Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Barry Leiba <> Wed, 04 January 2012 20:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 50D9B11E80A1 for <>; Wed, 4 Jan 2012 12:41:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.717
X-Spam-Status: No, score=-102.717 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 36MMiLYGNxtg for <>; Wed, 4 Jan 2012 12:41:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id BC82511E809F for <>; Wed, 4 Jan 2012 12:41:18 -0800 (PST)
Received: by ggnk5 with SMTP id k5so11874607ggn.31 for <>; Wed, 04 Jan 2012 12:41:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=lwRkxyE7QM0IA29dl2IjU52plVoAKNpqYmKrf6+hsWY=; b=s4lVkc7vCEiYVqLQ8+GuLWJTBH41gvtokbCkzDgd9HKoI1lnpnq1w1pa89IiLzFSGF ABWB6QVZXPc7+1+CF6T3dqJ9dIQZOBrqJsU0s1Z7/7c8lX4RDa0imZIQNYROQiMD78CI 7RukU9NvDoL0Nhep/BD/2D+oo+uOV928FKnLw=
MIME-Version: 1.0
Received: by with SMTP id a12mr8788607anj.17.1325709678342; Wed, 04 Jan 2012 12:41:18 -0800 (PST)
Received: by with HTTP; Wed, 4 Jan 2012 12:41:18 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Wed, 04 Jan 2012 15:41:18 -0500
X-Google-Sender-Auth: XbvdpnkJM3mVARZpYoGeCBJJtgM
Message-ID: <>
From: Barry Leiba <>
To: Mark Mcgloin <>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: oauth WG <>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Jan 2012 20:41:19 -0000

> I have asked you to clearly describe the threat, not the mitigation.
> It obviously was either not clear or convincing the first time and I am not
> going to start digging through emails when you clearly understand it.

To try to shortcut this:
Mike did lay it out clearly, I think, in his first note (which I
linked at the beginning of this thread), and that should be the only
one that needs to be read to understand his point.  The basic point is
that the OAuth framework relies on both the end user and the
authorization server being able to trust the user's UA.  If that winds
up being a compromised browser or a native application that the user
perhaps unwisely installed, all the security in the framework goes out
the window, because an untrustworthy UA can fiddle with pretty much

Mike's note said much more than that, but I think I've encapsulated
things in an oversimplified version above.  I agree that this is
something that needs to be made very clear... and that I don't see any
way to mitigate it -- it's basically an aspect of what we're working
with here.

I don't think this is a difficult issue to document, and perhaps two
paragraphs should be enough to do it.  Identifying the right place and
the right two paragraphs should be something that a combination of
Mike and the documnet editors can do, if you can do it without getting
on each others' nerves.  :-)