Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Barry Leiba <barryleiba@computer.org> Fri, 27 April 2012 01:31 UTC

Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B18811E8097 for <oauth@ietfa.amsl.com>; Thu, 26 Apr 2012 18:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.962
X-Spam-Level:
X-Spam-Status: No, score=-102.962 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cNJ+vn06GQ46 for <oauth@ietfa.amsl.com>; Thu, 26 Apr 2012 18:31:30 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1B06811E8096 for <oauth@ietf.org>; Thu, 26 Apr 2012 18:31:30 -0700 (PDT)
Received: by yhkk25 with SMTP id k25so149605yhk.31 for <oauth@ietf.org>; Thu, 26 Apr 2012 18:31:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; bh=UMHXn29dMPhgu/9i81AtBwc76snQyMJFPrdofP6TS5w=; b=DSlqvvqALbb9GSDihCE2G4hG4HbgPzMKH+xKupS/GkmrSXnGMCCVXsQKN1CPQjXw1A sP3cje4z6tiBKSQRcePEreNzBWotoAzNsavnEA6nCN+F97kbSBAHSZpkU16y5AxWdBsz DLm35sxcG0sT+Hv8nyKWeG/U3Lnk8+7hcseFWiUYOtxkx5iaDhmQ8jRR5Ulj/XWFlWng X+PwhgcLbO9QSRI1g4k3/jY+dLR1DZF+b0ob7HjNxOLmocYlDalhxzSX0BWBNVWPfmmz zMbDjVfN/AYmpOv6pazkOtV414/30ofCnk5wWv8WwSBV2lnyOkK1haCBc+9S5hnRhgyH 5Wlw==
MIME-Version: 1.0
Received: by 10.236.154.35 with SMTP id g23mr8963608yhk.107.1335490289607; Thu, 26 Apr 2012 18:31:29 -0700 (PDT)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.147.152.14 with HTTP; Thu, 26 Apr 2012 18:31:29 -0700 (PDT)
In-Reply-To: <CAC4RtVAD3NVm8vcSNJvpYPU0meFh9tbN6dXqBS5XbHRKagCfwA@mail.gmail.com>
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com> <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com> <4F96A99F.7010303@mtcc.com> <85556C53-99DD-47A2-A0D5-2F86DD2B668F@oracle.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FFC41C@P3PWEX2MB008.ex2.secureserver.net> <580607FC-28EC-4BBA-8CBA-C63D2FA52C8E@oracle.com> <CAC4RtVAD3NVm8vcSNJvpYPU0meFh9tbN6dXqBS5XbHRKagCfwA@mail.gmail.com>
Date: Thu, 26 Apr 2012 21:31:29 -0400
X-Google-Sender-Auth: 9wpLbvLdhO4h2LxRPGhYvx0tEGk
Message-ID: <CAC4RtVCBBTqFWkOOuACsiUz7YdCGD4FnpeR7wySL-J_GAxJ==g@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: oauth@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Apr 2012 01:31:30 -0000

Oh, and sorry...

> threats document should be addressing that "overselling" problem[1],
> and if that means highlighting a few things that we think should be
> obvious, I'm in favour of it.

...I forgot to include the footnote.

Barry

[1] Note that I'm NOT saying that the WG is overselling OAuth, but
that any technology like this gets oversold in the press, by
implementors who want to make its support part of a sales pitch, and
by general word of mouth/blog/twit.