Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Sat, 20 Feb 2016 01:54:00 -0800 

We can and will bring more of the threat descriptions into the full document.  
For what it's worth, in the initial versions we referenced the German 
researcher's threat descriptions but intentionally didn't try to repeat them in 
detail in the spec, so that people would read their research publications if 
they wanted to know more.  The researchers did the hard work to discover the 
problems and deserved credit for them.

Have you read both of their publications?  If not, do yourself a favor and do.  
They're actually both very readable and quite informative.

                                Cheers,
                                -- Mike

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Saturday, February 20, 2016 1:47 AM
To: William Denniss <wdenn...@google.com>; Phil Hunt (IDM) 
<phil.h...@oracle.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for 
Adoption

Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since the motivate the reason for 
doing the work but there is nothing in these publications that raises 
interoperability concerns.

I believe the solution documents need to be descriptive enough that they 
explain the threats so that a reader who does not read through the informative 
reference section still understands what's going on.

> For my own knowledge: what are some of the use-cases that are subject 
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist which 
> are mitigated by this draft?

This is something I criticized in my review as well. IMHO the documents could 
do a better job in describing the threats and particularly the assumptions that 
need to hold in order for the attacks to work. Without those it will be 
difficult to inform readers when this is a concern and what level of risk this 
represents.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to