IETF Logo Mail Archive

Re: [OAUTH-WG] problem statement

Phil Hunt <phil.hunt@oracle.com> Wed, 07 September 2011 18:21 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3843F21F8D16 for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 11:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.878
X-Spam-Level:
X-Spam-Status: No, score=-4.878 tagged_above=-999 required=5 tests=[AWL=1.121, BAYES_00=-2.599, J_CHICKENPOX_53=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRtV98KjvxXx for <oauth@ietfa.amsl.com>; Wed, 7 Sep 2011 11:20:59 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 4C47821F8CF2 for <oauth@ietf.org>; Wed, 7 Sep 2011 11:20:59 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by acsinet15.oracle.com (Switch-3.4.4/Switch-3.4.4) with ESMTP id p87IMkYA030719 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 Sep 2011 18:22:48 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id p87IMj1L003316 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Sep 2011 18:22:46 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p87IMeYv013481; Wed, 7 Sep 2011 13:22:40 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 07 Sep 2011 11:22:40 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <4E67B1C3.60306@mtcc.com>
Date: Wed, 07 Sep 2011 11:22:43 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2DEC7481-6359-4E6D-9F98-D97F42AF1A19@oracle.com>
References: <4E665B25.6090709@mtcc.com> <CD0B1909-8298-4CC3-B273-7B26E71EAB31@hueniverse.com> <4E666512.7010701@mtcc.com> <F4839FCD-CA73-4450-AD12-E07D46BB7746@hueniverse.com> <4E6667D1.3080404@mtcc.com> <1315334677.26387.YahooMailNeo@web31809.mail.mud.yahoo.com> <4E666B65.30701@mtcc.com> <29815937-0FB9-463B-B6E4-8FCAF7B3CD8C@hueniverse.com> <4E666E73.3050502@mtcc.com> <CAMrm-MJHKTxaj1iEm_Lr=X92sOiWZcYN4F6dNqb5w5gh4OPndQ@mail.gmail.com> <4E6671FA.3090503@gmail.com> <4E667469.2040007@mtcc.com> <1315337809.3136.38.camel@ground> <4E667953.9020906@mtcc.com> <71A460EE-1E2C-4165-99A8-5A97D6E9365C@jkemp.net> <4E667E2E.7090304@mtcc.com> <80A88920-A1EF-4A1C-A97E-F99379923CFB@jkemp.net> <4E66845E.7090906@mtcc.com> <E3DEC4C8-6BB0-44EE-821A-7589F5DC6462@jkemp.net> <4E669D3C.5000900@gmail.com> <7D4DF72E-B211-4D41-B447-4CF04E9CB1D8@hueniverse.com> <4E67A710.9070505@alcatel-lucent.com> <4E67A942.1070200@mtcc.com> <D3A6B9B9-AC0A-4D0E-ACA8-AEB1BF8D5ECF@jkemp.net> <4E67B1C3.60306@mtcc.com>
To: Michael Thomas <mike@mtcc.com>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090206.4E67B678.0111:SCFMA922111,ss=1,re=-4.000,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] problem statement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 18:21:00 -0000

Michael,

You should read the threat model document. This document has more editorial on these kinds of issues.

The core spec deals in specific items implementors must do or not do from an inter-op perspective.

The threat model document goes into some details about the need for authenticating clients, etc and the counter-measures that should be considered. This is likely more in line with your concerns.

In my opinion, the issue of malware and of component "trust" is to me something that belongs in whitepapers, product manuals, etc and does not belong in the protocol specification.  In a sense the issue is the kind of thing a "consultant" would provide and thus this type of consultative information fits into broader best practices of desktops and servers management and has no direct relevance on OAuth.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2011-09-07, at 11:02 AM, Michael Thomas wrote:

> On 09/07/2011 10:49 AM, John Kemp wrote:
>> Mike,
>> 
>> On Sep 7, 2011, at 1:26 PM, Michael Thomas wrote:
>> 
>>   
>>> On 09/07/2011 10:17 AM, Igor Faynberg wrote:
>>>     
>>>> +300 (if I can do that) to indicate my strong agreement.  But if somehow it is decided to add a few sentences on saying that OAuth cannot deal with key-logging, I will insist on adding two sentences each on OAuth being unable to deal with 1) earthquakes, 2) certain contageous diseases, etc., [...]
>>>>       
>>> Please, enough of the hyperbole. It is not clear or obvious whether this is
>>> a protocol issue or not. It brings into question whether the protocol is worth
>>> deploying at all, and that is surely an issue. As far as I can tell, there is very
>>> little upside to deploying OAuth in the general case over, say, Basic+TLS. In
>>> fact, you guys have convinced me that OAuth gives inferior protection at
>>> considerable expense for all concerned.
>>>     
>> I'm sorry that you haven't received an easy introduction to the OAuth WG. But that's no reason to spout nonsense. OAuth seeks to replace something that was once rather common - the need for a user to type (and/or store) his password for site A at site B, to let site B get their content from site A. Now, site B gets a token in the common case, rather than the user's password for site A. This doesn't remove the need for a user to exercise common sense in deciding where to type her password. But it does, in the common case, mitigate the password being shared among websites, or across networks multiple times.
>> 
>> You are right that OAuth doesn't mitigate key logging or other similar attacks on the client OS/platform itself. But that doesn't make it inferior to other methods of web authorization.
>> 
>>   
> 
> It's not nonsense:
> 
> 1) App prompts me for my credentials to Facebook -- I wonder whether
>    I trust the app.
> 2) App puts me in a Facebook login window -- I figure that it's secure and
>    don't wonder whether I trust the app.
> 
> #2 sure looks worse than #1.
> 
> Mike
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email