Hi Vladimir,

this is exactly what we did in our research paper. We also analyzed and
established a proof of security for one of the proposed mitigations.

Of course, any proof always depends on some assumptions (e.g., no
untrusted third-party code on RP's web site) and aims at specific
security properties.

As you can see from the paper, due to the web itself being complex, the
analysis is also rather lengthy.

In the related work section we also refer to other approaches to
formally analyzing web protocols. We do not think that approaches
"unrelated to web protocols" can produce useful results, because the web
brings many very specific features and constraints.

Cheers,
Daniel

On 23.02.2016 10:09, Vladimir Dzhuvinov wrote:
> Hi Mike,
> 
> You mention that you spent considerable time in research. I wonder if
> there is existing theory, in communications or information theory, that
> can be used to formally establish and prove (or disprove) the security
> of the proposed OAuth measures? Perhaps some work that is totally
> unrelated to identity and the web protocols, but could well apply here?
> 
> My reasoning is that we have a closed system that is fairly simple, so
> formal analysis must be entirely possible.
> 
> 1. We have 5 parties (client, AS, RS, user, user agent).
> 
> 2. The OAuth protocol follows a simple and well-defined pattern of
> messages between the parties.
> 
> 3. The points and the number of ways by which an adversary may break
> into OAuth must therefore be finite.
> 
> 4. The security requirement is essentially to guarantee the precedence
> and authenticity of the messages from discovery endpoint to RS, and the
> preferred way to do that is by establishing a binding between the
> messages, which can be forward or backward binding.
> 
> 
> Right now the WG concern is whether all possible attacks have been
> recognised, and then taken care of. If we can have a formal model that
> can reliably reveal and prove that, this will be a huge breakthrough.
> 
> Cheers,
> 
> Vladimir
> 
> 

-- 
Information Security and Cryptography
Universität Trier - Tel. 0651 201 2847 - H436

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth