Re: [OAUTH-WG] Auth Code Swap Attack

Eran Hammer-Lahav <> Mon, 15 August 2011 15:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1C35B21F8BBA for <>; Mon, 15 Aug 2011 08:53:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.56
X-Spam-Status: No, score=-2.56 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6IBkcdphdVW3 for <>; Mon, 15 Aug 2011 08:53:18 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 799A121F8BA0 for <>; Mon, 15 Aug 2011 08:53:18 -0700 (PDT)
Received: (qmail 20734 invoked from network); 15 Aug 2011 15:54:03 -0000
Received: from unknown (HELO ( by with SMTP; 15 Aug 2011 15:54:01 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([]) with mapi; Mon, 15 Aug 2011 08:53:52 -0700
From: Eran Hammer-Lahav <>
To: Barry Leiba <>
Date: Mon, 15 Aug 2011 08:52:33 -0700
Thread-Topic: [OAUTH-WG] Auth Code Swap Attack
Thread-Index: AcxbX5tsYmpwsjEkSd+c07Pecx0gMQAACskA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234502498CE6B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CE4A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Aug 2011 15:53:19 -0000

> -----Original Message-----
> From:
> [] On Behalf Of Barry Leiba
> Sent: Monday, August 15, 2011 8:25 AM
> To: Eran Hammer-Lahav
> Cc: Anthony Nadalin; OAuth WG (
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
> > I'll ask the chairs to open an issue for this.
> The chairs consider themselves asked, and have opened a ticket:
> > My proposed requires CSRF protected without adding additional
> > requirements, and therefore, is within the scope of my editorial
> > discretion. IOW, my text is already well-within working group
> > consensus. Your text has not established consensus, and I have listed
> > actual issues with the proposed text which none of the authors have
> addressed so far.
> This chair disagrees with the editorial prerogative at this point.  I have not
> discussed this with my co-chairs, and perhaps they don't agree with me.

What does "at this point" mean?

This is how this working group has operated for 20 revisions. Does "at this point" references the late stage of the specification and closing of WGLC? If so, then your support for making such a significant normative change is puzzling. Seems like *not* making this change first and discussing later is the appropriate action "at this point".

I would suggest you compare the two texts side by side to see that the only real difference is the use of MUST vs. RECOMMENDED. I didn't just make stuff up. "My" text is just an editorial cleanup with exclusion of the new MUST. And this new MUST is clearly against past established consensus since version -00 (!) of this document and even earlier in its wrap_client_state form in WRAP. It is even a noticeable departure from the authors' own original security consideration text submitted before.

> I agree with Eran that the issue isn't settled -- that the
> Tony/Yaron/Torsten/Phil text, and the normative change it proposes, does
> not yet have WG consensus.  And I note Eran's objection and the reasons for
> it, and I agree that it needs more discussion.
> But I believe the T/Y/T/P proposal has enough backing that it's the one that
> should be floated in the next version of the document right now.  That by no
> means makes it final, and the chairs will track the discussion and make a
> proper consensus judgment at the appropriate time.
> I also think it's perfectly acceptable for the editor to put both versions of the
> text in, with a note that the WG must choose which way to go.  Eran, is that a
> path you can tolerate?

I do not plan to publish another draft until this issue is closed and resolved. I plan to seek WG consensus to every change made to -21 prior to publication to reduce the need for another WG draft. This is why I am informing the list with every change I make on my local copy so that people can raise their concerns or objections.

Of course, like any WG document, -21 will be subject to review, but there is a difference between publishing a document known to include issues to one that can be safely considered stable.

Ignoring Mr. Nadalin unproductive tone, this is exactly what has happened here. Text was proposed, issues raised, an alternative was proposed, and I informed the list of my intention of using the edited text. Mr. Nadalin then raised his disagreement with the proposed edit. Fine. Now we wait for more participants to express their views.