On 09/06/2011 03:22 PM, Melinda Shore wrote:
> On 09/06/2011 12:59 PM, John Kemp wrote:
>> The point is that you have a point.
> He does, and that's in some large part why I don't
> fully understand the temperature of the responses.
> I do not think it's a particularly big deal to stick
> a couple of sentences in the security considerations
> underscoring the fact that OAuth can't do anything
> about a compromised host or a malicious application.
> I've learned to live with the fact that sometimes
> people implementing or deploying security technologies
> don't fully understand them, and it's my impression that
> there's some number of people out there who think that
> OAuth and other third-party protocols provide sufficient
> protection against password snagging.
The thing that was baffling to me is that there is no mention
at all about the assumptions anywhere I could find. I knew of
the "trusted" web browser assumption because it appears that
OAuth predates the widespread phenomenon of phone apps, and
I kind of understood where OAuth was coming from. So to *not*
have that assumption discussed or even listed as an assumption
is very surprising -- does this play well in the scenario I outlined
or not? As it turns out, not. Barry thought this was "obvious",
but it wasn't obvious to me. I suspect that this will come as
quite a surprise to the uninitiated who would roll this out to
the masses. It's not even clear to me that Twitter or Facebook
even realize that this attack exists. Or are they cool with the fact
that anybody with an app and a webview can ship their credentials
to Romania? My guess is that it's pretty uncool.
So no, I don't get all of the hostility either.
Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth