Re: [OAUTH-WG] Auth Code Swap Attack

Barry Leiba <barryleiba@computer.org> Mon, 15 August 2011 15:24 UTC

From: Barry Leiba <barryleiba@computer.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>

> I'll ask the chairs to open an issue for this.

The chairs consider themselves asked, and have opened a ticket:
http://trac.tools.ietf.org/wg/oauth/trac/ticket/23

> My proposed text requires CSRF protection without adding additional requirements,
> and therefore, is within the scope of my editorial discretion. IOW, my text is
> already well within working group consensus. Your text has not established
> consensus, and I have listed actual issues with the proposed text which none
> of the authors have addressed so far.

This chair disagrees with the editorial prerogative at this point.  I
have not discussed this with my co-chairs, and perhaps they don't
agree with me.

I agree with Eran that the issue isn't settled -- that the
Tony/Yaron/Torsten/Phil text, and the normative change it proposes,
does not yet have WG consensus.  And I note Eran's objection and the
reasons for it, and I agree that it needs more discussion.

But I believe the T/Y/T/P proposal has enough backing that it's the
one that should be floated in the next version of the document right
now.  That by no means makes it final, and the chairs will track the
discussion and make a proper consensus judgment at the appropriate
time.

I also think it's perfectly acceptable for the editor to put both
versions of the text in, with a note that the WG must choose which way
to go.  Eran, is that a path you can tolerate?

Barry, as chair