Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Tue, 09 November 2010 14:54 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CCC2C3A6A04; Tue, 9 Nov 2010 06:54:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kxy8MrZ8zQvp; Tue, 9 Nov 2010 06:54:29 -0800 (PST)
Received: from mtagate3.de.ibm.com (mtagate3.de.ibm.com [195.212.17.163]) by core3.amsl.com (Postfix) with ESMTP id 949B13A69BE; Tue, 9 Nov 2010 06:54:28 -0800 (PST)
Received: from d06nrmr1307.portsmouth.uk.ibm.com (d06nrmr1307.portsmouth.uk.ibm.com [9.149.38.129]) by mtagate3.de.ibm.com (8.13.1/8.13.1) with ESMTP id oA9Esflx004036; Tue, 9 Nov 2010 14:54:41 GMT
Received: from d06av04.portsmouth.uk.ibm.com (d06av04.portsmouth.uk.ibm.com [9.149.37.216]) by d06nrmr1307.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id oA9EsfKQ3305506; Tue, 9 Nov 2010 14:54:41 GMT
Received: from d06av04.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av04.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id oA9EsfPh002056; Tue, 9 Nov 2010 07:54:41 -0700
Received: from d06ml093.portsmouth.uk.ibm.com (d06ml093.portsmouth.uk.ibm.com [9.149.104.171]) by d06av04.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id oA9Esf4U002048; Tue, 9 Nov 2010 07:54:41 -0700
In-Reply-To: <4CD90C14.2060803@bbn.com>
References: <30C8090C-AD0E-4D2A-8F26-6EFC52DCDD9D@gmx.net><4CD73075.8050408@lodderstedt.net><180155C5EA10854997314CA5E063D18FECBAC9@TK5EX14MBXC113.redmond.corp.microsoft.com> <1893623701-1289290076-cardhu_decombobulator_blackberry.rim.net-776340369-@bda356.bisx.produk.on.blackberry> <4CD90C14.2060803@bbn.com>
X-KeepSent: 7957FE3B:45025425-802577D6:004F9E8F; type=4; name=$KeepSent
To: "Richard L. Barnes" <rbarnes@bbn.com>
X-Mailer: Lotus Notes Release 8.5.1 September 28, 2009
Message-ID: <OF7957FE3B.45025425-ON802577D6.004F9E8F-802577D6.0051E8D0@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Tue, 9 Nov 2010 14:54:06 +0000
X-MIMETrack: Serialize by Router on D06ML093/06/M/IBM(Release 8.0.2FP6|July 15, 2010) at 09/11/2010 14:54:07
MIME-Version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: quoted-printable
X-Mailman-Approved-At: Tue, 09 Nov 2010 22:04:43 -0800
Cc: "abfab@ietf.org" <abfab@ietf.org>, torsten@lodderstedt.net, "rai@ietf.org" <rai@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "websec@ietf.org" <websec@ietf.org>, "xmpp@ietf.org" <xmpp@ietf.org>, "kitten@ietf.org" <kitten@ietf.org>, "iab@iab.org Board" <iab@iab.org>, "iesg@ietf.org" <iesg@ietf.org>, "Tschofenig, Hannes" <Hannes.Tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2010 14:54:31 -0000

When Torsten and I started pulling together the security considerations
over the last 4-6 weeks, we toyed with the idea of either populating the
security considerations section of the protocol with a list/tree of
considerations, or creating a more comprehensive document to ensure we
covered all aspects, list security features and which would also act as a
security aid to developers implementing the oauth protocol. We decided on
the latter and agreed it could later be distilled down to something that
will fit into the security considerations section of the protocol.

Bear in mind the document needs tidying but we wanted to push something in
before the security meeting in China

Regards
Mark McGloin

oauth-bounces@ietf.org wrote on 09/11/2010 08:53:40:

