Re: [OAUTH-WG] comments on draft-hammer-oauth-03

Ethan Jewett <esjewett@gmail.com> Wed, 18 November 2009 22:11 UTC

On Wed, Nov 18, 2009 at 4:32 PM, Peter Saint-Andre
>
> Again, I must be missing something. Just because I use Thunderbird or
> Pidgin or some other free software doesn't mean you can hack into my
> email or IM password. How is the case any different here?

I think in the original email "freely" was not meant in terms of free
as in beer *or* free as in speech, but rather any software distributed
in such a way that an attacker can get his/her hands on a copy of the
executable. OAuth in normal installed software must embed the client
secret into the executable, and in this case the secret is only as
secret as the executable file.

This is why OAuth providers that allow installed applications to
authenticate against them may want to just forget about the client
secret entirely.

Ethan
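As an added illustration of the point in the message above (example code written for this archive page, not part of the thread or of any OAuth library): in OAuth 1.0 HMAC-SHA1 signing the key is the consumer secret joined to the token secret, so an installed application has to carry the consumer secret, and a provider that drops that half of the key can still verify a request bound to the per-user token secret. Every name, URL and secret below is constructed.

```python
import base64
import hashlib
import hmac
import urllib.parse

def pct(value):
    # OAuth percent-encoding: only unreserved characters stay literal.
    return urllib.parse.quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & enc(url) & enc(normalized params).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # Key is enc(consumer_secret) "&" enc(token_secret); the consumer secret a
    # shipped binary carries is therefore the left half of every install's key.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret):
    # Provider side: recompute over everything except oauth_signature.
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

# Constructed sample request and secrets (not taken from the thread).
METHOD = "POST"
URL = "https://api.example.com/1/resource"
PARAMS = {
    "oauth_consumer_key": "desktop-app", "oauth_token": "user-token",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1258582279",
    "oauth_nonce": "abc123", "oauth_version": "1.0", "status": "hello world",
}
EMBEDDED_SECRET = "shipped-inside-the-exe"  # what an installed app must carry
TOKEN_SECRET = "per-user-token-secret"      # issued per user, never shipped

def demo(consumer_secret):
    # Returns (genuine request verifies?, tampered request verifies?).
    req = dict(PARAMS)
    req["oauth_signature"] = sign(METHOD, URL, req, consumer_secret, TOKEN_SECRET)
    genuine = verify(METHOD, URL, req, consumer_secret, TOKEN_SECRET)
    tampered = dict(req, status="something else")
    return genuine, verify(METHOD, URL, tampered, consumer_secret, TOKEN_SECRET)
```

Running `demo(EMBEDDED_SECRET)` and `demo("")` gives the same outcome, a genuine request accepted and a tampered one rejected, which is the property a provider keeps when it stops relying on the client secret.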