Re: [OAUTH-WG] problem statement

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 07 September 2011 17:15 UTC

Message-ID: <4E67A710.9070505@alcatel-lucent.com>
Date: Wed, 07 Sep 2011 13:17:04 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: oauth@ietf.org
In-Reply-To: <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com>
Subject: Re: [OAUTH-WG] problem statement

+300 (if I can do that) to indicate my strong agreement.  But if somehow 
it is decided to add a few sentences on saying that OAuth cannot deal 
with key-logging, I will insist on adding two sentences each on OAuth 
being unable to deal with 1) earthquakes, 2) certain contagious 
diseases, etc., and I will invite others to complete that list. And 
encouraged by the precedent, I will require similar changes to TLS as 
well as the whole list of password-authenticated key exchange protocols.

Melinda, in my reading the "temperature of the responses" is explained 
by a huge amount of work achieved by this group, which involved many, 
many real protocol issues on which it was hard to build the consensus. 
Now that the consensus has been pretty much achieved, it is important to 
complete OAuth 2.0, which means concentrating on real outstanding 
issues--Barry has dutifully documented and enumerated them.  I myself 
got beaten up unjustly for pushing the use cases, but in order to 
complete the protocol, I accepted the beating and agreed to wait until 
the next rechartering.  This is a matter of priorities. My opinion is 
that we just cannot go off on a tangent to deal with something that is 
not OAuth's concern.  Because, if we do, someone will bring the 
earthquakes, too.

Igor



On 9/6/2011 6:27 PM, Eran Hammer-Lahav wrote:
> It is a problem. For a few months now we have been going through this over and over again. The longer we work on this draft the more of this two-sentence changes people suggest. They don't make the document any better, create a false sense of comprehensiveness, and just further delay being done.
>
> So yeah, unless you can prove that there is an actual problem, we are done.
>
> EHL
>
> On Sep 6, 2011, at 15:22, "Melinda Shore"<melinda.shore@gmail.com>  wrote:
>
>> On 09/06/2011 12:59 PM, John Kemp wrote:
>>> The point is that you have a point.
>> He does, and that's in some large part why I don't
>> fully understand the temperature of the responses.
>> I do not think it's a particularly big deal to stick
>> a couple of sentences in the security considerations
>> underscoring the fact that OAUTH can't do anything
>> about a compromised host or a malicious application.
>> I've learned to live with the fact that sometimes
>> people implementing or deploying security technologies
>> don't fully understand them and it's my impression that
>> there's some number of people out there who think that
>> OAUTH and other third-party protocols provide sufficient
>> protection against password snagging.
>>
>> Melinda
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth