Re: [OAUTH-WG] Auth Code Swap Attack
"William J. Mills" <wmills@yahoo-inc.com> Mon, 15 August 2011 17:06 UTC
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EC2221F8C96 for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 10:06:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.2
X-Spam-Level:
X-Spam-Status: No, score=-17.2 tagged_above=-999 required=5 tests=[AWL=0.398, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cIkH9U6PZRqx for <oauth@ietfa.amsl.com>; Mon, 15 Aug 2011 10:06:51 -0700 (PDT)
Received: from nm3-vm0.bullet.mail.bf1.yahoo.com (nm3-vm0.bullet.mail.bf1.yahoo.com [98.139.212.154]) by ietfa.amsl.com (Postfix) with SMTP id 50DA521F8C90 for <oauth@ietf.org>; Mon, 15 Aug 2011 10:06:51 -0700 (PDT)
Received: from [98.139.212.145] by nm3.bullet.mail.bf1.yahoo.com with NNFMP; 15 Aug 2011 17:07:30 -0000
Received: from [98.139.212.244] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 15 Aug 2011 17:07:30 -0000
Received: from [127.0.0.1] by omp1053.mail.bf1.yahoo.com with NNFMP; 15 Aug 2011 17:07:30 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 550475.55893.bm@omp1053.mail.bf1.yahoo.com
Received: (qmail 87098 invoked by uid 60001); 15 Aug 2011 17:07:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1313428050; bh=Qb2saCMiziqseBmmMydXSq5+mz3W4+t0SfZ8DA6fuBs=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=WW/9rqTmtZG895htcMWFp1+CJ26YdnFwhkkYbdpdx20VrVAuCBOaUcc8L9dyQ1gc6LSKsAcklp2jocCNIERhbRh60BJZ9t2dx3Li2b0YqWLS0L63atVA7FN+JuadYjkiLsi1a/r2pc9X1onzrtSafpYEH0uXX/XNgGKjlaq9GIo=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=QDbNq+X+qIedQUZIzAafEHC24i0hURVxufFRuqDSoj1QimzYQIw0RNEwJJJ5+SIFZSA3bCAO5nbUTxOhXN9EIdWj2YLU+XVVqC4VjbyWOT67w5hHa+p6p5SWyhkxDe7BZTJl3x8LqNbC+CCcYJPporw40VMw1qRYLJv/X3cHjUs=;
X-YMail-OSG: g7vZnygVM1mxbTdDOejOXWqRS6AtOQ2z7m4X9farIX.O6XT uAa5lom7K8VLPe596qxSrgXStcwSKjfSgP_mVrMvswyYh4e_Dtjfq8uRIQiP T47TVzIg9bBTnGnp64ORgGNmnY8AqfjWtReA6tpI5eaiW2YW5BA0tM1KV5no TROJ45Hdj04RTnZs33t2pi3vYkA6LEcJHBjHhNIKyvlEVhzE5TX1Jr2UEMjs .a3FkKSk2z28lift_84X5j3we44nrjHpyNqfOAYgLblQYohXhEwjHRNzbt5J BpTqwfnfqp1dE7m9JkvvqAb.c7dXjOa25NOC0Tre8lQCkPCBFW7Tfs45amvB 8n2Jq8cjloFT9V.zrWbg1OWyntKIWIQsUv9lpX2O.7w12sS5F1lnwtFxexCC .z9Ah_uZUlj3ehC4FU18-
Received: from [99.31.212.42] by web31811.mail.mud.yahoo.com via HTTP; Mon, 15 Aug 2011 10:07:29 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.113.315625
References: <4E46207A.6080404@lodderstedt.net> <CA6BD89B.17E85%eran@hueniverse.com> <90C41DD21FB7C64BB94121FBBC2E7234502498CDDB@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E723BB563D@SN2PRD0302MB137.namprd03.prod.outlook.com> <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com>
Message-ID: <1313428049.81355.YahooMailNeo@web31811.mail.mud.yahoo.com>
Date: Mon, 15 Aug 2011 10:07:29 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Barry Leiba <barryleiba@computer.org>, Anthony Nadalin <tonynad@microsoft.com>
In-Reply-To: <CAC4RtVACp8+YD2j3xf7ZCpbS=pt3WE1-U4w-17xFiqFZ3ovYHA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-995464739-1313428049=:81355"
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>, "eran@sled.com" <eran@sled.com>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 17:06:52 -0000
I'm a -1 on both of these until I re-read the attack description and really parse this again. Perhaps I'm being confused by the usage of "client" here. My initial reaction is that any time we are relying on the client to protect itself from CSRF it is a mistake. I do think that CSRF protection is REQUIRED, the remaining question is whether it's reasonable to force folks to use the state parameter. My gut says it's not unreasonable to force this simple model. I also don't particularly like either CSRF description used. As I've said before I think there are better discussions of it out there. More later when I have more time to think on this. -bill ________________________________ From: Barry Leiba <barryleiba@computer.org> To: Anthony Nadalin <tonynad@microsoft.com> Cc: "eran@sled.com" <eran@sled.com>; "OAuth WG (oauth@ietf.org)" <oauth@ietf.org> Sent: Monday, August 15, 2011 8:06 AM Subject: Re: [OAUTH-WG] Auth Code Swap Attack On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin <tonynad@microsoft.com> wrote: > That's nice, four people come up with text and you decide to use your text. > Making state optional does nothing to fix the protocol issue, people will get > this wrong and have. Our developers have been through this and agreed > upon the text that was generated. They find the text in the current draft > unacceptable and confusing and think that new text is acceptable. I have to agree with what Tony says above. The text proposed in his message was agreed upon by several WG participants, and unless there's some significant objection to it I think we should use it in the -21 version, subject to final WG review. Barry, as chair _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Torsten Lodderstedt
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack William J. Mills
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack William J. Mills
- Re: [OAUTH-WG] Auth Code Swap Attack Phillip Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack John Kemp
- Re: [OAUTH-WG] Auth Code Swap Attack John Kemp
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin
- Re: [OAUTH-WG] Auth Code Swap Attack Barry Leiba
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Barry Leiba
- Re: [OAUTH-WG] Auth Code Swap Attack John Kemp
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Barry Leiba
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Blaine Cook
- Re: [OAUTH-WG] Auth Code Swap Attack William J. Mills
- Re: [OAUTH-WG] Auth Code Swap Attack William J. Mills
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Torsten Lodderstedt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack David Recordon
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Torsten Lodderstedt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Barry Leiba
- Re: [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Phil Hunt
- Re: [OAUTH-WG] Auth Code Swap Attack Eran Hammer-Lahav
- Re: [OAUTH-WG] Auth Code Swap Attack Anthony Nadalin