On 01/04/2012 03:42 PM, William Mills wrote:
I think the threat draft should simply say, "OAuth does not and can not protect the 
user against credential compromise as a result of phishing, malware, social engineering, 
or machine compromise."

I could live with something like this, but I think it needs to be much more explicit that it applies to any authentication service that allows native apps as clients with no form of strong app vetting. It may even be useful to point to a couple of large deployments who are at risk from this, like, oh say, twitterbook.

If this draft doesn't take a strong stand against that practice, it's doing nothing more than giving a wink and a nod that what twitterbook is currently doing is safe. That's bad, but I suspect it's the elephant in the room.

Mike


Get rid of the fancy rhetoric, we don't need to explain a lot more than this.

I don't agree that OAuth purports to solve these problems. What it solves is 
limiting the credentials granted to allow the user more control and limited 
damage in the event of credential misuse.

-bill

*From:* Michael Thomas <m...@mtcc.com>
*To:* Barry Leiba <barryle...@computer.org>
*Cc:* oauth WG <oauth@ietf.org>
*Sent:* Wednesday, January 4, 2012 1:06 PM
*Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011

On 01/04/2012 12:41 PM, Barry Leiba wrote:
> up being a compromised browser or a native application that the user
> perhaps unwisely installed, all the security in the framework goes out
    ^^^^^^^^^
> the window, because an untrustworthy UA can fiddle with pretty much
> everything.
>

I think the "perhaps unwisely" goes to the heart of my objection. You
might as well be talking about "perhaps unwisely" driving a car,
or "perhaps unwisely" eating food: the reality is that people download
apps by the *billions*.  When I was initially blown off, many of the
participants including document editors implied that only idiots get
apps for their phones. That is *completely* unhelpful as the reality
is that OAUTH's use is hugely if not primarily deployed in that sort of
environment.

This is a threat that cuts to the very heart of what OAUTH is, and purports
to defend against: keeping user credentials out of the hands of an
untrusted third party. If there really aren't any good ways to mitigate this
in an app environment, why is OAUTH being deployed so aggressively there?
Shouldn't the threat draft say in blinking bold: "DEPLOYING OAUTH
IN NATIVE APPS CONSIDERED HARMFUL"?

Mike
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth