Re: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-device-flow-07

Justin Richer <jricher@mit.edu> Mon, 19 March 2018 15:19 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <109E791D-B34A-45C9-80C5-9A94B0540335@mit.edu>
Date: Mon, 19 Mar 2018 15:19:04 +0000
In-Reply-To: <CAAP42hB4-hSMKzk_5PNczX+fooRwrmHmEk7coAkgJOH=g6q3Aw@mail.gmail.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "<oauth@ietf.org>" <oauth@ietf.org>
To: William Denniss <wdenniss@google.com>
References: <151517342925.14706.13583633097065531665.idtracker@ietfa.amsl.com> <831693C2CDA2E849A7D7A712B24E257F7F91B492@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <CAGL6epKjqn_c-XZ_B=O8zbQdPpy15BS155W601ybZPU4g-j-wA@mail.gmail.com> <CAAP42hDA=w=Q9C0PQShZ=np_kAx2-8w=ALLO_V215vYEW+KKAg@mail.gmail.com> <49D385E2-0E71-4913-8012-E6F479EF318F@mit.edu> <CAAP42hB4-hSMKzk_5PNczX+fooRwrmHmEk7coAkgJOH=g6q3Aw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wqDcIDgipSIjKQbAZBmzkY4_7JA>

Something to consider in the new security text that’s just occurred to me: 

If an attacker gets their account tied to a user’s device, there’s a risk that the attacker would potentially be able to get that user’s information as input through the device. Setting aside the obvious Alexa-style panopticon boxes for a minute, just think of a set-top box that allows you to enter your credit card information through the device itself. You’d then be buying your attacker the new season of Stargate, or whatever.

 — Justin

> On Mar 19, 2018, at 12:06 PM, William Denniss <wdenniss@google.com> wrote:
> 
> The update has been posted and is now available. https://tools.ietf.org/html/draft-ietf-oauth-device-flow-08
> 
> Thanks Scott for the feedback, and Justin for reviewing!
> 
> 
> On Thu, Mar 8, 2018 at 6:19 PM Justin Richer <jricher@mit.edu> wrote:
> +1
> 
>> On Mar 5, 2018, at 10:23 PM, William Denniss <wdenniss@google.com> wrote:
>> 
>> Thanks again for the feedback Scott. I've staged an update here: https://github.com/WilliamDenniss/draft-ietf-oauth-device-flow/pull/6
>> 
>> It expands on the brute force attack section to include some detail on this attack, as it is quite unique for OAuth brute-force attacks (since the victim actually ends up with the attacker's grant on the device, instead of the other way around – not that this is totally safe of course, it's just unique).  It also adds some further discussion around what factors need to be considered by authorization servers when creating the user code format.
>> 
>> I'll post this once my co-authors have reviewed, and the submission tool re-opens.
>> 
>> 
>> On Fri, Jan 5, 2018 at 10:56 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
>> Hi Scott,
>> 
>> Sorry, I missed that last discussion that you had with William.
>> 
>> 
>> William,
>> 
>> Can you please update the document based on your last discussion with Scott?
>> I will then update the request for publication to use the new updated version.
>> 
>> Regards,
>>  Rifaat
>> 
>> 
>> 
>> On Fri, Jan 5, 2018 at 12:40 PM, Hollenbeck, Scott <shollenbeck@verisign.com> wrote:
>> > -----Original Message-----
>> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Rifaat Shekh-Yusef
>> > Sent: Friday, January 05, 2018 12:30 PM
>> > To: ekr@rtfm.com
>> > Cc: oauth@ietf.org; iesg-secretary@ietf.org; oauth-chairs@ietf.org
>> > Subject: [EXTERNAL] [OAUTH-WG] Publication has been requested for draft-
>> > ietf-oauth-device-flow-07
>> >
>> > Rifaat Shekh-Yusef has requested publication of draft-ietf-oauth-device-
>> > flow-07 as Proposed Standard on behalf of the OAUTH working group.
>> >
>> > Please verify the document's state at
>> > https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
>> 
>> The document really should be updated to reflect the last call discussions prior to requesting publication for the -07 version that needs to be updated.
>> 
>> Scott
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
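The brute-force case discussed in the thread (an attacker guessing user codes so that the victim's device ends up holding the attacker's grant) and the question of what an authorization server has to weigh when choosing a user-code format both reduce to code entropy against the attacker's achievable attempt rate. The following is an added example written for this page; it is not code from the thread, from the draft, or from any authorization server. It generates user codes from a 20-letter alphabet, bounds the probability that blind guessing over one code lifetime hits some pending code, and models a verification endpoint with a per-source attempt limit. The alphabet, code length, lifetime, limit values and the number of outstanding codes are assumptions chosen for illustration.

```python
# Added example for the user-code brute-force discussion; not code from the
# thread, the draft, or any authorization server. Alphabet, code length,
# lifetime and rate-limit values are assumptions chosen for illustration.
import math
import secrets

ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # 20 upper-case consonants, no look-alikes
CODE_LEN = 8                        # 8 chars -> 20**8 ~ 2.56e10 possible codes
CODE_LIFETIME_S = 600               # assumed expires_in for a pending code


def user_code_entropy_bits(alphabet_size=len(ALPHABET), length=CODE_LEN):
    """Bits of entropy in a uniformly random code of the given shape."""
    return length * math.log2(alphabet_size)


def generate_user_code(alphabet=ALPHABET, length=CODE_LEN):
    """Draw a code from the OS CSPRNG; the dash is inserted for display only."""
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return raw[:length // 2] + "-" + raw[length // 2:]


def normalize(code):
    """Canonical form for lookup: separators removed, upper-cased."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def brute_force_success_probability(guesses_per_s, lifetime_s,
                                    outstanding_codes, entropy_bits):
    """Upper bound on the chance that blind guessing for one code lifetime
    hits *some* pending code. A random guess succeeds if it matches any of
    the outstanding codes, so the odds scale with how many are pending."""
    attempts = guesses_per_s * lifetime_s
    return min(1.0, attempts * outstanding_codes / 2.0 ** entropy_bits)


class VerificationEndpoint:
    """Model of the AS side of the verification URI: pending user codes plus
    a per-source sliding-window attempt limit. Time is passed in explicitly
    so the behaviour is deterministic."""

    def __init__(self, max_attempts=10, window_s=60):
        self.pending = {}        # normalized code -> (client_id, expires_at)
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._attempts = {}      # source -> list of attempt timestamps

    def register(self, user_code, client_id, now, lifetime_s=CODE_LIFETIME_S):
        """Record a code handed out by the device authorization endpoint."""
        self.pending[normalize(user_code)] = (client_id, now + lifetime_s)

    def verify(self, source, submitted, now):
        """Return ("ok", client_id), ("rate_limited", None) or
        ("invalid", None). Wrong and expired codes are indistinguishable to
        the caller, and every attempt counts against the source's budget."""
        recent = [t for t in self._attempts.get(source, ())
                  if now - t < self.window_s]
        if len(recent) >= self.max_attempts:
            self._attempts[source] = recent
            return ("rate_limited", None)
        recent.append(now)
        self._attempts[source] = recent

        key = normalize(submitted)
        entry = self.pending.get(key)
        if entry is None or entry[1] <= now:
            self.pending.pop(key, None)   # drop an expired code if present
            return ("invalid", None)
        client_id, _ = entry
        del self.pending[key]             # single use: consumed on success
        return ("ok", client_id)


if __name__ == "__main__":
    bits = user_code_entropy_bits()
    print(f"entropy: {bits:.1f} bits")
    # 10 guesses/s after rate limiting vs. an unthrottled attacker,
    # with an assumed 1000 codes pending at once
    print("limited attacker:",
          brute_force_success_probability(10, CODE_LIFETIME_S, 1000, bits))
    print("unlimited attacker:",
          brute_force_success_probability(100_000, CODE_LIFETIME_S, 1000, bits))
    print("sample code:", generate_user_code())
```

The bound is deliberately loose: it assumes uniform codes and a single throttled source, so an attacker spreading guesses over many addresses needs a global limit as well as the per-source one modelled here. The "ok" result carries the client_id so that the verification page can tell the user which client they are about to approve; in the scenario from the top of this message, that display is the user's only chance to notice the grant is not landing where they think it is.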