Re: [OAUTH-WG] Auth Code Swap Attack

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 15 August 2011 15:10 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Barry Leiba <barryleiba@computer.org>, Anthony Nadalin <tonynad@microsoft.com>
Date: Mon, 15 Aug 2011 08:10:11 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234502498CE4A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <4E46207A.6080404@lodderstedt.net> <CA6BD89B.17E85%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com> <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com>
In-Reply-To: <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

Please go back to the beginning of the thread where I expressed (not as editor) my "significant objection" and listed actual problems with the proposed text, as well as the entire justification for making it.

In addition, my text is well within my discretion for making non-normative editorial changes.

EHL

> -----Original Message-----
> From: barryleiba.mailing.lists@gmail.com
> [mailto:barryleiba.mailing.lists@gmail.com] On Behalf Of Barry Leiba
> Sent: Monday, August 15, 2011 8:07 AM
> To: Anthony Nadalin
> Cc: Eran Hammer-Lahav; eran@sled.com; Torsten Lodderstedt; OAuth WG
> (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
> 
> On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin
> <tonynad@microsoft.com> wrote:
> > That's nice, four people come up with text and you decide to use your text.
> > Making state optional does nothing to fix the protocol issue, people
> > will get this wrong and have. Our developers have been through this
> > and agreed upon the text that was generated. They find the text in the
> > current draft unacceptable and confusing and think that new text is
> > acceptable.
> 
> I have to agree with what Tony says above.  The text proposed in his
> message was agreed upon by several WG participants, and unless there's
> some significant objection to it I think we should use it in the -21 version,
> subject to final WG review.
> 
> Barry, as chair
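The protocol point underneath this exchange is the client's handling of the `state` parameter: the mitigation works only if the client binds each authorization request to the user agent's session and refuses any callback whose state was not issued to that session. The following is an added illustration of that client-side check, written for this page and not code from the thread, the WG draft or any participant; the Session class, the URLs and the code values are constructed stand-ins.

```python
"""Client-side handling of the OAuth 2.0 `state` parameter (added example).

Constructed stand-ins: the Session class, the URLs and the code values are
assumptions for illustration, not identifiers from the thread or the draft.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Session:
    """Server-side state for one user agent (constructed stand-in for a real session store)."""
    pending_states: dict = field(default_factory=dict)  # state value -> redirect_uri it was issued for


def begin_authorization(session, authorize_endpoint, client_id, redirect_uri):
    """Build the authorization request URL with a fresh, session-bound state value."""
    state = secrets.token_urlsafe(32)          # unguessable; 256 bits of randomness
    session.pending_states[state] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback's state was issued to THIS session.

    A code that arrives without a state matching a pending request of this session
    is dropped before any token exchange happens. The state is consumed on first
    use, so a replayed callback is rejected as well.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or code is None:
        return None
    matched = None
    for pending in list(session.pending_states):
        # constant-time comparison; encode because compare_digest needs ASCII str or bytes
        if hmac.compare_digest(pending.encode(), state.encode()):
            matched = pending
    if matched is None:
        return None
    del session.pending_states[matched]
    return code


def run_scenarios():
    """Exercise the check: legitimate callback, replay, foreign state, and missing state."""
    authorize = "https://as.example/authorize"      # constructed
    redirect = "https://client.example/cb"          # constructed
    victim = Session()
    url = begin_authorization(victim, authorize, "client-123", redirect)
    state = parse_qs(urlparse(url).query)["state"][0]

    legit = handle_callback(victim, f"{redirect}?code=code-for-victim&state={state}")
    replay = handle_callback(victim, f"{redirect}?code=code-for-victim&state={state}")

    # A callback whose state belongs to a different user agent's session: the code it
    # carries must not be bound to this session's user.
    other = Session()
    other_url = begin_authorization(other, authorize, "client-123", redirect)
    other_state = parse_qs(urlparse(other_url).query)["state"][0]
    foreign = handle_callback(victim, f"{redirect}?code=code-for-other&state={other_state}")

    missing = handle_callback(victim, f"{redirect}?code=code-for-other")
    return {"legit": legit, "replay": replay, "foreign": foreign, "missing": missing}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'accepted ' + result if result else 'rejected'}")
```

Only the first scenario yields a code; the replay, the callback carrying another session's state, and the callback with no state at all are all refused before the client would contact the token endpoint. Making the parameter optional, the point Tony raises above, leaves a client free to skip exactly this check.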