Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Barry Leiba <> Fri, 27 April 2012 01:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 355D811E8091 for <>; Thu, 26 Apr 2012 18:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.962
X-Spam-Status: No, score=-102.962 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id akVRZb02NSvU for <>; Thu, 26 Apr 2012 18:28:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 83B9811E8079 for <>; Thu, 26 Apr 2012 18:28:20 -0700 (PDT)
Received: by ghbg16 with SMTP id g16so146081ghb.31 for <>; Thu, 26 Apr 2012 18:28:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=FQzcXV+V1ucw2FqX2XX6U9Chgs4v//EWvmdlVDV6+hc=; b=jEdnOh4TXNiH7yO76gFxGRBYfKCrq/BS/JGsJoYvcjJyU5D/9g0ECpsJpWdiSdr40F BOJAodrkoE3pyVUYaSkTGlaYq3DoifFsm002D0hH4IaLWoqDGEwml/ZS4gEMPeX+13IP kCnz5Bs7dQUz/6hseaHciOJksJ0xWl7+AdKw06eEhYRRGc63EnUc2+I30cZ5JDt4sIp6 pZugAumBe8e4AGz1m8d+bcX6brtW0makhWvuMDAZGlodRJ74FYI1PIufJV6MvpduIWWH 7DnnR6HjjjgCh1FLWt7UGe3fz1GuNosysG73Ki66xN5zTLuYgi2IFw+F4JUDikYJnwWU 50/A==
MIME-Version: 1.0
Received: by with SMTP id t10mr8981755yhm.112.1335490100103; Thu, 26 Apr 2012 18:28:20 -0700 (PDT)
Received: by with HTTP; Thu, 26 Apr 2012 18:28:19 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Date: Thu, 26 Apr 2012 21:28:19 -0400
X-Google-Sender-Auth: K2PlQI3ejfRdNd3PlbBZzY_QJZ0
Message-ID: <>
From: Barry Leiba <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 27 Apr 2012 01:28:21 -0000

Phil said...

> **However**  Editorially I feel strongly the comments fall outside the intended scope
> and purpose for this document. This document is about threats specifically related
> to the OAuth protocol.  It's intent is to go beyond security considerations to give
> implementers a feel for the issues the group has considered specific to the protocol.
> Michael's comments are directed at general trusted computing platform. And while I
> agree they are valid, they don't fit in this document.

I'll add one thing to this consideration:  while I agree that we can't
discuss every threat that one might encounter in a web services
environment, I think it's useful and important to discuss issues that
people are likely to think are addressed, mitigated, or solved by
OAuth, *even if we don't think that, and even if we know they're not
really OAuth issues.*

DKIM had a related problem (which I do NOT want to open up for
discussion here; I mention it only for comparison).  DKIM was often
oversold as being something that would "block spam" or "stop phishing
in its tracks."  It will do neither, though it's a tool to be used in
systems that aim at both.  Similarly, while OAuth solves a real
problem and is a good step, it will not *stop* impersonation attacks,
credential-theft attacks, and so on.  We all know that, but many
people who will read the OAuth spec will think it can do that.  The
threats document should be addressing that "overselling" problem[1],
and if that means highlighting a few things that we think should be
obvious, I'm in favour of it.

I think the things that Mike Thomas has bought up fall into that
category.  I'm sympathetic to the argument that this is a long
document, bordering on (or perhaps having crossed the border into)
"tl;dr" territory.  Perhaps there are other things that can be
trimmed.  But at this point, I've made a proposal to add a few
paragraphs, and mostly (not completely) gotten feedback from the
editors that my text is acceptable.  Mike has asked for one paragraph
to be added to that, and I think his proposal is reasonable.  If we go
with that set of additions, I think we'll address some of the
overselling problem, and I think the document will be better for it.

If the editors want to post my suggested addition here, they may do
so; yes, it was meant for a small group to iron out first, but the WG
will have to see and agree to it at some point anyway.  If the editors
want to trim a bit elsewhere in the document to make room, they may
also do that -- with the consent of the WG.  But let's please not get
hung up on this to the point of losing traction on the whole document.

And everyone please relax and not get hot or snarky: we're all trying
to make a better document, and calm discussion, rather than sarcasm
and hyperbole, is the best way to do that.  We're almost there.  We'll
get there soon.

Barry, document shepherd