There is a lot of history on this thread. At the heart of it is a request from a working group member that the specification make it clear that OAuth does not protect against malware and viruses, or other malicious software installed on the user device. During the first (or second, I can't recall) run of this debate, the chair *did* make a consensus call that the WG did not feel this was an OAuth-specific threat. The chair's proposed resolution at the time was clearly too vague to close the issue, and hence we are still arguing about it.
Adding the requested threat will make the document look less credible for stating the obvious. I do not agree that any threat mentioned should be listed. At some point, and we're almost there, you lose the forest for the trees. And BTW, as a response to Michael's original comment, I have requested that the threat of earthquakes also be listed under UX considerations, to prevent a user from clicking 'Approve' during an earthquake if it is too close to the 'Deny' button. Is my threat, which is clearly valid (no matter how unlikely), going to be added as well? Please don't, but I hope you see my point here. Many bad things can happen to you while using OAuth.

I don't care how this is resolved. At this point I don't mind the threat being added just to close the issue.

EH

> -----Original Message-----
> From: Derek Atkins [mailto:de...@ihtfp.com]
> Sent: Tuesday, April 24, 2012 10:11 AM
> To: Eran Hammer
> Cc: oauth-cha...@tools.ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
>
> Eran Hammer <e...@hueniverse.com> writes:
>
> > We've been kicking this can of silliness for months now because one
> > person refuses to move on even in the face of otherwise unanimous
> > consensus from the group.
> >
> > Chairs - Please take this ridiculous and never-ending thread off list
> > and resolve it once and for all.
>
> Sure, I'll gladly stop the thread when the document is updated to actually
> mention all threats that someone has considered and brought to the group's
> attention. That *is* the point of a threats document, after all.
>
> In a threats document nothing should be implicit or assumed -- the reader
> does not have the advantage of our group's knowledge of the space or
> operational guidance. As a result, everything should be explicitly stated.
>
> Every threat that is brought to the attention of this group should be
> mentioned, explicitly, even if it's only a single sentence as part of a
> paragraph of "threats that fall outside the aforementioned assumptions"
> or "threats that have a simple workaround".
>
> -derek
>
> --
> Derek Atkins 617-623-3745
> de...@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant