> I have asked you to clearly describe the threat, not the mitigation.
>
> It obviously was either not clear or convincing the first time and I am not
> going to start digging through emails when you clearly understand it.
To try to shortcut this: Mike did lay it out clearly, I think, in his first note (which I linked at the beginning of this thread), and that should be the only one that needs to be read to understand his point.

The basic point is that the OAuth framework relies on both the end user and the authorization server being able to trust the user's UA. If that winds up being a compromised browser or a native application that the user perhaps unwisely installed, all the security in the framework goes out the window, because an untrustworthy UA can fiddle with pretty much everything. Mike's note said much more than that, but I think I've encapsulated things in an oversimplified version above.

I agree that this is something that needs to be made very clear... and that I don't see any way to mitigate it -- it's basically an aspect of what we're working with here. I don't think this is a difficult issue to document, and perhaps two paragraphs should be enough to do it. Identifying the right place and the right two paragraphs should be something that a combination of Mike and the document editors can do, if you can do it without getting on each other's nerves. :-)

Barry

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth