On 01/16/2012 05:52 AM, Mark Mcgloin wrote:
Countermeasures:
First off the title: it says Countermeasures. Therefore, anything here
must be a real and meaningful "countermeasure".
1. The OAuth flow is designed so that client applications never need to
know user passwords. Client applications
those will be applicable to all developers
Regards
Mark
William Mills wrote on 05/01/2012 16:29:02:
>
> Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
>
> There's going to be a whole class of apps that will be in violation
> of "Client applicati
*From:* Mark Mcgloin
*To:* William Mills
*Cc:* Barry Leiba; Michael Thomas; oauth WG; oauth-boun...@ietf.org; Torsten Lodderstedt
*Sent:* Thursday, January 5, 2012 6:03 AM
*Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
Why do you think this William? Apple does it? Google android market had to
pull 30 apps recently because they contained malware. There are automated
tools that will do some sanity checks on apps
From: Mark Mcgloin
To: OAuth WG
Sent: Thursday, January 5, 2012 6:01 AM
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
Having read the suggested wording from Eran, William and Michael, I think
Eran's description is the most succinct and relevant: "OA
On 01/05/2012 07:54 AM, Justin Richer wrote:
However, the contention about native apps that Mike brings up is misleading for
one key reason: if the user's browser is compromised (which is the attack
vector in question), then all OAuth-backed webapps will *also* be compromised,
since the bad p
*From:* Michael Thomas
*To:* Barry Leiba
*Cc:* oauth WG
*Sent:* Wednesday, January 4, 2012 1:06 PM
*Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
On 01/04/2012
From:
Eran Hammer-Lahav
To:
Michael Thomas, Torsten Lodderstedt
Cc:
Barry Leiba, oauth WG
Date:
05/01/2012 00:05
Subject:
Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
Sent by:
oauth-boun...@ietf.org
-Original Message-
From: oauth-boun...@ietf.org [mailto
> From: Michael Thomas
> To: Torsten Lodderstedt
> Cc: Barry Leiba ; oauth WG
> Sent: Wednesday, January 4, 2012 3:40 PM
> Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
>
> On 01/04/2012 02:14 PM, Torsten Lodderstedt wrote:
> >
Mark
oauth-boun...@ietf.org wrote on 05/01/2012 00:05:04:
> From:
>
> Eran Hammer-Lahav
>
> To:
>
> Michael Thomas , Torsten Lodderstedt
>
> Cc:
>
> Barry Leiba , oauth WG
>
> Date:
>
> 05/01/2012 00:05
>
> Subject:
>
> Re: [OAUTH-WG]
*From:* Michael Thomas
*To:* Eran Hammer-Lahav
*Cc:* oauth WG ; Barry Leiba
*Sent:* Wednesday, January 4, 2012 4:39 PM
*Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
On 01/04/2012 04:05 PM, Eran Hammer-Lahav wrote:
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Michael Thomas
> Sent: Wednesday, January 04, 2012 3:40 PM
> My concern is that putting on a veneer of "security" will lull people into
> thinking "Oh, it's safe to enter my credentials her
*From:* Michael Thomas
*To:* Barry Leiba
*Cc:* oauth WG
*Sent:* Wednesday, January 4, 2012 1:06 PM
*Subject:* Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
From: Michael Thomas
To: Torsten Lodderstedt
Cc: Barry Leiba ; oauth WG
Sent: Wednesday, January 4, 2012 3:40 PM
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
On 01/04/2012 02:14 PM, Torsten Lodderstedt wrote:
>
Hi Michael,
Am 04.01.2012 22:06, schrieb Michael Thomas:
I think the "perhaps unwisely" goes to the heart of my objection. You
might as well be talking about "perhaps unwisely" driving a car,
or "perhaps unwisely" eating food: the reality is that people download
apps by the *billions*. When I w
On 01/04/2012 12:41 PM, Barry Leiba wrote:
up being a compromised browser or a native application that the user
perhaps unwisely installed, all the security in the framework goes out
the window, because an untrustworthy UA can fiddle with pretty much
everything.
I think the "per
> I have asked you to clearly describe the threat, not the mitigation.
>
> It obviously was either not clear or convincing the first time and I am not
> going to start digging through emails when you clearly understand it.
To try to shortcut this:
Mike did lay it out clearly, I think, in his first
> From:
>
> Michael Thomas
>
> To:
>
> Peter Saint-Andre
>
> Cc:
>
> Mark Mcgloin/Ireland/IBM@IBMIE, Barry Leiba
> , oauth WG , "oauth-
> boun...@ietf.org"
>
> Date:
>
> 04/01/2012 20:07
>
> Subject:
>
> Re: [OAUTH-WG] WGLC on dr
On 01/04/2012 11:47 AM, Peter Saint-Andre wrote:
I've already done that in my original last call comments. Given that you
rejected my comments out of hand, it doesn't appear that it was for
lack of clarity.
Mike, rather put off by the attitude of the editors in this wg
Mike:
In my experience, t
On 1/4/12 12:38 PM, Michael Thomas wrote:
> On 01/04/2012 03:42 AM, Mark Mcgloin wrote:
>> Hi Michael
>>
>> Can you clearly word the threat for which this countermeasure (or lack
>> of)
>> applies
>
> I've already done that in my original last call comments. Given that you
> rejected my comments o
Date:
03/01/2012 23:53
Subject:
Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-threatmodel-01, ends 9 Dec 2011
On 01/03/2012 03:46 PM, Phillip Hunt wrote:
-1. I think you should be suggesting alternative text at this
stage. We all have same responsibilities here.
My "responsibility", such as it is, is t
come up with a better mitigation, then that
*is* what should be there, not some hand waving nonsense that
doesn't work.
Mike, "instruct users..." feh
Regards
Mark
oauth-boun...@ietf.org wrote on 15/12/2011 18:15:45:
From:
Michael Thomas
To:
Phil Hunt
Cc:
Barry Leiba, oauth WG
Date:
15/12/2011 18:16
Subj
On 12/15/2011 09:54 AM, Phil Hunt wrote:
Note: one change recommended below...
With regards to 4.1.4…
4.1.4. Threat: End-user credentials phished using compromised or
embedded browser
A malicious application could attempt to phish end-user passwords by
misusing an embedded browser in the end-user authorization process,
This hasn't been addressed:
http://www.ietf.org/mail-archive/web/oauth/current/msg07867.html
Perhaps no one thinks it is a problem?
There are several grammatical nits that should be fixed. I've had all
the best intentions of reporting those last week but simply have not
yet had the time.
Regards,
> Working group last call begins today on the threat model document:
> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01
>
> Please review this version and post last call comments by 9 December.
Sorry, folks: I got a little behind here.
Working-group last call is now over. There were
Here's a reminder that we have about a week left for the working group
last call on this, a
Working group last call begins today on the threat model document:
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01
Please review this version and post last call comments by 9 December.
Barry, as chair
___
OAuth mailing list
OAuth@ietf.org