IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Wed, 04 January 2012 20:34 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDB5011E80A6 for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 12:34:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7McZ3bMgRsu for <oauth@ietfa.amsl.com>; Wed, 4 Jan 2012 12:34:37 -0800 (PST)
Received: from e06smtp17.uk.ibm.com (e06smtp17.uk.ibm.com [195.75.94.113]) by ietfa.amsl.com (Postfix) with ESMTP id C76F111E80A1 for <oauth@ietf.org>; Wed, 4 Jan 2012 12:34:36 -0800 (PST)
Received: from /spool/local by e06smtp17.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <mark.mcgloin@ie.ibm.com>; Wed, 4 Jan 2012 20:34:35 -0000
Received: from d06nrmr1707.portsmouth.uk.ibm.com ([9.149.39.225]) by e06smtp17.uk.ibm.com ([192.168.101.147]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 4 Jan 2012 20:34:32 -0000
Received: from d06av06.portsmouth.uk.ibm.com (d06av06.portsmouth.uk.ibm.com [9.149.37.217]) by d06nrmr1707.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q04KYWgt1777896; Wed, 4 Jan 2012 20:34:32 GMT
Received: from d06av06.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q04KYNaj028414; Wed, 4 Jan 2012 13:34:24 -0700
Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av06.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q04KYNoJ028411; Wed, 4 Jan 2012 13:34:23 -0700
In-Reply-To: <4F04B101.3070708@mtcc.com>
References: <CALaySJKhYQQdmjvWBLS3mwzzrDt35jfDn2xZCuDOk=hpwEUiKQ@mail.gmail.com> <CAC4RtVDyiuqCGO25nZQEVxi0uchTi2gu_peh=+FwmWwZsQ=LEQ@mail.gmail.com> <CAC4RtVCvnz7n9Ei08h7QRruesJ=GeOMOOvBkNAVmcc8_gzg7QQ@mail.gmail.com> <8AB6F5CC-E9A2-4A07-9AA0-83FB7C67A221@oracle.com> <4EEA3951.5010904@mtcc.com> <OF6C9EBE7C.1B053FE3-ON80257968.003C02DF-80257968.003CAA12@ie.ibm.com> <4EEB5BDD.7080401@mtcc.com> <4F038CB9.1040403@mtcc.com> <F674B8D6-54D6-4B39-A494-9D7EB6E058D6@oracle.com> <4F0394D6.1090006@mtcc.com> <OFD88021B6.E1FD29B9-ON8025797B.004036CF-8025797B.00404EA6@ie.ibm.com> <4F04AAAE.6080702@mtcc.com> <4F04ACE4.1070006@stpeter.im> <4F04B101.3070708@mtcc.com>
X-KeepSent: 0587BA9E:B7B40207-8025797B:00702BFB; type=4; name=$KeepSent
To: Michael Thomas <mike@mtcc.com>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <OF0587BA9E.B7B40207-ON8025797B.00702BFB-8025797B.007103EA@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Wed, 04 Jan 2012 20:34:21 +0000
X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 04/01/2012 20:34:26
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
x-cbid: 12010420-0542-0000-0000-0000009284F6
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 20:34:37 -0000

Hi Michael

I have asked you to clearly describe the threat, not the mitigation.

It obviously was either not clear or convincing the first time and I am not
going to start digging through emails when you clearly understand it.


Regards
Mark

Michael Thomas <mike@mtcc.com> wrote on 04/01/2012 20:05:21:

> From:
>
> Michael Thomas <mike@mtcc.com>
>
> To:
>
> Peter Saint-Andre <stpeter@stpeter.im>
>
> Cc:
>
> Mark Mcgloin/Ireland/IBM@IBMIE, Barry Leiba
> <barryleiba@computer.org>, oauth WG <oauth@ietf.org>, "oauth-
> bounces@ietf.org" <oauth-bounces@ietf.org>
>
> Date:
>
> 04/01/2012 20:07
>
> Subject:
>
> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec
2011
>
> On 01/04/2012 11:47 AM, Peter Saint-Andre wrote:
> > I've already done that in my original last call comments. Given that
you
> > rejected my comments out of hand, it doesn't appear that it was for
> > lack of clarity.
> >
> > Mike, rather put off by the attitude of the editors in this wg
> > Mike:
> >
> > In my experience, the IETF tradition is not to passively complain, but
> > to actively contribute. Thus if I don't like the fact that there's no
> > specification for some feature or protocol I care about, it's my
> > responsibility to write an Internet-Draft to fill that gap. Similarly,
> > if I have concerns about someone else's Internet-Draft, it's incumbent
> > on me to propose new or alternative text. Sure, I could wait for the
> > authors, editors, working group chairs, or area directors to take
> > action, but you will have much greater success if you actively
contribute.
> >
>
> I am not an IETF noob. The problem here is that I DO NOT KNOW
> HOW TO MITIGATE THE THREATS I brought up as inadequately
> mitigated in the threat draft. I don't know how I can state that more
> plainly. I would *hope* that the participants of this working group who
> have been working on this for years could do a better job. But if they
> can't then the threat draft should just say that there is no known
defense
> instead of feel-good things like "educate users".
>
> And I completely disagree that this isn't "active" participation. It
> denigrates draft reviewers as being lesser participants. Nor does it
> match IETF reality: cross area reviewers typically just point out the
> problems and leave it to the working group participants to work it
> out. Same goes for an IESG DISCUSS.
>
> Mike
>

v2.15.0 | Report a Bug | By Email