> "Richard L. Barnes" <rbarnes@bbn.com>;
> Sent by: oauth-bounces@ietf.org
>
> 09/11/2010 08:53
>
> To
>
> torsten@lodderstedt.net
>
> cc
>
> "abfab@ietf.org"; <abfab@ietf.org>;, "rai@ietf.org"; <rai@ietf.org>;,
> "ietf@ietf.org"; <ietf@ietf.org>;, "secdir@ietf.org";
> <secdir@ietf.org>;, "websec@ietf.org"; <websec@ietf.org>;,
> "xmpp@ietf.org"; <xmpp@ietf.org>;, "kitten@ietf.org";
> <kitten@ietf.org>;, "iab@iab.org Board" <iab@iab.org>;,
> "iesg@ietf.org"; <iesg@ietf.org>;, "Tschofenig, Hannes"
> <Hannes.Tschofenig@gmx.net>;, "oauth@ietf.org"; <oauth@ietf.org>;
>
> Subject
>
> Re: [OAUTH-WG] [secdir] ** OAuth Tutorial & OAuth Security Session **
>
> I would say that the security considerations should be based on a model
> of OAuth.  Start with a model of the protocol and the guarantees you
> want, then explain how to use security mechanisms to achieve those
> guarantees.
>
> I promised Hannes today to do a review of the current document (which I
> admit I haven't read) and start on some security considerations from
> that perspective.  So expect that in the next few weeks.
>
> --Richard
>
>
>
>
> On 11/9/10 4:07 PM, torsten@lodderstedt.net wrote:
> > We think the security considerations should be based on a threat
> model of OAuth. But a complete threat model would blow up the spec.
> >
> > We therefore aim to produce a separate security document
> (informational I-D/RFC) covering threat model as well as security
> design and considerations. The security considerations section of
> the core spec can then be distilled from this document.
> >
> > Regards,
> > Torsten.
> > Gesendet mit BlackBerry® Webmail von Telekom Deutschland
> >
> > -----Original Message-----
> > From: Anthony Nadalin<tonynad@microsoft.com>;
> > Date: Tue, 9 Nov 2010 01:54:57
> > To: Torsten Lodderstedt<torsten@lodderstedt.net>;; Hannes
> Tschofenig<hannes.tschofenig@gmx.net>;
> > Cc: abfab@ietf.org<abfab@ietf.org>; rai@ietf.org<rai@ietf.org>;
> ietf@ietf.org<ietf@ietf.org>; secdir@ietf.org<secdir@ietf.org>;
> websec@ietf.org<websec@ietf.org>; xmpp@ietf.org<xmpp@ietf.org>;
> kitten@ietf.org<kitten@ietf.org>; iab@iab.org Board<iab@iab.org>;;
> iesg@ietf.org<iesg@ietf.org>; oauth@ietf.org<oauth@ietf.org>
> > Subject: RE: [OAUTH-WG] ** OAuth Tutorial&  OAuth Security Session **
> >
> > I was looking for less of an analysis and more of considerations
> (of the current flows and actors), I'm not sure how to adapt what
> you have done to actually fit in the current specification, was your
> thought that you would produce a separate security analysis document?
> >
> > -----Original Message-----
> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> Behalf Of Torsten Lodderstedt
> > Sent: Sunday, November 07, 2010 3:04 PM
> > To: Hannes Tschofenig
> > Cc: abfab@ietf.org; rai@ietf.org; ietf@ietf.org; secdir@ietf.org;
> websec@ietf.org; xmpp@ietf.org; kitten@ietf.org; iab@iab.org Board;
> iesg@ietf.org; oauth@ietf.org
> > Subject: Re: [OAUTH-WG] ** OAuth Tutorial&  OAuth Security Session **
> >
> > Hi all,
> >
> > Mark McGloin and me have been working on OAuth 2.0 security
> considerations for a couple of weeks now. Since we both cannot
> attend the IETF-79 meetings, we would like to provide the WG with
> information regarding the current status of our work. I therefore
> uploaded a_preliminary_ version of our working document to the WG's wiki
at
> http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/
> SecurityConsiderations/oauth20_seccons_20101107.pdf.
> > The focus of this version was on consolidating previous work as
> well as results of mailing list discussions and start working
> towards a rigorous threat model.
> >
> > Please give us feedback.
> >
> > regards,
> > Torsten.
> >
> > Am 07.11.2010 03:22, schrieb Hannes Tschofenig:
> >> Hi all,
> >>
> >> please consider attending the following two meetings!
> >>
> >> ** OAuth Security Session **
> >>
> >>    * Date: Monday, 13:00-15:00
> >>    * Location: IAB breakout room (Jade 2)
> >>    * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net The security
> >> consideration section of OAuth 2.0 (draft -10) is still empty.
> Hence, we would like to put some time aside to discuss what security
> threats, requirements, and countermeasures need to be described. We
> will use the Monday, November 8, 1300-1500 slot to have a  discussion
session.
> >>
> >> As a starting point I suggest to look at the following documents:
> >>
> >>    *
http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
> >>    * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
> >>    *
> >> http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.
> >> txt
> >>
> >> Note: If you are unfamiliar with OAuth then the OAuth tutorial
> session might be more suitable for you!
> >>
> >>
> >>
> >> ** OAuth Tutorial **
> >>
> >>    * Date: Wednesday, 19:30 (after the plenary)
> >>    * Location: IAB breakout room (Jade 2)
> >>    * Contact: Hannes Tschofenig hannes.tschofenig@gmx.net OAuth allows
a
> >> user to grant a third-party Web site or application access to their
> >> resources, without necessarily revealing their credentials, or even
> >> their identity. The OAuth working group, see
> >> http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to
> >> finalize their main specification, namely OAuth v2:
> >> http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
> >>
> >> Based on the positive response at the last IETF meeting (in
> >> Maastricht) we decided to hold another OAuth tutorial, namely on
> >> *Wednesday, starting at 19:30 (after the IETF Operations and
> >> Administration Plenary) till about 21:00. (Note: I had to switch the
> >> day because of the social event!)
> >>
> >> It is helpful to read through the documents available int he
> working group but not required.
> >>
> >> Up-to-date information can be found here:
> >> http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
> >>
> >> Ciao
> >> Hannes
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > secdir mailing list
> > secdir@ietf.org
> > https://www.ietf.org/mailman/listinfo/secdir
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth