On 9/7/11 12:34 PM, Melinda Shore wrote:
> On 09/07/2011 10:22 AM, Phil Hunt wrote:
>> You should read the threat model document. This document has more
>> editorial on these kinds of issues.
>
> This seems reasonable to me, and thank you so much for departing
> from what seems to be standard working group mode by dealing with
> this like an adult.

Is it really juvenile to point out that specs for widely-deployed security technologies also don't cover threats like keyloggers?

> It seems to me that there are some usability problems that while
> not being unique to oauth, really aren't that much like what
> we usually run into with on-the-wire protocols. Documents in
> the security area have typically not dealt with usability issues
> even when, perhaps, they should, given their impact on how
> secure a technology is in the field. Getting that into a threat
> model document sounds about right to me.

Agreed. In fact, I hope that we'll all be able to turn more attention to the threat-model document soon, because it's quite comprehensive and useful. The usability issues are indeed a bit different here, although usability is not exactly easy in the case of, say, TLS with PKI certs issued by certification authorities (as witness recent events -- have you scrubbed your root cert store lately?).

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth