I think the only potential mitigation OAuth can offer is that the
authenticating sites can do more due diligence about the clients they allow.
I say this knowing that it's not likely to happen in most cases, but it's
possible. Sites *can* limit the clients they allow, *but* it doesn't really
work for installed clients on the desktop, software copy protection being the
hard problem that it has proved to be.
Nobody dismisses the problem you're talking about, it's definitely a problem.
What you have not done is provide any concrete way in which OAuth can mitigate
it beyond its present state.
I personally want OAuth 2.0 to get out the door. What you seem to be asking
for (if we really go there) is a far more comprehensive and general security
considerations section that's going to cover a huge swath of space not specific
to OAuth. I don't think what you're asking for is specific to OAuth, so I
don't think it's appropriate to take this spec there.
If you really think you've got something here, draft language and propose it.
That takes this from the theory of the problem to specifics. It's got to be
concrete though and actionable. The recent discussions around CSRF identified
a problem of CSRF in the auth server, and the new language addresses that in an
actionable way.
________________________________
From: Michael Thomas <m...@mtcc.com>
To: Peter Saint-Andre <stpe...@stpeter.im>
Cc: oauth@ietf.org
Sent: Tuesday, September 6, 2011 6:13 PM
Subject: Re: [OAUTH-WG] problem statement
On 09/06/2011 06:08 PM, Peter Saint-Andre wrote:
> Put me in the "may not have been avoided" camp. We can't legislate
> common sense (which, sadly, is all too uncommon).
>
Can somebody show me in the archives where this has been
discussed before? Specifically about oauth clients that also
have control of the web UA?
In any case, you cite this as common sense. It's not. You are
close to the problem. Nobody else is.
Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
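A worked illustration of the CSRF mitigation the first message above refers to, added here as an example; it is not code from this thread or from any OAuth implementation discussed on it. It assumes the mitigation is the one in the OAuth 2.0 security considerations: the client binds each authorization request to the user's browser session with an unguessable state value and refuses any redirect to its redirection endpoint that does not present it. The endpoint URLs, client_id, session dictionary and the authorization codes are placeholders constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumed for this example, not from the thread).
AUTHZ_ENDPOINT = "https://authserver.example/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example/callback"


class CsrfError(Exception):
    """Raised when a redirect to the client does not carry the expected state."""


def begin_authorization(session: dict, scope: str = "profile") -> str:
    """Build the authorization request URL and bind it to the user's session.

    The unguessable state value is kept server-side in the session, so only a
    redirect arriving in the same browser session can present it.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def handle_redirect(session: dict, redirect_url: str) -> str:
    """Validate a redirect at the client's redirection endpoint; return the code.

    Rejects the request unless the presented state matches the one bound to
    this session. The state is consumed on success so it cannot be replayed.
    """
    params = parse_qs(urlsplit(redirect_url).query)
    presented = params.get("state", [""])[0]
    expected = session.get("oauth_state", "")
    # Compare as bytes so attacker-supplied non-ASCII input cannot raise.
    if not expected or not presented or not hmac.compare_digest(
        expected.encode("utf-8"), presented.encode("utf-8")
    ):
        # Leave the stored state alone: a forged redirect must not be able
        # to evict the legitimate pending request.
        raise CsrfError("state missing or does not match this session")
    del session["oauth_state"]  # single use
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return params["code"][0]


def callback_accepted(session: dict, redirect_url: str) -> bool:
    """True if handle_redirect accepts the redirect, False if it rejects it."""
    try:
        handle_redirect(session, redirect_url)
        return True
    except (CsrfError, ValueError):
        return False


def demo() -> dict:
    """Walk through a forged redirect, a legitimate redirect, and a replay.

    The attack being stopped: the attacker authorizes with their own account,
    obtains a code, and tricks the victim's browser into loading the client's
    callback with that code so the victim's session gets bound to the
    attacker's account. With state checking the client refuses the redirect.
    """
    victim = {}
    authz_url = begin_authorization(victim)
    victim_state = parse_qs(urlsplit(authz_url).query)["state"][0]

    # Constructed sample redirects (no network; the codes are made up).
    forged = f"{REDIRECT_URI}?code=ATTACKER_CODE"                  # no state
    forged_guess = f"{REDIRECT_URI}?code=ATTACKER_CODE&state=xyz"  # wrong state
    genuine = f"{REDIRECT_URI}?code=VICTIM_CODE&state={victim_state}"

    results = {
        "forged_without_state": callback_accepted(victim, forged),
        "forged_wrong_state": callback_accepted(victim, forged_guess),
    }
    # The forged attempts must not have consumed the pending state.
    results["state_survived_forgery"] = victim.get("oauth_state") == victim_state
    results["genuine"] = callback_accepted(victim, genuine)
    results["replay"] = callback_accepted(victim, genuine)  # state already used
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check belongs at the client's redirection endpoint, not only at the authorization server: the server cannot tell whether the browser that follows the redirect is the one that started the request, but the client can, because the state lives in its own session store.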