Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 10 November 2010 06:57 UTC

From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
Date: Wed, 10 Nov 2010 01:36:35 -0500
Message-ID: <4CDA3D73.10609@alcatel-lucent.com>
In-Reply-To: <4CDA3983.7050101@bbn.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: Anthony Nadalin <tonynad@microsoft.com>, "abfab@ietf.org" <abfab@ietf.org>, "rai@ietf.org" <rai@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "xmpp@ietf.org" <xmpp@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "iab@iab.org Board" <iab@iab.org>, "iesg@ietf.org" <iesg@ietf.org>, "Tschofenig, Hannes" <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

(With apologies for bringing up a tangential matter...)

Talking about the OAuth model, I still see here "Client" instead of 
"Consumer."  I thought there was an agreement on the terminology 
change.  I have no specific preference for either term, but I think it 
is essential that our terminology be consistent, especially now that 
other SDOs are considering adopting OAuth.

This is not necessarily a question for Richard, but could someone set me 
straight: Is it "Client" or "Consumer"?

With thanks,

Igor

Richard L. Barnes wrote:
> Of course not every scenario calls for all of the security knobs to be 
> turned to 11.  Think of things instead in terms of syllogisms: "IF you 
> want X guarantee, THEN you MUST do A, B, C."
>
> Then you can also read the same things backwards in a given deployment 
> scenario: "Given that I can't do B, I can't get assurances X, Y, but I 
> can get Z (if I do D, F as well)".
>
> I promise to produce something more concrete soon :)  In the meantime, 
> this text illustrates what I mean pretty well:
> <http://tools.ietf.org/html/draft-barnes-oauth-model-01#section-5>
>
> --Richard
>
>
> On 11/10/10 2:03 PM, Anthony Nadalin wrote:
>> Issue here is that guarantees (and what you want as a guarantee may 
>> not be what somebody else wants) can vary depending on scenario and 
>> deployment.
>>
>> -----Original Message-----
>> From: Richard L. Barnes [mailto:rbarnes@bbn.com]
>> Sent: Tuesday, November 09, 2010 12:54 AM
>> To: torsten@lodderstedt.net
>> Cc: Anthony Nadalin; Tschofenig, Hannes; abfab@ietf.org; 
>> rai@ietf.org; ietf@ietf.org; secdir@ietf.org; websec@ietf.org; 
>> xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board; iesg@ietf.org; 
>> oauth@ietf.org
>> Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security 
>> Session **
>>
>> I would say that the security considerations should be based on a 
>> model of OAuth.  Start with a model of the protocol and the 
>> guarantees you want, then explain how to use security mechanisms to 
>> achieve those guarantees.
>>
>> I promised Hannes today to do a review of the current document (which 
>> I admit I haven't read) and start on some security considerations 
>> from that perspective.  So expect that in the next few weeks.
>>
>> --Richard
>>
>>
>>
>>
>> On 11/9/10 4:07 PM, torsten@lodderstedt.net wrote:
>>> We think the security considerations should be based on a threat 
>>> model of OAuth. But a complete threat model would blow up the spec.
>>>
>>> We therefore aim to produce a separate security document 
>>> (informational I-D/RFC) covering threat model as well as security 
>>> design and considerations. The security considerations section of 
>>> the core spec can then be distilled from this document.
>>>
>>> Regards,
>>> Torsten.
>>> Sent with BlackBerry(r) Webmail from Telekom Deutschland
>>>
>>> -----Original Message-----
>>> From: Anthony Nadalin <tonynad@microsoft.com>
>>> Date: Tue, 9 Nov 2010 01:54:57
>>> To: Torsten Lodderstedt <torsten@lodderstedt.net>; Hannes
>>> Tschofenig <hannes.tschofenig@gmx.net>
>>> Cc: abfab@ietf.org <abfab@ietf.org>; rai@ietf.org <rai@ietf.org>;
>>> ietf@ietf.org <ietf@ietf.org>; secdir@ietf.org <secdir@ietf.org>;
>>> websec@ietf.org <websec@ietf.org>; xmpp@ietf.org <xmpp@ietf.org>;
>>> kitten@ietf.org <kitten@ietf.org>; iab@iab.org Board <iab@iab.org>;
>>> iesg@ietf.org <iesg@ietf.org>; oauth@ietf.org <oauth@ietf.org>
>>> Subject: RE: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>>>
>>> I was looking for less of an analysis and more of considerations (of 
>>> the current flows and actors), I'm not sure how to adapt what you 
>>> have done to actually fit in the current specification, was your 
>>> thought that you would produce a separate security analysis document?
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Torsten Lodderstedt
>>> Sent: Sunday, November 07, 2010 3:04 PM
>>> To: Hannes Tschofenig
>>> Cc: abfab@ietf.org; rai@ietf.org; ietf@ietf.org; secdir@ietf.org;
>>> websec@ietf.org; xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board;
>>> iesg@ietf.org; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>>>
>>> Hi all,
>>>
>>> Mark McGloin and I have been working on OAuth 2.0 security 
>>> considerations for a couple of weeks now. Since we both cannot 
>>> attend the IETF-79 meetings, we would like to provide the WG with 
>>> information regarding the current status of our work. I therefore 
>>> uploaded a _preliminary_ version of our working document to the WG's 
>>> wiki at 
>>> http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf.
>>>
>>> The focus of this version was on consolidating previous work as well 
>>> as results of mailing list discussions and start working towards a 
>>> rigorous threat model.
>>>
>>> Please give us feedback.
>>>
>>> regards,
>>> Torsten.
>>>
>>> On 07.11.2010 03:22, Hannes Tschofenig wrote:
>>>> Hi all,
>>>>
>>>> please consider attending the following two meetings!
>>>>
>>>> ** OAuth Security Session **
>>>>
>>>>     * Date: Monday, 13:00-15:00
>>>>     * Location: IAB breakout room (Jade 2)
>>>>     * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
>>>>
>>>> The security consideration section of OAuth 2.0 (draft -10) is still 
>>>> empty. Hence, we would like to put some time aside to discuss what 
>>>> security threats, requirements, and countermeasures need to be 
>>>> described. We will use the Monday, November 8, 1300-1500 slot to 
>>>> have a discussion session.
>>>>
>>>> As a starting point I suggest to look at the following documents:
>>>>
>>>>     * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
>>>>     * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
>>>>     * http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt
>>>>
>>>> Note: If you are unfamiliar with OAuth then the OAuth tutorial 
>>>> session might be more suitable for you!
>>>>
>>>>
>>>>
>>>> ** OAuth Tutorial **
>>>>
>>>>     * Date: Wednesday, 19:30 (after the plenary)
>>>>     * Location: IAB breakout room (Jade 2)
>>>>     * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
>>>>
>>>> OAuth allows a user to grant a third-party Web site or application 
>>>> access to their resources, without necessarily revealing their 
>>>> credentials, or even their identity. The OAuth working group, see
>>>> http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to
>>>> finalize their main specification, namely OAuth v2:
>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
>>>>
>>>> Based on the positive response at the last IETF meeting (in
>>>> Maastricht) we decided to hold another OAuth tutorial, namely on
>>>> Wednesday, starting at 19:30 (after the IETF Operations and
>>>> Administration Plenary) till about 21:00. (Note: I had to switch the
>>>> day because of the social event!)
>>>>
>>>> It is helpful to read through the documents available in the 
>>>> working group but not required.
>>>>
>>>> Up-to-date information can be found here:
>>>> http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir
>>