Phil said...

> **However** Editorially I feel strongly the comments fall outside the intended scope and purpose for this document. This document is about threats specifically related to the OAuth protocol. Its intent is to go beyond security considerations to give implementers a feel for the issues the group has considered specific to the protocol.
>
> Michael's comments are directed at general trusted computing platform. And while I agree they are valid, they don't fit in this document.
I'll add one thing to this consideration: while I agree that we can't discuss every threat that one might encounter in a web services environment, I think it's useful and important to discuss issues that people are likely to think are addressed, mitigated, or solved by OAuth, *even if we don't think that, and even if we know they're not really OAuth issues.*

DKIM had a related problem (which I do NOT want to open up for discussion here; I mention it only for comparison). DKIM was often oversold as being something that would "block spam" or "stop phishing in its tracks." It will do neither, though it's a tool to be used in systems that aim at both.

Similarly, while OAuth solves a real problem and is a good step, it will not *stop* impersonation attacks, credential-theft attacks, and so on. We all know that, but many people who will read the OAuth spec will think it can do that. The threats document should be addressing that "overselling" problem[1], and if that means highlighting a few things that we think should be obvious, I'm in favour of it. I think the things that Mike Thomas has brought up fall into that category.

I'm sympathetic to the argument that this is a long document, bordering on (or perhaps having crossed the border into) "tl;dr" territory. Perhaps there are other things that can be trimmed. But at this point, I've made a proposal to add a few paragraphs, and mostly (not completely) gotten feedback from the editors that my text is acceptable. Mike has asked for one paragraph to be added to that, and I think his proposal is reasonable. If we go with that set of additions, I think we'll address some of the overselling problem, and I think the document will be better for it.

If the editors want to post my suggested addition here, they may do so; yes, it was meant for a small group to iron out first, but the WG will have to see and agree to it at some point anyway.
If the editors want to trim a bit elsewhere in the document to make room, they may also do that -- with the consent of the WG. But let's please not get hung up on this to the point of losing traction on the whole document.

And everyone please relax and not get hot or snarky: we're all trying to make a better document, and calm discussion, rather than sarcasm and hyperbole, is the best way to do that. We're almost there. We'll get there soon.

Barry, document shepherd

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth