On 09.11.2010 16:51, Hannes Tschofenig wrote:
Hi Mark, Richard, and Torsten,

there is certainly a very good piece of work available to us for getting the 
security consideration text pulled together.
We still have to find out how to best tackle the work. We obviously cannot put 
an extended version of the current document into the security consideration 
section of the OAuth main specification.

I see two main objectives:
- getting confidence in the security of the protocol
- document security aspects to be taken into considerations by implementers (security considerations)

I would propose the following approach:

We enhance the security document based on the feedback from your security sessions and Richard's contributions. Having taken a look at http://tools.ietf.org/html/draft-barnes-oauth-model-01, I would say the objective of this document is comparable to our document, whereas the approach differs. I assume we will find a common way, although I believe that the level of detail in draft-barnes-oauth-model-01 could be too much for OAuth 2.0 because of the significantly increased protocol features. But I am (and I think Mark as well) open to proposals on the approach to be taken.

I would expect this revision to take until the end of the year. The result should be reviewed by the WG.

Once we have gained confidence in the security properties of the protocol itself, we start deriving the security considerations for the different specs (core, bearer token, signed requests) from the security document.

What do you think?

regards,
Torsten.
Note: I have taken the other mailing lists off CC to avoid cross-posting.

Ciao
Hannes


On Nov 9, 2010, at 10:54 PM, Mark Mcgloin wrote:

When Torsten and I started pulling together the security considerations
over the last 4-6 weeks, we toyed with the idea of either populating the
security considerations section of the protocol with a list/tree of
considerations, or creating a more comprehensive document to ensure we
covered all aspects, list security features and which would also act as a
security aid to developers implementing the oauth protocol. We decided on
the latter and agreed it could later be distilled down to something that
will fit into the security considerations section of the protocol.

Bear in mind the document needs tidying, but we wanted to push something in
before the security meeting in China.

Regards
Mark McGloin

oauth-boun...@ietf.org wrote on 09/11/2010 08:53:40:

From: "Richard L. Barnes" <rbar...@bbn.com>
Sent by: oauth-boun...@ietf.org
Date: 09/11/2010 08:53
To: tors...@lodderstedt.net
cc: "ab...@ietf.org" <ab...@ietf.org>, "r...@ietf.org" <r...@ietf.org>,
"i...@ietf.org" <i...@ietf.org>, "sec...@ietf.org" <sec...@ietf.org>,
"web...@ietf.org" <web...@ietf.org>, "x...@ietf.org" <x...@ietf.org>,
"kit...@ietf.org" <kit...@ietf.org>, "i...@iab.org Board" <i...@iab.org>,
"i...@ietf.org" <i...@ietf.org>, "Tschofenig, Hannes" <hannes.tschofe...@gmx.net>,
"oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [secdir] ** OAuth Tutorial & OAuth Security Session **

I would say that the security considerations should be based on a model
of OAuth.  Start with a model of the protocol and the guarantees you
want, then explain how to use security mechanisms to achieve those
guarantees.

I promised Hannes today to do a review of the current document (which I
admit I haven't read) and start on some security considerations from
that perspective.  So expect that in the next few weeks.

--Richard




On 11/9/10 4:07 PM, tors...@lodderstedt.net wrote:
We think the security considerations should be based on a threat
model of OAuth. But a complete threat model would blow up the spec.
We therefore aim to produce a separate security document
(informational I-D/RFC) covering threat model as well as security
design and considerations. The security considerations section of
the core spec can then be distilled from this document.
Regards,
Torsten.
Sent with BlackBerry® Webmail from Telekom Deutschland

-----Original Message-----
From: Anthony Nadalin<tony...@microsoft.com>
Date: Tue, 9 Nov 2010 01:54:57
To: Torsten Lodderstedt<tors...@lodderstedt.net>; Hannes
Tschofenig<hannes.tschofe...@gmx.net>
Cc: ab...@ietf.org<ab...@ietf.org>; r...@ietf.org<r...@ietf.org>;
i...@ietf.org<i...@ietf.org>; sec...@ietf.org<sec...@ietf.org>;
web...@ietf.org<web...@ietf.org>; x...@ietf.org<x...@ietf.org>;
kit...@ietf.org<kit...@ietf.org>; i...@iab.org Board<i...@iab.org>;
i...@ietf.org<i...@ietf.org>; oauth@ietf.org<oauth@ietf.org>
Subject: RE: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

I was looking for less of an analysis and more of considerations
(of the current flows and actors). I'm not sure how to adapt what
you have done to actually fit in the current specification. Was your
thought that you would produce a separate security analysis document?
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
Behalf Of Torsten Lodderstedt
Sent: Sunday, November 07, 2010 3:04 PM
To: Hannes Tschofenig
Cc: ab...@ietf.org; r...@ietf.org; i...@ietf.org; sec...@ietf.org;
web...@ietf.org; x...@ietf.org; kit...@ietf.org; i...@iab.org Board;
i...@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] ** OAuth Tutorial & OAuth Security Session **

Hi all,

Mark McGloin and I have been working on OAuth 2.0 security
considerations for a couple of weeks now. Since we both cannot
attend the IETF-79 meetings, we would like to provide the WG with
information regarding the current status of our work. I have therefore
uploaded a _preliminary_ version of our working document to the WG's wiki
at
http://trac.tools.ietf.org/wg/oauth/trac/attachment/wiki/SecurityConsiderations/oauth20_seccons_20101107.pdf
The focus of this version was on consolidating previous work as
well as results of mailing list discussions and starting to work
towards a rigorous threat model.
Please give us feedback.

regards,
Torsten.

On 07.11.2010 03:22, Hannes Tschofenig wrote:
Hi all,

please consider attending the following two meetings!

** OAuth Security Session **

   * Date: Monday, 13:00-15:00
   * Location: IAB breakout room (Jade 2)
   * Contact: Hannes Tschofenig hannes.tschofe...@gmx.net

The security considerations section of OAuth 2.0 (draft -10) is still empty.
Hence, we would like to put some time aside to discuss what security
threats, requirements, and countermeasures need to be described. We
will use the Monday, November 8, 1300-1500 slot to have a discussion
session.
As a starting point I suggest looking at the following documents:

   * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SecurityConsiderations
   * http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy
   * http://tools.ietf.org/id/draft-tschofenig-oauth-signature-thoughts-00.txt

Note: If you are unfamiliar with OAuth, then the OAuth tutorial
session might be more suitable for you!


** OAuth Tutorial **

   * Date: Wednesday, 19:30 (after the plenary)
   * Location: IAB breakout room (Jade 2)
   * Contact: Hannes Tschofenig hannes.tschofe...@gmx.net

OAuth allows a user to grant a third-party Web site or application
access to their resources, without necessarily revealing their
credentials, or even their identity. The OAuth working group, see
http://datatracker.ietf.org/wg/oauth/charter/, is currently trying to
finalize their main specification, namely OAuth v2:
http://datatracker.ietf.org/doc/draft-ietf-oauth-v2/

Based on the positive response at the last IETF meeting (in
Maastricht) we decided to hold another OAuth tutorial, namely on
Wednesday, starting at 19:30 (after the IETF Operations and
Administration Plenary) till about 21:00. (Note: I had to switch the
day because of the social event!)

It is helpful, but not required, to read through the documents
available in the working group.
Up-to-date information can be found here:
http://www.ietf.org/registration/MeetingWiki/wiki/79bofs

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
secdir mailing list
sec...@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
_______________________________________________
Kitten mailing list
kit...@ietf.org
https://www.ietf.org/mailman/listinfo/kitten
