On 9/6/11 4:22 PM, Melinda Shore wrote:
> On 09/06/2011 12:59 PM, John Kemp wrote:
>> The point is that you have a point.
>
> He does, and that's in some large part why I don't
> fully understand the temperature of the responses.
> I do not think it's a particularly big deal to stick
> a couple of sentences in the security considerations
> underscoring the fact that OAUTH can't do anything
> about a compromised host or a malicious application.
> I've learned to live with the fact that sometimes
> people implementing or deploying security technologies
> don't fully understand them and it's my impression that
> there's some number of people out there who think that
> OAUTH and other third-party protocols provide sufficient
> protection against password snagging.
I just looked at the most recent specifications for TLS (RFC 5246) and secure shell (RFC 4253), which I think we'd all agree are two quite successful security technologies. Neither of those specs says anything about not protecting human users from malicious clients that perform keylogging to capture security-critical data the user might enter.

Not only is OAuth "not a superhero" as John Kemp said, but I fail to see why we need to document exactly which superhero powers OAuth lacks (given that it's not reasonable to expect *any* security protocol to have those powers). IMHO this is gilding the documentation lily.

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth