Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 10 November 2010 06:57 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 925393A69A3; Tue, 9 Nov 2010 22:57:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHx5MIc21mga; Tue, 9 Nov 2010 22:57:54 -0800 (PST)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by core3.amsl.com (Postfix) with ESMTP id 1E1113A69A9; Tue, 9 Nov 2010 22:57:54 -0800 (PST)
Received: from umail.lucent.com (h135-3-40-63.lucent.com [135.3.40.63]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id oAA6aZcM011476 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 10 Nov 2010 00:36:35 -0600 (CST)
Received: from [135.244.80.3] (faynberg.lra.lucent.com [135.244.80.3]) by umail.lucent.com (8.13.8/TPES) with ESMTP id oAA6aUoF026012; Wed, 10 Nov 2010 00:36:31 -0600 (CST)
Message-ID: <4CDA3D73.10609@alcatel-lucent.com>
Date: Wed, 10 Nov 2010 01:36:35 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <30C8090C-AD0E-4D2A-8F26-6EFC52DCDD9D@gmx.net><4CD73075.8050408@lodderstedt.net><180155C5EA10854997314CA5E063D18FECBAC9@TK5EX14MBXC113.redmond.corp.microsoft.com> <1893623701-1289290076-cardhu_decombobulator_blackberry.rim.net-776340369-@bda356.bisx.produk.on.blackberry> <4CD90C14.2060803@bbn.com> <180155C5EA10854997314CA5E063D18FEE90B8@TK5EX14MBXC117.redmond.corp.microsoft.com> <4CDA3983.7050101@bbn.com>
In-Reply-To: <4CDA3983.7050101@bbn.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Mailman-Approved-At: Tue, 09 Nov 2010 23:20:23 -0800
Cc: Anthony Nadalin <tonynad@microsoft.com>, "abfab@ietf.org" <abfab@ietf.org>, "rai@ietf.org" <rai@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "xmpp@ietf.org" <xmpp@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "iab@iab.org Board" <iab@iab.org>, "iesg@ietf.org" <iesg@ietf.org>, "Tschofenig, Hannes" <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 06:57:56 -0000

(With apologies for bringing up a tangential matter...)

Talking about the OAuth model, I still see here "Client" instead of 
"Consumer."  I thought there was an agreement on the terminology 
change.  I have no specific preference for either term, but  I think it 
is essential that our terminology be consistent, especially now that 
other SDOs are considering adopting OAuth.

This is not necessarily a question for Richard, but could someone set me 
straight: Is it "Client" or "Consumer"? 

With thanks,

Igor

Richard L. Barnes wrote:
> Of course not every scenario calls for all of the security knobs to be 
> turned to 11.  Think of things instead in terms of syllogisms: "IF you 
> want X guarantee, THEN you MUST do A, B, C."
>
> Then you can also read the same things backwards in a given deployment 
> scenario: "Given that I can't do B, I can't get assurances X, Y, but I 
> can get Z (if I do D, F as well)".
>
> I promise to produce something more concrete soon :)  In the meantime, 
> this text illustrates what I mean pretty well:
> <http://tools.ietf.org/html/draft-barnes-oauth-model-01#section-5>
>
> --Richard
>
>
> On 11/10/10 2:03 PM, Anthony Nadalin wrote:
>> Issue here is that guarantees (and what you want as a guarantee may 
>> not be what somebody else wants) can vary depending on scenario and 
>> deployment.
>>
>> -----Original Message-----
>> From: Richard L. Barnes [mailto:rbarnes@bbn.com]
>> Sent: Tuesday, November 09, 2010 12:54 AM
>> To: torsten@lodderstedt.net
>> Cc: Anthony Nadalin; Tschofenig, Hannes; abfab@ietf.org; 
>> rai@ietf.org; ietf@ietf.org; secdir@ietf.org; websec@ietf.org; 
>> xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board; iesg@ietf.org; 
>> oauth@ietf.org
>> Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial&  OAuth Security 
>> Session **
>>
>> I would say that the security considerations should be based on a 
>> model of OAuth.  Start with a model of the protocol and the 
>> guarantees you want, then explain how to use security mechanisms to 
>> achieve those guarantees.
>>
>> I promised Hannes today to do a review of the current document (which 
>> I admit I haven't read) and start on some security considerations 
>> from that perspective.  So expect that in the next few weeks.
>>
>> --Richard
>>
>>
>>
>>
>> On 11/9/10 4:07 PM, torsten@lodderstedt.net wrote:
>>> We think the security considerations should be based on a threat 
>>> model of OAuth. But a complete threat model would blow up the spec.
>>>
>>> We therefore aim to produce a separate security document 
>>> (informational I-D/RFC) covering threat model as well as security 
>>> design and considerations. The security considerations section of 
>>> the core spec can then be distilled from this document.
>>>
>>> Regards,
>>> Torsten.
>>> Gesendet mit BlackBerry(r) Webmail von Telekom Deutschland
>>>
>>> -----Original Message-----
>>> From: Anthony Nadalin<tonynad@microsoft.com>;
>>> Date: Tue, 9 Nov 2010 01:54:57
>>> To: Torsten Lodderstedt<torsten@lodderstedt.net>;; Hannes
>>> Tschofenig<hannes.tschofenig@gmx.net>;
>>> Cc: abfab@ietf.org<abfab@ietf.org>; rai@ietf.org<rai@ietf.org>;
>>> ietf@ietf.org<ietf@ietf.org>; secdir@ietf.org<secdir@ietf.org>;
>>> websec@ietf.org<websec@ietf.org>; xmpp@ietf.org<xmpp@ietf.org>;
>>> kitten@ietf.org<kitten@ietf.org>; iab@iab.org Board<iab@iab.org>;;
>>> iesg@ietf.org<iesg@ietf.org>; oauth@ietf.org<oauth@ietf.org>
>>> Subject: RE: [OAUTH-WG] ** OAuth Tutorial&   OAuth Security Session **
>>>
>>> I was looking for less of an analysis and more of considerations (of 
>>> the current flows and actors), I'm not sure how to adapt what you 
>>> have done to actually fit in the current specification, was your 
>>> thought that you would produce a separate security analysis document?
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Torsten Lodderstedt
>>> Sent: Sunday, November 07, 2010 3:04 PM
>>> To: Hannes Tschofenig
>>> Cc: abfab@ietf.org; rai@ietf.org; ietf@ietf.org; secdir@ietf.org;
>>> websec@ietf.org; xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board;
>>> iesg@ietf.org; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] ** OAuth Tutorial&   OAuth Security Session **
>>>
>>> Hi all,
>>>
>>> Mark McGloin and me have been working on OAuth 2.0 security 
>>> considerations for a couple of weeks now. Since we both cannot 
>>> attend the IETF-79 meetings, we would like to provide the WG with 
>>> information regarding the current status of our work. I therefore 
>>> uploaded a_preliminary_ version of our working document to the WG's 
>>> wiki at 
>>> http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf. 
>>>
>>> The focus of this version was on consolidating previous work as well 
>>> as results of mailing list discussions and start working towards a 
>>> rigorous threat model.
>>>
>>> Please give us feedback.
>>>
>>> regards,
>>> Torsten.
>>>
>>> Am 07.11.2010 03:22, schrieb Hannes Tschofenig:
>>>> Hi all,
>>>>
>>>> please consider attending the following two meetings!
>>>>
>>>> ** OAuth Security Session **
>>>>
>>>>     * Date: Monday, 13:00-15:00
>>>>     * Location: IAB breakout room (Jade 2)
>>>>     * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net The 
>>>> security
>>>> consideration section of OAuth 2.0 (draft -10) is still empty. 
>>>> Hence, we would like to put some time aside to discuss what 
>>>> security threats, requirements, and countermeasures need to be 
>>>> described. We will use the Monday, November 8, 1300-1500 slot to 
>>>> have a  discussion session.
>>>>
>>>> As a starting point I suggest to look at the following documents:
>>>>
>>>>     * 
>>>> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
>>>>     * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
>>>>     *
>>>> http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.
>>>> txt
>>>>
>>>> Note: If you are unfamiliar with OAuth then the OAuth tutorial 
>>>> session might be more suitable for you!
>>>>
>>>>
>>>>
>>>> ** OAuth Tutorial **
>>>>
>>>>     * Date: Wednesday, 19:30 (after the plenary)
>>>>     * Location: IAB breakout room (Jade 2)
>>>>     * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net OAuth 
>>>> allows
>>>> a user to grant a third-party Web site or application access to their
>>>> resources, without necessarily revealing their credentials, or even
>>>> their identity. The OAuth working group, see
>>>> http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to
>>>> finalize their main specification, namely OAuth v2:
>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
>>>>
>>>> Based on the positive response at the last IETF meeting (in
>>>> Maastricht) we decided to hold another OAuth tutorial, namely on
>>>> *Wednesday, starting at 19:30 (after the IETF Operations and
>>>> Administration Plenary) till about 21:00. (Note: I had to switch the
>>>> day because of the social event!)
>>>>
>>>> It is helpful to read through the documents available int he 
>>>> working group but not required.
>>>>
>>>> Up-to-date information can be found here:
>>>> http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth