IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

Barry Leiba <barryleiba@computer.org> Mon, 15 August 2011 15:05 UTC

Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98ABD21F8C35 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 08:05:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.041
X-Spam-Level:
X-Spam-Status: No, score=-103.041 tagged_above=-999 required=5 tests=[AWL=-0.064, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gA-8RRp7gBv8 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 08:05:59 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0657521F8C31 for <oauth@ietf.org>; Mon, 15 Aug 2011 08:05:58 -0700 (PDT)
Received: by yie12 with SMTP id 12so3667969yie.31 for <oauth@ietf.org>; Mon, 15 Aug 2011 08:06:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=GIH438fvFR7k970bHg5nz8i01f+u9K9dg9wh6MxF1PQ=; b=i0+TjRzVBQWiaHKznPanWeMlQy3dIGRJrfps3OjRdl/79QqzU1EcQVx/RmAJ+erToj 3AEwKFX++Y2NhzreAreKgt+LA+kdCku8kkWR/PL6JRJNL1q46nHzpVfe5PJZWMjyk3y1 ZGnTLjVMMO7q0DIowXhNsSUlq3naodnW/t5ho=
MIME-Version: 1.0
Received: by 10.236.115.73 with SMTP id d49mr12429228yhh.245.1313420804553; Mon, 15 Aug 2011 08:06:44 -0700 (PDT)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.147.181.13 with HTTP; Mon, 15 Aug 2011 08:06:44 -0700 (PDT)
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com>
References: <4E46207A.6080404@lodderstedt.net> <CA6BD89B.17E85%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com>
Date: Mon, 15 Aug 2011 11:06:44 -0400
X-Google-Sender-Auth: fTuIEZV67rrAO55rkhZXjX8Owqo
Message-ID: <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "eran@sled.com" <eran@sled.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 15:05:59 -0000

On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our developers have been through this and agreed
> upon the text that was generated. They find the text in the current draft
> unacceptable and confusing and think that new text is acceptable.

I have to agree with what Tony says above.  The text proposed in his
message was agreed upon by several WG participants, and unless there's
some significant objection to it I think we should use it in the -21
version, subject to final WG review.

Barry, as chair

v2.23.0 | Report a Bug | By Email