Re: [OAUTH-WG] Auth Code Swap Attack

Barry Leiba <> Mon, 15 August 2011 15:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2031B21F8C1E for <>; Mon, 15 Aug 2011 08:24:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.04
X-Spam-Status: No, score=-103.04 tagged_above=-999 required=5 tests=[AWL=-0.063, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fSK8WrL6SdlZ for <>; Mon, 15 Aug 2011 08:24:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 70E7421F8BEF for <>; Mon, 15 Aug 2011 08:24:44 -0700 (PDT)
Received: by yie12 with SMTP id 12so3680580yie.31 for <>; Mon, 15 Aug 2011 08:25:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=7wZCBr/X6/MQa6wzr9AwTXRkerUdTriCKEjavtbvbUE=; b=SrvhWQkjaoayTKuu02ite42Xr3Xbbxg1WtGWUHh0AmnDPs1t9VZEzQOQY5l4OP8tjP CsAYntAB3r65jmVKYlHFSKhzxkPr9x0BKKQWCFEoCLjJtYRq0XtQh6GiZdieaw6MPgHz d2MX9DlptLGEiE5eqnCQdD57Bpvrm9kJ2nl00=
MIME-Version: 1.0
Received: by with SMTP id o66mr12065775yhj.211.1313421923852; Mon, 15 Aug 2011 08:25:23 -0700 (PDT)
Received: by with HTTP; Mon, 15 Aug 2011 08:25:22 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234502498CE4A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CE4A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Mon, 15 Aug 2011 11:25:22 -0400
X-Google-Sender-Auth: 3dcHAvFoqx8B9tyNZrg2PWrJ_7o
Message-ID: <>
From: Barry Leiba <>
To: Eran Hammer-Lahav <>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Aug 2011 15:24:45 -0000

> I'll ask the chairs to open an issue for this.

The chairs consider themselves asked, and have opened a ticket:

> My proposed requires CSRF protected without adding additional requirements,
> and therefore, is within the scope of my editorial discretion. IOW, my text is
> already well-within working group consensus. Your text has not established
> consensus, and I have listed actual issues with the proposed text which none
> of the authors have addressed so far.

This chair disagrees with the editorial prerogative at this point.  I
have not discussed this with my co-chairs, and perhaps they don't
agree with me.

I agree with Eran that the issue isn't settled -- that the
Tony/Yaron/Torsten/Phil text, and the normative change it proposes,
does not yet have WG consensus.  And I note Eran's objection and the
reasons for it, and I agree that it needs more discussion.

But I believe the T/Y/T/P proposal has enough backing that it's the
one that should be floated in the next version of the document right
now.  That by no means makes it final, and the chairs will track the
discussion and make a proper consensus judgment at the appropriate

I also think it's perfectly acceptable for the editor to put both
versions of the text in, with a note that the WG must choose which way
to go.  Eran, is that a path you can tolerate?

Barry, as chair