Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 23 May 2017 09:06 UTC

From: Alexey Melnikov <aamelnikov@fastmail.fm>
In-Reply-To: <CAAP42hAcc5qGCxMC-Qj=G5BKQ9kRv9N6_pdtjH8mxUCcFCD_8g@mail.gmail.com>
Date: Tue, 23 May 2017 10:24:12 +0100
Cc: Adam Roach <adam@nostrum.com>, draft-ietf-oauth-native-apps@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org
Message-Id: <1D2FDD6E-3DA0-4E7C-BBF3-1A6146F7889B@fastmail.fm>
References: <149548482877.9096.13896958451655712801.idtracker@ietfa.amsl.com> <CAAP42hAcc5qGCxMC-Qj=G5BKQ9kRv9N6_pdtjH8mxUCcFCD_8g@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uBzRnCwwTKyPgOyy3onsjiLuIpY>
Subject: Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-native-apps-11: (with COMMENT)

Hi William,

On 22 May 2017, at 23:14, William Denniss <wdenniss@google.com> wrote:

>> Section 8.1 makes the statement that "Loopback IP based redirect URIs may
>> be susceptible to interception by other apps listening on the same
>> loopback interface." That's not how TCP listener sockets work: for any
>> given IP address, they guarantee single-process access to a port at any
>> one time. (Exceptions would include processes with root access, but an
>> attacking process with that level of access is going to be impossible to
>> defend against). While mostly harmless, the statement appears to be false
>> on its face, and should be removed or clarified.
> 
> Will be removed in the next update. Thank you.

Actually, I disagree with Adam on this, because what he says is OS-specific. So I think the text is valuable and should stay.
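An added example, not part of this thread or of the draft, that probes the behaviour the two positions above disagree about: it opens a loopback redirect listener the way a native app would (127.0.0.1, ephemeral port, exclusive bind where the OS offers it) and then checks whether a second local socket can bind the same port, with and without SO_REUSEADDR. The function and dictionary key names are the example's own; the interesting column is `reuseaddr`, since on Windows a plain listener can be re-bound by a SO_REUSEADDR socket unless it was opened with SO_EXCLUSIVEADDRUSE, while Linux refuses either way once the first socket is listening.

```python
"""Probe whether another local process can bind an OAuth native app's
loopback redirect port. Added example; names are the example's own."""
import socket
import sys


def open_loopback_listener(port: int = 0, exclusive: bool = True) -> socket.socket:
    """Bind the redirect listener defensively: 127.0.0.1 only, an ephemeral
    port (port 0), no SO_REUSEADDR, and SO_EXCLUSIVEADDRUSE where the OS has
    it (Windows), so a later SO_REUSEADDR bind from another process fails."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def second_bind_succeeds(port: int, host: str = "127.0.0.1", reuse: bool = False) -> bool:
    """Simulate a second local process trying to listen on the same port.
    Returns True if the OS let it bind (i.e. the redirect could be taken over)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(1)
        return True
    except OSError:  # EADDRINUSE on every platform where the bind is refused
        return False
    finally:
        s.close()


def probe() -> dict:
    """Run the three contention cases against a live listener and report them."""
    listener = open_loopback_listener()
    port = listener.getsockname()[1]
    try:
        return {
            "port": port,
            "plain": second_bind_succeeds(port),
            "reuseaddr": second_bind_succeeds(port, reuse=True),
            "wildcard": second_bind_succeeds(port, host="0.0.0.0"),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(sys.platform, probe())
```

Running it on several operating systems shows why the answer is platform-dependent rather than a property of TCP itself.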