Issue here is that guarantees (and what you want as a guarantee may not be what somebody else wants) can vary depending on scenario and deployment.

-----Original Message-----
From: Richard L. Barnes [mailto:rbar...@bbn.com]
Sent: Tuesday, November 09, 2010 12:54 AM
To: tors...@lodderstedt.net
Cc: Anthony Nadalin; Tschofenig, Hannes; ab...@ietf.org; r...@ietf.org; i...@ietf.org; sec...@ietf.org; web...@ietf.org; x...@ietf.org; kit...@ietf.org; i...@iab.org Board; i...@ietf.org; oauth@ietf.org
Subject: Re: [secdir] [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

I would say that the security considerations should be based on a model of OAuth. Start with a model of the protocol and the guarantees you want, then explain how to use security mechanisms to achieve those guarantees.

I promised Hannes today to do a review of the current document (which I admit I haven't read) and start on some security considerations from that perspective. So expect that in the next few weeks.

--Richard

On 11/9/10 4:07 PM, tors...@lodderstedt.net wrote:
> We think the security considerations should be based on a threat model of OAuth. But a complete threat model would blow up the spec.
>
> We therefore aim to produce a separate security document (informational I-D/RFC) covering threat model as well as security design and considerations. The security considerations section of the core spec can then be distilled from this document.
>
> Regards,
> Torsten.
>
> Sent with BlackBerry(r) Webmail from Telekom Deutschland
>
> -----Original Message-----
> From: Anthony Nadalin <tony...@microsoft.com>
> Date: Tue, 9 Nov 2010 01:54:57
> To: Torsten Lodderstedt <tors...@lodderstedt.net>; Hannes Tschofenig <hannes.tschofe...@gmx.net>
> Cc: ab...@ietf.org <ab...@ietf.org>; r...@ietf.org <r...@ietf.org>; i...@ietf.org <i...@ietf.org>; sec...@ietf.org <sec...@ietf.org>; web...@ietf.org <web...@ietf.org>; x...@ietf.org <x...@ietf.org>; kit...@ietf.org <kit...@ietf.org>; i...@iab.org Board <i...@iab.org>; i...@ietf.org <i...@ietf.org>; oauth@ietf.org <oauth@ietf.org>
> Subject: RE: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>
> I was looking for less of an analysis and more of considerations (of the current flows and actors). I'm not sure how to adapt what you have done to actually fit in the current specification; was your thought that you would produce a separate security analysis document?
>
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt
> Sent: Sunday, November 07, 2010 3:04 PM
> To: Hannes Tschofenig
> Cc: ab...@ietf.org; r...@ietf.org; i...@ietf.org; sec...@ietf.org; web...@ietf.org; x...@ietf.org; kit...@ietf.org; i...@iab.org Board; i...@ietf.org; oauth@ietf.org
> Subject: Re: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **
>
> Hi all,
>
> Mark McGloin and I have been working on OAuth 2.0 security considerations for a couple of weeks now. Since we both cannot attend the IETF-79 meetings, we would like to provide the WG with information regarding the current status of our work. I therefore uploaded a _preliminary_ version of our working document to the WG's wiki at http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf.
>
> The focus of this version was on consolidating previous work as well as results of mailing list discussions and starting to work towards a rigorous threat model.
>
> Please give us feedback.
>
> regards,
> Torsten.
>
> On 07.11.2010 03:22, Hannes Tschofenig wrote:
>> Hi all,
>>
>> please consider attending the following two meetings!
>>
>> ** OAuth Security Session **
>>
>> * Date: Monday, 13:00-15:00
>> * Location: IAB breakout room (Jade 2)
>> * Contact: Hannes Tschofenig hannes.tschofe...@gmx.net
>>
>> The security consideration section of OAuth 2.0 (draft -10) is still empty. Hence, we would like to put some time aside to discuss what security threats, requirements, and countermeasures need to be described. We will use the Monday, November 8, 1300-1500 slot to have a discussion session.
>>
>> As a starting point I suggest looking at the following documents:
>>
>> * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
>> * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
>> * http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt
>>
>> Note: If you are unfamiliar with OAuth then the OAuth tutorial session might be more suitable for you!
>>
>> ** OAuth Tutorial **
>>
>> * Date: Wednesday, 19:30 (after the plenary)
>> * Location: IAB breakout room (Jade 2)
>> * Contact: Hannes Tschofenig hannes.tschofe...@gmx.net
>>
>> OAuth allows a user to grant a third-party Web site or application access to their resources, without necessarily revealing their credentials, or even their identity. The OAuth working group, see http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to finalize their main specification, namely OAuth v2: http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/
>>
>> Based on the positive response at the last IETF meeting (in Maastricht) we decided to hold another OAuth tutorial, namely on Wednesday, starting at 19:30 (after the IETF Operations and Administration Plenary) till about 21:00. (Note: I had to switch the day because of the social event!)
>>
>> It is helpful to read through the documents available in the working group but not required.
>>
>> Up-to-date information can be found here: http://www.ietf.org/registration/MeetingWiki/wiki/79bofs
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> secdir mailing list
> sec...@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir