Re: [OAUTH-WG] problem statement

Michael Thomas <mike@mtcc.com> Wed, 07 September 2011 00:00 UTC

Message-ID: <4E66B47C.2020909@mtcc.com>
Date: Tue, 06 Sep 2011 17:02:04 -0700
From: Michael Thomas <mike@mtcc.com>
To: Melinda Shore <melinda.shore@gmail.com>
In-Reply-To: <4E669D3C.5000900@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] problem statement

On 09/06/2011 03:22 PM, Melinda Shore wrote:
> On 09/06/2011 12:59 PM, John Kemp wrote:
>> The point is that you have a point.
>
> He does, and that's in some large part why I don't
> fully understand the temperature of the responses.
> I do not think it's a particularly big deal to stick
> a couple of sentences in the security considerations
> underscoring the fact that OAUTH can't do anything
> about a compromised host or a malicious application.
> I've learned to live with the fact that sometimes
> people implementing or deploying security technologies
> don't fully understand them and it's my impression that
> there's some number of people out there who think that
> OAUTH and other third-party protocols provide sufficient
> protection against password snagging.

The thing that was baffling to me is that there is no mention
at all about the assumptions anywhere I could find. I knew of
the "trusted" web browser assumption because it appears that
oauth predates the widespread phenomenon of phone apps, and
I kind of understood where oauth was coming from. So to *not*
have that assumption discussed or even listed as an assumption
is very surprising -- does this play well in the scenario I outlined
or not? As it turns out, not. Barry thought this was "obvious",
but it wasn't obvious to me. I suspect that this will come as
quite a surprise to the uninitiated who would roll this out to
the masses. It's not even clear to me that Twitter or Facebook
even realize that this attack exists. Or are they cool with the fact
that anybody with an app and a webview can ship their credentials
to Romania? My guess is that it's pretty uncool.

So no, I don't get all of the hostility either.

Mike