On Wed, Apr 14, 2010 at 5:06 PM, Allen Tom <a...@yahoo-inc.com> wrote:
> As a security person, I'm hesitant to bring this up, but perhaps the Device
> Flow should just be the flow for native client apps.

I'm open to this.

I'd suggest differentiating between devices that can open a web
browser (native apps), and apps that can't open a browser
(refrigerators).

For refrigerators: you need a device code that is short enough to
type.  Because the code is short, an attacker could theoretically
brute force the code and link someone else's device to the attacker's
account.   See [2] for the math on how long the attack would take.

For native apps: the native app can open a web browser with the device
code on the URL.  The code can be very long and impossible to
brute-force.  The session fixation/phishing attack still exists, but I
agree that could be addressed with good UI.

[2] 
http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/OAuth%20WRAP%202.0%20Security%20Considerations.pdf,
last two pages have the math on the device profile.  Marius has
pointed out that the device secret completely prevents one of the
attacks I was worried about.  But brute forcing the device code is
still a risk.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
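The risk Brian describes for typed device codes, as an added worked example that is not part of the thread or of the WRAP draft it cites: the probability model is the generic one (each guess is a uniform draw against the live codes, capped by a per-source rate limit over the code lifetime), not the specific math in reference [2]. The digit alphabet, 8-character length, 10-minute lifetime, 10 submissions per minute, the in-memory stores and the `UserCodeVerifier` class are all assumptions chosen for illustration. The same function also shows why a long code carried on a URL, as in the native-app case, drives the probability to zero.

```python
"""Estimate and bound brute-force risk for typed device-flow user codes.

Constructed example; the policy numbers are assumptions, not values from
any draft or from the mailing-list thread.
"""
import math
import secrets
import string
from dataclasses import dataclass

# Hypothetical alphabets: digits for appliance keypads, URL-safe chars for
# a code the native app hands to the browser on the URL.
DIGITS = "0123456789"
URLSAFE = string.ascii_letters + string.digits + "-_"   # 64 symbols


@dataclass(frozen=True)
class CodePolicy:
    alphabet: str
    length: int                # characters the user must type
    lifetime_s: int            # how long a pending user code stays redeemable
    attempts_per_min: int      # server-side cap on code submissions per source

    @property
    def code_space(self) -> int:
        return len(self.alphabet) ** self.length

    @property
    def entropy_bits(self) -> float:
        return self.length * math.log2(len(self.alphabet))

    def guesses_per_source(self) -> int:
        """Guesses one rate-limited source can make before a code expires."""
        return self.attempts_per_min * self.lifetime_s // 60


def hijack_probability(policy: CodePolicy, pending_codes: int = 1,
                       sources: int = 1) -> float:
    """Chance that random submissions from `sources` rate-limited origins match
    at least one of `pending_codes` live codes before they expire, which would
    link a stranger's device to the guesser's account.  Each guess is modelled
    as a uniform draw that hits with probability pending / code_space."""
    guesses = policy.guesses_per_source() * sources
    p_hit = pending_codes / policy.code_space
    return 1.0 - (1.0 - p_hit) ** guesses


class UserCodeVerifier:
    """Authorization-server side of the typed-code step (hypothetical class):
    a logged-in user types the code shown on the device and the server binds
    that device's pending request to the user's account.  Failures are counted
    per source and locked out; that cap is what keeps guesses_per_source small."""

    def __init__(self, policy: CodePolicy, max_failures: int) -> None:
        self.policy = policy
        self.max_failures = max_failures
        self.pending: dict[str, str] = {}    # user_code -> device_code (in-memory)
        self.linked: dict[str, str] = {}     # device_code -> account (in-memory)
        self.failures: dict[str, int] = {}   # source_id -> failed submissions

    def issue(self) -> tuple[str, str]:
        """Create a short typed user code plus a long device code for polling."""
        while True:
            user_code = "".join(secrets.choice(self.policy.alphabet)
                                for _ in range(self.policy.length))
            if user_code not in self.pending:      # never let two devices share a code
                break
        device_code = secrets.token_urlsafe(32)    # ~256 bits, never typed by a human
        self.pending[user_code] = device_code
        return user_code, device_code

    def verify(self, source_id: str, typed: str, account: str) -> str:
        """Return 'locked', 'unknown' or 'linked'."""
        if self.failures.get(source_id, 0) >= self.max_failures:
            return "locked"
        normalized = typed.replace("-", "").replace(" ", "").upper()
        device_code = self.pending.pop(normalized, None)   # a code is redeemable once
        if device_code is None:
            self.failures[source_id] = self.failures.get(source_id, 0) + 1
            return "unknown"
        self.linked[device_code] = account
        return "linked"


if __name__ == "__main__":
    fridge = CodePolicy(alphabet=DIGITS, length=8, lifetime_s=600, attempts_per_min=10)
    native = CodePolicy(alphabet=URLSAFE, length=43, lifetime_s=600, attempts_per_min=10)
    print(f"typed code: {fridge.entropy_bits:.1f} bits, "
          f"p(hijack, 1 pending) = {hijack_probability(fridge):.2e}")
    print(f"URL code:   {native.entropy_bits:.1f} bits, "
          f"p(hijack, 1 pending) = {hijack_probability(native):.2e}")
```

The estimator makes the trade-off explicit: the server cannot lengthen a code people must type, so the probability is governed by the rate limit, the code lifetime and how many codes are pending at once, which is why the verifier locks a source out after a few failures and expires each code on first use.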
