Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Phil Hunt <phil.hunt@oracle.com> Tue, 24 April 2012 14:58 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 073CD21F87FB; Tue, 24 Apr 2012 07:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.502
X-Spam-Level:
X-Spam-Status: No, score=-9.502 tagged_above=-999 required=5 tests=[AWL=-0.299, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yr3cj-iDM8SR; Tue, 24 Apr 2012 07:58:01 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 796C821F87E0; Tue, 24 Apr 2012 07:58:01 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q3OEvqol014343 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 24 Apr 2012 14:57:53 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q3OEvp51014138 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 24 Apr 2012 14:57:52 GMT
Received: from abhmt102.oracle.com (abhmt102.oracle.com [141.146.116.54]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q3OEvpHh001207; Tue, 24 Apr 2012 09:57:51 -0500
Received: from [192.168.1.125] (/24.85.226.208) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 24 Apr 2012 07:57:51 -0700
References: <CALaySJLy6jpuPqxQXfKfpx0TpcK1gav1NtcTOoh+NOr11JSCbw@mail.gmail.com> <4F8DE789.4030704@mtcc.com> <CALaySJK1ej_HkP5Jz26XT-KjULirD2iFfVOpRkHgPZp-CbJCrg@mail.gmail.com> <4F957EA7.3060004@mtcc.com> <OF3ECF645E.478720A4-ON802579EA.002D0B13-802579EA.002D8D07@ie.ibm.com> <4F96A99F.7010303@mtcc.com>
In-Reply-To: <4F96A99F.7010303@mtcc.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <85556C53-99DD-47A2-A0D5-2F86DD2B668F@oracle.com>
X-Mailer: iPhone Mail (9B179)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 24 Apr 2012 07:58:53 -0700
To: Michael Thomas <mike@mtcc.com>
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 14:58:02 -0000

Are we at this stage re-opening the entire document? I thought we were responding only to specific shepherd text edits. 

Phil

On 2012-04-24, at 6:24, Michael Thomas <mike@mtcc.com> wrote:

> On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
>> Hi Thomas
>> 
>> Your additional text is already covered in a countermeasure for section
>> 4.1.4.  In addition, section 4.1.4.4 states the assumption that the auth
>> server can't protect against a user installing a malicious client
>> 
> 
> The more I read this draft, the more borked I think its base assumptions
> are. The client *is* one of the main threats. Full stop. A threat document
> should not be asking the adversary to play nice. Yet, 4.1.4 bullets 1 and
> 3 are doing exactly that again. If those are countermeasures, then so is
> visualizing world peace.
> 
> As for bullet two, it doesn't mention revocation, and I prefer Barry's
> section generally. I can't find a section 4.1.4.4
> 
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth