Hi Marc,

You're right, the report I referred to is not a formal analysis.

Thanks for the reference to your lab's analysis of OAuth 1.0a. I had a quick look at it, and at the Canetti tutorial on the underlying methodology that the paper refers to. It's interesting, but so complicated! It's a pity that your colleagues missed the flaw in OAuth 1.0a. In section 5.4 they say "We assume that the Consumer and Service Providers have public keys (and certificates) and that the end-user communicates with these server entities over secure channels (SSL/TLS)". If instead of assuming it they had checked the spec they would have seen that that's not true for the consumer, and they would have been able to claim an important practical result :-)

Francisco

--- On Sat, 5/14/11, Mark Mcgloin <mark.mcgl...@ie.ibm.com> wrote:

From: Mark Mcgloin <mark.mcgl...@ie.ibm.com>
Subject: Re: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
To: fcore...@pomcor.com
Cc: oauth@ietf.org
Date: Saturday, May 14, 2011, 11:09 AM

Hi Francisco

Yes, I have seen that report in the past and it is good and informative but is not a substitute for formal analysis. Here is another example of the type of analysis I am looking for, this one covering OAuth 1.0a from our research lab:

http://domino.watson.ibm.com/library/cyberdig.nsf/papers/B0D33665257DD3A0852576410043BCDD/$File/rc24856.pdf

Regards
Mark

Francisco Corella <fcore...@pomcor.com> wrote on 13/05/2011 17:58:01:

> From: Francisco Corella <fcore...@pomcor.com>
> Date: 13/05/2011 17:58
> Reply-To: fcore...@pomcor.com
> To: oauth@ietf.org, Mark Mcgloin/Ireland/IBM@IBMIE
> Subject: Re: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
>
> We wrote a security analysis of double redirection protocols that
> has a section on OAuth 2.0 as of draft 11. You can find it at
> http://pomcor.com/techreports/DoubleRedirection.pdf
>
> Francisco
>
> --- On Fri, 5/13/11, Mark Mcgloin <mark.mcgl...@ie.ibm.com> wrote:
>
> From: Mark Mcgloin <mark.mcgl...@ie.ibm.com>
> Subject: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
> To: oauth@ietf.org
> Date: Friday, May 13, 2011, 10:40 AM
>
> Does anyone know of a formal security protocol analysis that has been
> carried out for OAuth 2.0?
>
> I could only find analysis done against 1.0a, like this one:
>
> http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5762765
>
> thanks
> Mark
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth