actually I'd say that it is *not* obvious because I joined the working group mailing list as an oauth deployer who had precisely questions along these lines expecting that I was *wrong* in worrying about this attack. I'd also say in this section and others like it dealing with native apps that saying: " Assumption: It is not the task of the authorization server to protect the end-user's device from malicious software" Is wrong headed. It's not the authorization server's task to protect the end user, but the authorization server *surely* has an interest in protecting *itself* from rogue clients. An attack by a malicious client is an attack against the end user *and* the authorization server. > > 4.4.1.9 I think where it says "iFrame" it might mean "WebView", i.e. a > Web Browser control embedded in the native app. If that's not what it > means, I don't understand what it's saying. If this is true, then the > second bullet point is probably wrong. I agree, and don't think the first bullet makes any sense either: "Native applications SHOULD use external browsers instead of embedding browsers in an iFrame when requesting end-user authorization" Who exactly is the attacker here? If it's the native app itself, then this isn't a countermeasure at all because the rogue client will ignore this SHOULD. If it's not the native app, then what is the an external browser doing that an embedded browser cannot? I don't understand the third bullet in this one either, but if only works in older browsers it's probably not worth mentioning. Mike
- [OAUTH-WG] [apps-discuss] Apps Area review of dra… S Moonesamy
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Michael Thomas
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Justin Richer
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Michael Thomas
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… John Bradley
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Torsten Lodderstedt
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… André DeMarre
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Igor Faynberg
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Peter Wolanin
- Re: [OAUTH-WG] [apps-discuss] Apps Area review of… Mark Mcgloin