Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Thu, 11 June 2015 19:10 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B4301B2D16; Thu, 11 Jun 2015 12:10:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iK1Xbfpodveb; Thu, 11 Jun 2015 12:10:19 -0700 (PDT)
Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5C421B2D08; Thu, 11 Jun 2015 12:10:19 -0700 (PDT)
Received: by igbhj9 with SMTP id hj9so59911878igb.1; Thu, 11 Jun 2015 12:10:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=lzvkcE/paqSvD6JdlFK2Qq9njuNTYjzEj/1Yo6z0vok=; b=D97+pwa5zqMZ2UN+sog2b518HbdjldfhAXCoxn0xQAllfFTPeN277/FWs7VK4vz2c5 cUX0ubV1VAj4+BM3F/DzgxL9qP3WNHYoAglqgkZQC6m37Aei08ehrIbnyE5Wb7DGFahR snQtnP/1o50B1WW1v3leXvmeem7Mn53iS3kPr9ZiWGasNAOxm53H7Z0SxRGzHlxJa1EN 1vk4Jwyc59rqE2k7su4KGhL/qEu9teYjVF9MUApDK4IYkkDqQ6107JPbdAY6VDbeVjDp QCybIYBxH+svEKQ9o3UEr2LYByCy3RC0ZFNdrnkMdDv7MsU1sBWWBlynYV31C0QmGDqL g7Ew==
MIME-Version: 1.0
X-Received: by 10.50.7.68 with SMTP id h4mr15095142iga.40.1434049818328; Thu, 11 Jun 2015 12:10:18 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.107.16.222 with HTTP; Thu, 11 Jun 2015 12:10:18 -0700 (PDT)
In-Reply-To: <CALaySJJKwOVAWHry41khzNg6fDpkW6No2QQsz5PG6amvnNHSaQ@mail.gmail.com>
References: <20150611184955.1618.38149.idtracker@ietfa.amsl.com> <5579DB31.30807@gmx.net> <CALaySJJKwOVAWHry41khzNg6fDpkW6No2QQsz5PG6amvnNHSaQ@mail.gmail.com>
Date: Thu, 11 Jun 2015 20:10:18 +0100
X-Google-Sender-Auth: hzpDUKAVcUq61uhLXgGm6FKbij4
Message-ID: <CALaySJKQYkVjZPDr=4n-+JPdfH2o1DrHRP9c_kLAuJXLLW_ptA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/obMcpNdzKRcsKgaQJyNSbwTIUs4>
Cc: draft-ietf-oauth-spop@ietf.org, oauth WG <oauth@ietf.org>, draft-ietf-oauth-spop.shepherd@ietf.org, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-spop.ad@ietf.org
Subject: Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2015 19:10:20 -0000

> Hi, Hannes, and thanks for clearing this bit up.
>
>>>    4) The attacker (via the installed app) is able to observe responses
>>>       from the authorization endpoint.  As a more sophisticated attack
>>>       scenario the attacker is also able to observe requests (in
>>>       addition to responses) to the authorization endpoint.
> ..
>> In this model the adversary will see response messages. However, it is
>> possible for an attacker to also compromise the smart phone OS in such a
>> way that he/she is also able to see the request as well as the
>> responses. In such a "more sophisticated attack" the proposed mechanism
>> does not help.
>
> Ah, got it.  Then it would be good for (4) to say that, maybe just by
> adding to the end, "This mechanism does not protect again the more
> sophisticated attack."  Sound OK?

That should be "against", of course, not "again".  I hate tupos.

Barry