Re: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland
Eran Hammer-Lahav <eran@hueniverse.com> Fri, 12 August 2011 06:16 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5668E11E807F for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 23:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSdK8bj006sY for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2011 23:16:31 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 4285021F8779 for <oauth@ietf.org>; Thu, 11 Aug 2011 23:16:31 -0700 (PDT)
Received: (qmail 22815 invoked from network); 12 Aug 2011 06:17:00 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 12 Aug 2011 06:17:00 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Thu, 11 Aug 2011 23:17:00 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 11 Aug 2011 23:16:53 -0700
Thread-Topic: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland
Thread-Index: AcxYt3HaNTRQrFu8TyOvn60KFmOGJA==
Message-ID: <CA6A0BC1.17D3F%eran@hueniverse.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739434A80B587@TK5EX14MBXC201.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.12.0.110505
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CA6A0BC117D3Feranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2011 06:16:32 -0000
The following comments require a proposed text. Without it, they will not be included in my next editorial revision. I will respond or incorporate the rest of the comments after the close of LC. Others are welcomed and encouraged to discuss this (very useful and thorough) list before LC ends. EHL From: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> Date: Wed, 10 Aug 2011 14:38:40 -0700 To: "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland 1.4.1. Authorization Code: Comment: “It seems odd that we can discuss the authorization code without also discussing the security issues it raises (e.g. passing secure information via a browser) and thus motivating the introduction of the refresh token. I would expect this to be referred to here. Having read the security considerations section I can find no coherent discussion there either of the relationship between the authorization code and the refresh token and why one motivated the other. I think this is something important for implementers to understand.” 1.4.2. Implicit: Comment: “I find this section confusing. I think an example is all but mandatory here if the reader is to understand what is intended. For example, when I first read this section I thought it was some kind of short cut used in cases where the client and authorization server had a close relationship and could share information such as the client’s identity so no access code was needed. No where in here is any hint that this is about browser based clients who don’t have servers and who need a way to get tokens. Seriously. Try to read this section as someone who knows nothing about OAuth and tell me that you get the right idea back from it. It needs to be written to be both explicit as to its goals and clearer as to its means.” 3.1.2.4. Invalid Endpoint: Comment on “open redirector”: “How many people even know what the heck an open redirector is? I think we need a section in the security considerations section that defines what an open redirector is and why it’s bad. Alternatively a normative reference to a complete definition somewhere else is also fine.” 4.1.2. Authorization Response: Comment on “state”: “Don’t we have to provide some guidance on how large the state value can safely be? Otherwise we are asking clients to rewrite their state mechanisms every time they throw in support for a new protected resource server. We have to set expectations across the industry if we are to hope for actual interoperability.” 4.2. Implicit Grant: Comment “I have run into multiple people (including myself) who have read the OAuth spec and came away completely confused about when the heck one is supposed to use the implicit grant flow for. It’s not immediately obvious that it’s a way to support standalone browser based clients. Can we put in an example or something to make it more obvious why it’s here?” 10.4. Refresh Tokens: Comment “As mentioned previously we really should explain why we introduced refresh tokens. Without understanding the intent of the mechanism it’s unlikely implementers will use them appropriately.” 10.7. Resource Owner Password Credentials: Comment on “password anti-pattern”: “Is it fair to expect that the reader knows what the password anti-pattern is? Shouldn’t some reference to a definition of this pattern be required?” 10.12. Cross-Site Request Forgery: Comment on first paragraph: “I challenge any reasonably intelligent person who does not already know what a CSRF is to read this paragraph and come away any clearer as to what is being discussed. At a minimum isn’t some reference to a complete definition of CSRF needed if there is to be any hope of user compliance?” 10.12. Cross-Site Request Forgery: Comment on “The "state" request parameter MUST contain a non-guessable value”: “Actually a non-guessable value won’t stop the attack discussed in the previous paragraph on its own. What’s also needed is a way to uniquely (and unbreakably) associate the state with a particular user so that if an authorization code swap occurs it can be reliably detected.” ________________________________
- [OAUTH-WG] Partial set of last call comments on O… Mike Jones
- Re: [OAUTH-WG] Partial set of last call comments … Eran Hammer-Lahav
- Re: [OAUTH-WG] Partial set of last call comments … Anthony Nadalin
- Re: [OAUTH-WG] Partial set of last call comments … Eran Hammer-Lahav
- Re: [OAUTH-WG] Partial set of last call comments … Anthony Nadalin
- Re: [OAUTH-WG] Partial set of last call comments … Eran Hammer-Lahav
- Re: [OAUTH-WG] Partial set of last call comments … Eran Hammer-Lahav
- Re: [OAUTH-WG] Partial set of last call comments … Lodderstedt, Torsten
- Re: [OAUTH-WG] Partial set of last call comments … Anthony Nadalin
- Re: [OAUTH-WG] Partial set of last call comments … Igor Faynberg
- Re: [OAUTH-WG] Partial set of last call comments … Eran Hammer-Lahav
- Re: [OAUTH-WG] Partial set of last call comments … Barry Leiba