Hi all,

@David: Thanks for reporting this issue.

Mark, Phil and I discussed the errata and came to the following conclusion:

The introduction is correct because this section is about "DoS Attacks That Exhaust Resources" caused by the fact that the AS creates a nontrivial amount of entropy for every token. BUT one recommended countermeasure is

- The authorization server should include a nontrivial amount of entropy in authorization "codes"

which definitely does not make sense because it recommends doing what the AS already does (and what enables this attack angle).

Our recommendation as authors is to remove this bullet.

Kind regards,
Torsten.

On 09.02.2015 at 21:10, RFC Errata System wrote:
The following errata report has been submitted for RFC6819,
"OAuth 2.0 Threat Model and Security Considerations".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6819&eid=4267

--------------------------------------
Type: Editorial
Reported by: David Gladstone <david.gladst...@nib.co.nz>

Section: 4.4.1.11

Original Text
-------------
If an authorization server includes a nontrivial amount of entropy

Corrected Text
--------------
If an authorization server includes a trivial amount of entropy

Notes
-----
The threat being described outlines a scenario where too little entropy is involved; countermeasures include using non-trivial amounts of entropy.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6819 (draft-ietf-oauth-v2-threatmodel-08)
--------------------------------------
Title               : OAuth 2.0 Threat Model and Security Considerations
Publication Date    : January 2013
Author(s)           : T. Lodderstedt, Ed., M. McGloin, P. Hunt
Category            : INFORMATIONAL
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth