Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Torsten Lodderstedt
AM To: Eran Hammer-Lahav Cc: Niv Steingarten; oauth@ietf.org Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) It is a native app and it is external wrt the browser. regards, Torsten. On Wed, 14 Sep 2011 06:59:47 -0700, Eran Hammer-Lahav wrote: > Is this malici

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Eran Hammer-Lahav
g > Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > It is a native app and it is external wrt the browser. > > regards, > Torsten. > > On Wed, 14 Sep 2011 06:59:47 -0700, Eran Hammer-Lahav wrote: > > Is this malicious piece of s

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Torsten Lodderstedt
- From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Wednesday, September 14, 2011 6:51 AM To: Eran Hammer-Lahav Cc: Niv Steingarten; oauth@ietf.org Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi Eran, >> As far as I understood, in a textboo

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Eran Hammer-Lahav
r-Lahav > Cc: Niv Steingarten; oauth@ietf.org > Subject: RE: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > Hi Eran, > > >> As far as I understood, in a textbook CSRF attack the attacker would > >> create his own requests in order to ab

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-14 Thread Torsten Lodderstedt
Hi Eran, As far as I understood, in a textbook CSRF attack the attacker would create his own requests in order to abuse a user's session. This can be prevented by utilizing standard CSRF countermeasures (page token, nonce, signature as parameter on every request URL), which bind URLs to a cert

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-09-04 Thread Eran Hammer-Lahav
Sorry for the late response. > -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Sunday, August 21, 2011 10:59 AM > To: Eran Hammer-Lahav > Cc: Niv Steingarten; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comme

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-28 Thread Torsten Lodderstedt
no comments? On 21.08.2011 19:59, Torsten Lodderstedt wrote: Hi Eran, This is still just a CSRF attack. I think you may be right. I still believe this particular style of attack on the authorization server is worth mentioning, be it in its own separate section or under the existing CSRF s

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-21 Thread Torsten Lodderstedt
Hi Eran, This is still just a CSRF attack. I think you may be right. I still believe this particular style of attack on the authorization server is worth mentioning, be it in its own separate section or under the existing CSRF section (as you suggested). This is not a style of attack but techn

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
leave that up to the editors of that document. EHL From: William J. Mills [mailto:wmi...@yahoo-inc.com] Sent: Thursday, August 18, 2011 9:21 PM To: Niv Steingarten Cc: Eran Hammer-Lahav; oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) While I agr

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
is in the right way in the spec. From: Niv Steingarten To: William J. Mills Cc: Eran Hammer-Lahav ; "oauth@ietf.org" Sent: Thursday, August 18, 2011 6:06 PM Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) I suppose

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
To: Eran Hammer-Lahav > Cc: "oauth@ietf.org" > Sent: Thursday, August 18, 2011 4:33 PM > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > How about add something like this as the second paragraph in 10.12: > >   The aut

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
I proposed text that I think is more complete in a previous message... From: Niv Steingarten To: Eran Hammer-Lahav Cc: "oauth@ietf.org" Sent: Thursday, August 18, 2011 4:33 PM Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Imp

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
August 18, 2011 1:04 PM >> To: Eran Hammer-Lahav >> Cc: Torsten Lodderstedt; oauth@ietf.org >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner >> Impersonation) >> >> On Thu, Aug 18, 2011 at 22:19, Eran Hammer-Lahav >> wrote: >

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: Niv Steingarten [mailto:nivst...@gmail.com] > Sent: Thursday, August 18, 2011 1:04 PM > To: Eran Hammer-Lahav > Cc: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
ilto:nivst...@gmail.com] >> >> Sent: Thursday, August 18, 2011 11:08 AM >> >> To: Eran Hammer-Lahav >> >> Cc: Torsten Lodderstedt; oauth@ietf.org >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner >> >> Impersonat

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
Hammer-Lahav Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) This is, in my opinion, another style of CSRF. If the attacker presents your browser (user agent) with a link, and your browser presents a credential automatically to the token endpoint

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread William J. Mills
mehow informing the user what they are doing is a bad thing). -bill From: Niv Steingarten To: Eran Hammer-Lahav Cc: "oauth@ietf.org" Sent: Thursday, August 18, 2011 12:11 PM Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Imper

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: Niv Steingarten [mailto:nivst...@gmail.com] > Sent: Thursday, August 18, 2011 12:12 PM > To: Eran Hammer-Lahav > Cc: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
ilto:nivst...@gmail.com] >> >> Sent: Thursday, August 18, 2011 10:16 AM >> >> To: Eran Hammer-Lahav >> >> Cc: Torsten Lodderstedt; oauth@ietf.org >> >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner >> >> Impersonation) >

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: Niv Steingarten [mailto:nivst...@gmail.com] > Sent: Thursday, August 18, 2011 11:08 AM > To: Eran Hammer-Lahav > Cc: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
On Thu, Aug 18, 2011 at 20:31, Eran Hammer-Lahav wrote: > > >> -Original Message- >> From: Niv Steingarten [mailto:nivst...@gmail.com] >> Sent: Thursday, August 18, 2011 10:16 AM >> To: Eran Hammer-Lahav >> Cc: Torsten Lodderstedt; oauth@ietf.org >

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Barry Leiba
>> Yes, the example I provided is a very lightweight one which does take the >> form of CSRF, but it is only the simplest example of a family of automated >> authorization flow attacks. Indeed, a nonce (or hidden token, both serve the >> same purpose in this case) would be enough here. > > Great. S

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Barry Leiba
> I'd like to ask the chairs to open an issue for this. http://trac.tools.ietf.org/wg/oauth/trac/ticket/24 > I didn't realize how hyper sensitive this working group has become that every > proposal being questioned needs a ticket to prove to people that they are not > being dismissed. It's OK: t

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: Niv Steingarten [mailto:nivst...@gmail.com] > Sent: Thursday, August 18, 2011 10:16 AM > To: Eran Hammer-Lahav > Cc: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation)

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
AM >> To: Eran Hammer-Lahav >> Cc: Torsten Lodderstedt; oauth@ietf.org >> Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner >> Impersonation) >> >> Here are two very simple examples. They are very naive ones, but get the >> point across and I wou

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> I'm keeping this proposed text out until we resolve these questions. > > EHL > > > > -Original Message- > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > > Of Torsten Lodderstedt > > Sent: Friday, August 12, 2011 7:56 AM > > To:

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Igor Faynberg > Sent: Thursday, August 18, 2011 8:49 AM > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) >

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
Hey Torsten, > -Original Message- > From: Lodderstedt, Torsten [mailto:t.lodderst...@telekom.de] > Sent: Thursday, August 18, 2011 12:52 AM > To: Eran Hammer-Lahav; Torsten Lodderstedt; oauth@ietf.org > Subject: AW: [OAUTH-WG] Draft 20 last call comment (Resource Owner

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Eran Hammer-Lahav
com] > Sent: Thursday, August 18, 2011 5:49 AM > To: Eran Hammer-Lahav > Cc: Torsten Lodderstedt; oauth@ietf.org > Subject: Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > Here are two very simple examples. They are very naive ones, but get the > point

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Igor Faynberg
uth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Friday, August 12, 2011 7:56 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation) Hi all, I think the impersonation issue as raised by Niv on the list should be covered by the core spec. It d

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Niv Steingarten
s. > > EHL > > >> -Original Message- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Torsten Lodderstedt >> Sent: Friday, August 12, 2011 7:56 AM >> To: oauth@ietf.org >> Subject: [OAUTH-WG] Draft 20 last call comme

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-18 Thread Lodderstedt, Torsten
cess, but several people agreed with it and no one (except you) objected. Why do you hold it back? regards, Torsten. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Torsten Lodderstedt > Sent: Friday, August 12, 2011 7:

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-17 Thread Eran Hammer-Lahav
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Torsten Lodderstedt > Sent: Friday, August 12, 2011 7:56 AM > To: oauth@ietf.org > Subject: [OAUTH-WG] Draft 20 last call comment (Resource Owner > Impersonation) > > Hi all, > > I think the imper

Re: [OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-12 Thread Barry Leiba
> Please find below the text Niv and I prepared. In comparison to  Niv's > original proposal, it covers resource owner impersonation for all client > categories. This makes sense to me, and I like the proposed text. Barry, as participant ___ OAuth maili

[OAUTH-WG] Draft 20 last call comment (Resource Owner Impersonation)

2011-08-12 Thread Torsten Lodderstedt
Hi all, I think the impersonation issue as raised by Niv on the list should be covered by the core spec. It directly aims at the trustworthiness of the user consent, which in my opinion is one of the core principles of OAuth. I therefore suggest to add a description to section 10. Please fin