Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

Michael Thomas <mike@mtcc.com> Tue, 24 April 2012 15:05 UTC

Message-ID: <4F96C148.6010408@mtcc.com>
Date: Tue, 24 Apr 2012 08:05:44 -0700
From: Michael Thomas <mike@mtcc.com>
To: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
In-Reply-To: <OF827108F6.2A40EB27-ON802579EA.004D6EF2-802579EA.004DDCE8@ie.ibm.com>
Cc: Barry Leiba <barryleiba@computer.org>, "oauth@ietf.org" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel

On 04/24/2012 07:10 AM, Mark Mcgloin wrote:
> Michael Thomas <mike@mtcc.com> wrote on 24/04/2012 14:24:47:
>
>> The more I read this draft, the more borked I think its base assumptions
>> are. The client *is* one of the main threats. Full stop. A threat document
>> should not be asking the adversary to play nice. Yet, 4.1.4 bullets 1 and
>> 3 are doing exactly that again. If those are countermeasures, then so is
>> visualizing world peace.
>>
> Irrelevant - we are only discussing bullet 2

Barry: to the extent that your shepherd's review was to take into
account my last call comments, which went unanswered, this was
part of my last call comments and obviously hasn't been accounted
for. Removing useless countermeasures from this document was part
of what I asked for, and I still ask for it.

I remain very disturbed by the prickliness about adding text that points
out the shortcomings of oauth in embedded/app environments or
removing supposed mitigations that are not plausible. This is a
threat document, not a sales booster pamphlet.

Mike