Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 10 November 2010 06:57 UTC
Message-ID: <4CDA3D73.10609@alcatel-lucent.com>
Date: Wed, 10 Nov 2010 01:36:35 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <30C8090C-AD0E-4D2A-8F26-6EFC52DCDD9D@gmx.net><4CD73075.8050408@lodderstedt.net><180155C5EA10854997314CA5E063D18FECBAC9@TK5EX14MBXC113.redmond.corp.microsoft.com> <1893623701-1289290076-cardhu_decombobulator_blackberry.rim.net-776340369-@bda356.bisx.produk.on.blackberry> <4CD90C14.2060803@bbn.com> <180155C5EA10854997314CA5E063D18FEE90B8@TK5EX14MBXC117.redmond.corp.microsoft.com> <4CDA3983.7050101@bbn.com>
In-Reply-To: <4CDA3983.7050101@bbn.com>
Cc: Anthony Nadalin <tonynad@microsoft.com>, "abfab@ietf.org" <abfab@ietf.org>, "rai@ietf.org" <rai@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "xmpp@ietf.org" <xmpp@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "iab@iab.org Board" <iab@iab.org>, "iesg@ietf.org" <iesg@ietf.org>, "Tschofenig, Hannes" <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
(With apologies for bringing up a tangential matter...)

Talking about the OAuth model, I still see here "Client" instead of "Consumer." I thought there was an agreement on the terminology change. I have no specific preference for either term, but I think it is essential that our terminology be consistent, especially now that other SDOs are considering adopting OAuth.

This is not necessarily a question for Richard, but could someone set me straight: Is it "Client" or "Consumer"?

With thanks,

Igor

Richard L. Barnes wrote:
> Of course not every scenario calls for all of the security knobs to be
> turned to 11. Think of things instead in terms of syllogisms: "IF you
> want X guarantee, THEN you MUST do A, B, C."
>
> Then you can also read the same things backwards in a given deployment
> scenario: "Given that I can't do B, I can't get assurances X, Y, but I
> can get Z (if I do D, F as well)".
>
> I promise to produce something more concrete soon :) In the meantime,
> this text illustrates what I mean pretty well:
> <http://tools.ietf.org/html/draft-barnes-oauth-model-01#section-5>
>
> --Richard
>
>
> On 11/10/10 2:03 PM, Anthony Nadalin wrote:
>> Issue here is that guarantees (and what you want as a guarantee may
>> not be what somebody else wants) can vary depending on scenario and
>> deployment.
>>
>> -----Original Message-----
>> From: Richard L. Barnes [mailto:rbarnes@bbn.com]
>> Sent: Tuesday, November 09, 2010 12:54 AM
>> To: torsten@lodderstedt.net
>> Cc: Anthony Nadalin; Tschofenig, Hannes; abfab@ietf.org;
>> rai@ietf.org; ietf@ietf.org; secdir@ietf.org; websec@ietf.org;
>> xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board; iesg@ietf.org;
>> oauth@ietf.org
>> Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security
>> Session **
>>
>> I would say that the security considerations should be based on a
>> model of OAuth. Start with a model of the protocol and the
>> guarantees you want, then explain how to use security mechanisms to
>> achieve those guarantees.
>>
>> I promised Hannes today to do a review of the current document (which
>> I admit I haven't read) and start on some security considerations
>> from that perspective. So expect that in the next few weeks.
>>
>> --Richard
>>
>>
>> On 11/9/10 4:07 PM, torsten@lodderstedt.net wrote:
>>> We think the security considerations should be based on a threat
>>> model of OAuth. But a complete threat model would blow up the spec.
>>>
>>> We therefore aim to produce a separate security document
>>> (informational I-D/RFC) covering threat model as well as security
>>> design and considerations. The security considerations section of
>>> the core spec can then be distilled from this document.
>>>
>>> Regards,
>>> Torsten.
>>> Sent with BlackBerry(r) Webmail from Telekom Deutschland
>>>
>>> -----Original Message-----
>>> From: Anthony Nadalin <tonynad@microsoft.com>
>>> Date: Tue, 9 Nov 2010 01:54:57
>>> To: Torsten Lodderstedt <torsten@lodderstedt.net>; Hannes
>>> Tschofenig <hannes.tschofenig@gmx.net>
>>> Cc: abfab@ietf.org <abfab@ietf.org>; rai@ietf.org <rai@ietf.org>;
>>> ietf@ietf.org <ietf@ietf.org>; secdir@ietf.org <secdir@ietf.org>;
>>> websec@ietf.org <websec@ietf.org>; xmpp@ietf.org <xmpp@ietf.org>;
>>> kitten@ietf.org <kitten@ietf.org>; iab@iab.org Board <iab@iab.org>;
>>> iesg@ietf.org <iesg@ietf.org>; oauth@ietf.org <oauth@ietf.org>
>>> Subject: RE: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>>>
>>> I was looking for less of an analysis and more of considerations (of
>>> the current flows and actors). I'm not sure how to adapt what you
>>> have done to actually fit in the current specification; was your
>>> thought that you would produce a separate security analysis document?
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Torsten Lodderstedt
>>> Sent: Sunday, November 07, 2010 3:04 PM
>>> To: Hannes Tschofenig
>>> Cc: abfab@ietf.org; rai@ietf.org; ietf@ietf.org; secdir@ietf.org;
>>> websec@ietf.org; xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board;
>>> iesg@ietf.org; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>>>
>>> Hi all,
>>>
>>> Mark McGloin and I have been working on OAuth 2.0 security
>>> considerations for a couple of weeks now. Since we both cannot
>>> attend the IETF-79 meetings, we would like to provide the WG with
>>> information regarding the current status of our work. I therefore
>>> uploaded a _preliminary_ version of our working document to the WG's
>>> wiki at
>>> http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf.
>>>
>>> The focus of this version was on consolidating previous work as well
>>> as results of mailing list discussions and starting to work towards a
>>> rigorous threat model.
>>>
>>> Please give us feedback.
>>>
>>> regards,
>>> Torsten.
>>>
>>> On 07.11.2010 03:22, Hannes Tschofenig wrote:
>>>> Hi all,
>>>>
>>>> please consider attending the following two meetings!
>>>>
>>>> ** OAuth Security Session **
>>>>
>>>> * Date: Monday, 13:00-15:00
>>>> * Location: IAB breakout room (Jade 2)
>>>> * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
>>>>
>>>> The security consideration section of OAuth 2.0 (draft -10) is still
>>>> empty. Hence, we would like to put some time aside to discuss what
>>>> security threats, requirements, and countermeasures need to be
>>>> described. We will use the Monday, November 8, 1300-1500 slot to
>>>> have a discussion session.
>>>>
>>>> As a starting point I suggest looking at the following documents:
>>>>
>>>> * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
>>>> * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
>>>> * http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt
>>>>
>>>> Note: If you are unfamiliar with OAuth then the OAuth tutorial
>>>> session might be more suitable for you!
>>>>
>>>>
>>>> ** OAuth Tutorial **
>>>>
>>>> * Date: Wednesday, 19:30 (after the plenary)
>>>> * Location: IAB breakout room (Jade 2)
>>>> * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net
>>>>
>>>> OAuth allows a user to grant a third-party Web site or application
>>>> access to their resources, without necessarily revealing their
>>>> credentials, or even their identity. The OAuth working group, see
>>>> http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to
>>>> finalize their main specification, namely OAuth v2:
>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
>>>>
>>>> Based on the positive response at the last IETF meeting (in
>>>> Maastricht) we decided to hold another OAuth tutorial, namely on
>>>> Wednesday, starting at 19:30 (after the IETF Operations and
>>>> Administration Plenary) till about 21:00. (Note: I had to switch the
>>>> day because of the social event!)
>>>>
>>>> It is helpful to read through the documents available in the
>>>> working group but not required.
>>>>
>>>> Up-to-date information can be found here:
>>>> http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir