Re: [OAUTH-WG] OAuth2 attack surface....
prateek mishra <prateek.mishra@oracle.com> Fri, 01 March 2013 18:50 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF65821E809E for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 10:50:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.576
X-Spam-Level:
X-Spam-Status: No, score=-6.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yD6KKUgOo3o4 for <oauth@ietfa.amsl.com>; Fri, 1 Mar 2013 10:50:34 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 0A2AB21E803F for <oauth@ietf.org>; Fri, 1 Mar 2013 10:50:33 -0800 (PST)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r21IoSe0019216 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 1 Mar 2013 18:50:29 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r21IoR0W021505 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Mar 2013 18:50:28 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r21IoRXF009091; Fri, 1 Mar 2013 12:50:27 -0600
Received: from [10.152.55.88] (/10.152.55.88) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Mar 2013 10:50:27 -0800
Message-ID: <5130F872.8060907@oracle.com>
Date: Fri, 01 Mar 2013 13:50:26 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <1361830944.13340.YahooMailNeo@web31812.mail.mud.yahoo.com> <E4A6D91D-2BC8-4F2E-9B1C-D1362A0E3608@oracle.com> <1361831644.50183.YahooMailNeo@web31801.mail.mud.yahoo.com> <1361832133.97884.YahooMailNeo@web31816.mail.mud.yahoo.com> <140EEABC-2787-4D9A-A1C5-6C973FED5BC8@adobe.com> <512FE091.9030508@oracle.com> <9C445AAF-BEE8-44F5-8FE6-43CA843906CC@ve7jtb.com> <5130C2A0.2010100@oracle.com> <0F011ABB-B431-47A4-8EE8-F24BBB6B6549@adobe.com>
In-Reply-To: <0F011ABB-B431-47A4-8EE8-F24BBB6B6549@adobe.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 attack surface....
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2013 18:50:35 -0000
> > On Mar 1, 2013, at 4:00 PM, prateek mishra wrote: > >> Yup, use of confidential clients and full checking of redirect URIs >> would mitigate these attacks. >> >> I think there is an issue of providing guidance to >> developers/deployers, about making secure choices, that needs to be >> addressed someplace. A test suite >> would also be a good complement to a document. > > do you mean having a TCK for OAuth 2.0? > > Yes, that is the general direction I was thinking of but in a language independent format. An example is the XACML 2.0 conformance suite: https://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip Of course, testing AS and RS would involve network exchanges, so it would be a bit more involved...
- [OAUTH-WG] OAuth2 attack surface.... William Mills
- Re: [OAUTH-WG] OAuth2 attack surface.... William Mills
- Re: [OAUTH-WG] OAuth2 attack surface.... Richer, Justin P.
- Re: [OAUTH-WG] OAuth2 attack surface.... John Bradley
- Re: [OAUTH-WG] OAuth2 attack surface.... Dick Hardt
- Re: [OAUTH-WG] OAuth2 attack surface.... Antonio Sanso
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra
- Re: [OAUTH-WG] OAuth2 attack surface.... Oleg Gryb
- Re: [OAUTH-WG] OAuth2 attack surface.... John Bradley
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra
- Re: [OAUTH-WG] OAuth2 attack surface.... Antonio Sanso
- Re: [OAUTH-WG] OAuth2 attack surface.... prateek mishra