Acceptable, but not ideal
-Original Message-
From: Eran Hammer-Lahav [mailto:e...@hueniverse.com]
Sent: Sunday, September 04, 2011 4:20 PM
To: William J. Mills; Anthony Nadalin; Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: RE: [OAUTH-WG] Auth Code Swap Attack
This is my
ction 10.12.
>>
>> EHL
>>
>>> -Original Message-
>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>>> Of Eran Hammer-Lahav
>>> Sent: Sunday, September 04, 2011 4:20 PM
>>> To: William J. Mills; Anthony N
y, September 04, 2011 4:20 PM
>> To: William J. Mills; Anthony Nadalin; Torsten Lodderstedt
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>>
>> This is my proposed text for -21 (based on Bill's text as a starting point):
>&
04, 2011 4:20 PM
> To: William J. Mills; Anthony Nadalin; Torsten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
> This is my proposed text for -21 (based on Bill's text as a starting point):
>
> 10.12. Cross-Site Request Forger
ain authorization without the awareness and explicit consent of
the resource owner.
EHL
From: William J. Mills [mailto:wmi...@yahoo-inc.com]
Sent: Thursday, August 25, 2011 12:11 PM
To: Anthony Nadalin; Eran Hammer-Lahav; Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG
1 09:25:30 -0700
To: Anthony Nadalin <tony...@microsoft.com>
Cc: Eran Hammer-lahav <e...@hueniverse.com>,
Torsten Lodderstedt <tors...@lodderstedt.net>,
"OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
No that is not what I said; you seemed to have interpreted it that way,
From: Eran Hammer-Lahav [mailto:e...@hueniverse.com]
Sent: Thursday, August 25, 2011 9:54 AM
To: Anthony Nadalin; Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
Everyone
oauth@ietf.org)" <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Auth Code Swap Attack
I have not seen any updated text, so I don’t believe we have consensus. Also we
have a flawed protocol and we are not providing a fix, suggest that MUST be on
the state also unless someone has
n Hammer-Lahav
> Sent: Wednesday, August 24, 2011 7:54 AM
> To: Torsten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
> I believe we have full consensus on this approach.
>
> EHL
>
> From: Torsten Lodderstedt [mailto
ammer-Lahav
Sent: Wednesday, August 24, 2011 7:54 AM
To: Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
I believe we have full consensus on this approach.
EHL
From: Torsten Lodderstedt
[mailto:tors...@lodderstedt.net]
> I believe we have full consensus on this approach.
I agree, and I will close the issue.
Barry, happy chair
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
I believe we have full consensus on this approach.
EHL
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Tuesday, August 23, 2011 11:06 PM
To: Eran Hammer-Lahav
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
making CSRF prevention a MUST and
s the best approach?
EHL
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Sunday, August 21, 2011 11:04 AM
To: Eran Hammer-Lahav
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
My intention is to require clients to implement CSRF prevention. I
thou
That's what we are saying. Not sure what exactly are you arguing against now.
EHL
From: Anthony Nadalin [mailto:tony...@microsoft.com]
Sent: Monday, August 22, 2011 2:59 PM
To: Eran Hammer-Lahav; Phil Hunt
Cc: OAuth WG (oauth@ietf.org)
Subject: RE: [OAUTH-WG] Auth Code Swap Attack
Concern
something better the
so be it
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran
Hammer-Lahav
Sent: Monday, August 22, 2011 12:16 PM
To: Phil Hunt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
Sounds like a good compromise. I will play
com" <record...@gmail.com>, "OAuth WG
(oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
Eran, to summarize,
1. The server cannot tell if the client did its job - so t
s a MUST.
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On 2011-08-21, at 10:53 PM, Eran Hammer-Lahav wrote:
>
>
>> -Original Message-
>> From: Phil Hunt [mailto:phil.h...@oracle.com]
>> Sent: Sunday, August 21, 2011 10:39 PM
>> To: Davi
> -Original Message-
> From: Phil Hunt [mailto:phil.h...@oracle.com]
> Sent: Sunday, August 21, 2011 10:39 PM
> To: David Recordon
> Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
> I think the complication here
ent discussion, do you still feel that changing ‘state’
>> from optional to required is the best approach?
>>
>>
>>
>> EHL
>>
>>
>>
>> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
>> Sent: Sunday, August 21, 2011 11
‘state’
> from optional to required is the best approach?
>
>
>
> EHL
>
>
>
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Sunday, August 21, 2011 11:04 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
>
> Subject: Re: [OAUTH-WG]
st yet.
EHL
From: oauth-boun...@ietf.org
[mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Monday, August 15, 2011 9:35 AM
To: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
To dem
oun...@ietf.org [mailto:oauth-boun...@ietf.org] On
Behalf Of Eran Hammer-Lahav
Sent: Monday, August 15, 2011 9:35 AM
To: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
To demonstrate why making state required as proposed isn't very
helpful, here is an inco
Lahav
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
I felt the argument provided was persuasive and that the current spec leaves
implementers open to attack. I get concerned when the core spec says "OPTIONAL"
for state and then Security Considerations says RE
> To clarify – I am not proposing we close this issue just yet.
>
> EHL
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Eran Hammer-Lahav
> Sent: Monday, August 15, 2011 9:35 AM
> To: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUT
rify - I am not proposing we close this issue just yet.
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran
Hammer-Lahav
Sent: Monday, August 15, 2011 9:35 AM
To: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
To demonstrate why making st
server includes the value of the "state" parameter
when redirecting the user-agent back to the client which MUST then ensure the
received value matches the stored value.
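The state check described above, as an added example that is not code from the thread or from the OAuth specification: a client-side binding of `state` to the user-agent session, with single-use and constant-time comparison, so a callback that carries a code but not the session's own state is rejected. The endpoint URL, redirect URI and client id are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://authz.example/authorize"  # placeholder, not from the thread
REDIRECT_URI = "https://client.example/callback"     # placeholder, not from the thread


def begin_authorization(session: dict, client_id: str) -> str:
    """Start the authorization code flow for one user-agent session.

    The state value is unguessable, stored in the session belonging to the
    resource owner's user-agent, and sent on the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if state round-tripped intact.

    The stored value is consumed on first use, so a replayed or injected
    callback (the code-swap CSRF discussed in the thread) is refused."""
    expected = session.pop("oauth_state", None)  # single use
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state: not a response to a request this session made")
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        raise ValueError("state mismatch: possible CSRF / authorization code swap")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


def demo() -> dict:
    """Constructed scenario: the session's own callback succeeds; a callback
    delivering a foreign code without that session's state is rejected."""
    victim = {}
    url = begin_authorization(victim, "client-123")
    state = parse_qs(urlsplit(url).query)["state"][0]
    results = {"legitimate": handle_callback(dict(victim), f"{REDIRECT_URI}?code=OWN_CODE&state={state}")}
    for label, cb in [("no_state", f"{REDIRECT_URI}?code=FOREIGN_CODE"),
                      ("wrong_state", f"{REDIRECT_URI}?code=FOREIGN_CODE&state=guess")]:
        try:
            handle_callback(dict(victim), cb)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```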
____________
From: William J. Mills
To: Barry Leiba ; Anthony Nadalin
Cc: "OAuth WG (oauth@ietf.org
I think there are better discussions of it out there.
More later when I have more time to think on this.
-bill
From: Barry Leiba
To: Anthony Nadalin
Cc: "e...@sled.com" ; "OAuth WG (oauth@ietf.org)"
Sent: Monday, August 15, 2011 8:06 AM
S
ation can be
> non-intuitive or complicated for some developers/platforms.
>
>
>
> EHL
>
>
>
>
>
>
>
>
>
> From: Eran Hammer-Lahav
> Sent: Friday, August 12, 2011 2:53 PM
> To: Anthony Nadalin; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG]
some developers/platforms.
EHL
From: Eran Hammer-Lahav
Sent: Friday, August 12, 2011 2:53 PM
To: Anthony Nadalin; OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
This is really just a flavor of CSRF attacks. I have no objections to better
documenting it (tho
> I do not plan to publish another draft until this issue is closed and
> resolved.
> I plan to seek WG consensus to every change made to -21 prior to publication
> to reduce the need for another WG draft.
...
> and I informed the list of my intention of using the edited text. Mr. Nadalin
> then
> -Original Message-
> From: barryleiba.mailing.li...@gmail.com
> [mailto:barryleiba.mailing.li...@gmail.com] On Behalf Of Barry Leiba
> Sent: Monday, August 15, 2011 8:25 AM
> To: Eran Hammer-Lahav
> Cc: Anthony Nadalin; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAU
t;
>> -Original Message-
>> From: Anthony Nadalin [mailto:tony...@microsoft.com]
>> Sent: Monday, August 15, 2011 7:51 AM
>> To: Eran Hammer-Lahav; e...@sled.com; Torsten Lodderstedt
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: RE: [OAUTH-WG] Auth Code Swa
> I'll ask the chairs to open an issue for this.
The chairs consider themselves asked, and have opened a ticket:
http://trac.tools.ietf.org/wg/oauth/trac/ticket/23
> My proposed requires CSRF protected without adding additional requirements,
> and therefore, is within the scope of my editorial di
dderstedt; OAuth WG
> (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
> On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin
> wrote:
> > That's nice, four people come up with text and you decide to use your text.
> > Making state optional does nothi
sten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Subject: RE: [OAUTH-WG] Auth Code Swap Attack
>
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our
On Mon, Aug 15, 2011 at 10:51 AM, Anthony Nadalin wrote:
> That's nice, four people come up with text and you decide to use your text.
> Making state optional does nothing to fix the protocol issue, people will get
> this wrong and have. Our developers have been through this and agreed
> upon the
OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
I'm using my proposed text in -21.
EHL
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Saturday, August 13, 2011
I'm using my proposed text in -21.
EHL
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Saturday, August 13, 2011 8:14 AM
> To: Torsten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Su
tf.org)" <oauth@ietf.org>
Sent: Saturday, August 13, 2011 4:41 PM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
There are two CSRF variations scenarios that I see.
I can attack you and give my client access to your re
server".
- John
>
> Phil
>
> On 2011-08-13, at 21:16, "William J. Mills" wrote:
>
>> The defense is the same though, correct?
>>
>> From: Phil Hunt
>> To: Eran Hammer-Lahav
>> Cc: "OAuth WG (oauth@ietf.org)"
>> Se
Hi Tony (et al),
On Aug 12, 2011, at 3:06 PM, Anthony Nadalin wrote:
[…]
> 2.Gene opens the spam mail and clicks on the link.
> 3.The server running Basil's website initiates an authorization
> request to Live. The request uses Plaxo's redirection URI.
And why does Live
is the same though, correct?
>
> From: Phil Hunt
> To: Eran Hammer-Lahav
> Cc: "OAuth WG (oauth@ietf.org)"
> Sent: Saturday, August 13, 2011 4:41 PM
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
> There are two CSRF variations scenarios that I see.
>
The defense is the same though, correct?
From: Phil Hunt
To: Eran Hammer-Lahav
Cc: "OAuth WG (oauth@ietf.org)"
Sent: Saturday, August 13, 2011 4:41 PM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
There are two CSRF variations scenarios that I s
client.
>
> EHL
>
> From: Phil Hunt
> Date: Sat, 13 Aug 2011 00:21:50 -0700
> To: Torsten Lodderstedt
> Cc: Eran Hammer-lahav , "OAuth WG (oauth@ietf.org)"
>
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
>> +1 (to putting more detail in the T
w.rfc-editor.org/rfc/rfc6265.txt
-bill
From: Eran Hammer-Lahav
To: Phil Hunt ; Torsten Lodderstedt
Cc: "OAuth WG (oauth@ietf.org)"
Sent: Saturday, August 13, 2011 7:30 AM
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
All OAuth CSRF attacks are on the cl
ue stored with the resource
owner's user-agent.
EHL
From: Torsten Lodderstedt
Date: Fri, 12 Aug 2011 23:58:02 -0700
To: Eran Hammer-lahav
Cc: Anthony Nadalin , "OAuth WG (oauth@ietf.org)"
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
>
>
>
>
>
>
g)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
+1 (to putting more detail in the Threat Model document)
Yes, this is another CSRF attack (hence the change to 10.2).
What is *new* is this is an attack on the client application rather tha
+1 (to putting more detail in the Threat Model document)
Yes, this is another CSRF attack (hence the change to 10.2).
What is *new* is this is an attack on the client application rather than the
resource server. As such, I agree this new attack vector is well deserving of
wider review and disc
Am 12.08.2011 23:52, schrieb Eran Hammer-Lahav:
This is really just a flavor of CSRF attacks. I have no objections to
better documenting it (though I feel the current text is already
sufficient), but we can't realistically expect to identify and close
every possible browser-based attack. A ne
This is really just a flavor of CSRF attacks. I have no objections to better
documenting it (though I feel the current text is already sufficient), but we
can't realistically expect to identify and close every possible browser-based
attack. A new one is invented every other week.
The problem wi