Eran,

> I don’t think your statement that ‘the IETF should endorse
> lack of security’ is accurate or helpful.

If the IETF endorsed a protocol such that a compliant
implementation allows user impersonation and unauthorized
access to protected resources, then the IETF would be
endorsing lack of security.  How is that inaccurate?

The statement is helpful from the point of view of the users
who would be the victims of the attacks.  You seem to be
concerned about companies and developers but not about
users.

> I completely reject the notion that a SHOULD with strong
> language explaining the risk is any less “secure” than a
> MUST.
>
> The only impact of using a MUST vs. a SHOULD is that
> companies deploying it without requiring TLS on the
> redirection endpoint will not be able to claim full
> compliance if we use a MUST, but will be able to if we use a
> SHOULD.
>
> RFC 2616 defines compliance as follows:
>
>    An implementation is not compliant if it fails to satisfy one or more
>    of the MUST or REQUIRED level requirements for the protocols it
>    implements. An implementation that satisfies all the MUST or REQUIRED
>    level and all the SHOULD level requirements for its protocols is said
>    to be "unconditionally compliant"; one that satisfies all the MUST
>    level requirements but not all the SHOULD level requirements for its
>    protocols is said to be "conditionally compliant."
>
> If we used a SHOULD for TLS, and added such language, it
> would enable the definition of three classes of
> implementations: non-compliant, unconditionally compliant
> (your definition of secure), and conditionally compliant
> (what Facebook, Yahoo, Google, and Kiva are likely to
> deploy).

Therefore we should use MUST, otherwise there can be
"conditionally compliant" implementations that put users at
risk.

> But my point is that trying to paint the SHOULD option with
> strong security guidance as ‘the IETF endorsing an insecure
> protocol’ or ‘destroy the credibility of OAuth outside the
> silly social networking circle’ (I’m paraphrasing but the
> spirit of the comments is accurate) is just an overblown
> reaction and scare tactic.

What are you paraphrasing?  I think social networking is
very important.  Furthermore, I think social login may very
well become the default user authentication method of the
Web.  So the security of social login is essential for the
security of the Web at large.

> Both options are legitimate and produce the same deployment
> reality. They only differ in how the spec talks about
> security and how implementers can talk about their
> conformance.

If they differ about how implementers can talk about their
conformance then they do not produce the same deployment
reality.

Francisco
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth