Hi Mark,

You're right, the report I referred to is not a formal analysis.

Thanks for the reference to your lab's analysis of OAuth 1.0a. I had a quick look at it, and at the Canetti tutorial on the underlying methodology that the paper refers to. It's interesting, but so complicated! It's a pity that your colleagues missed the flaw in OAuth 1.0a. In section 5.4 they say "We assume that the Consumer and Service Providers have public keys (and certificates) and that the end-user communicates with these server entities over secure channels (SSL/TLS)". If instead of assuming it they had checked the spec they would have seen that that's not true for the consumer, and they would have been able to claim an important practical result :-)

Francisco

--- On Sat, 5/14/11, Mark Mcgloin <[email protected]> wrote:

From: Mark Mcgloin <[email protected]>
Subject: Re: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
To: [email protected]
Cc: [email protected]
Date: Saturday, May 14, 2011, 11:09 AM

Hi Francisco

Yes, I have seen that report in the past and it is good and informative but is not a substitute for formal analysis. Here is another example of the type of analysis I am looking for, this one covering OAuth 1.0a from our research lab

http://domino.watson.ibm.com/library/cyberdig.nsf/papers/B0D33665257DD3A0852576410043BCDD/$File/rc24856.pdf

Regards
Mark

Francisco Corella <[email protected]> wrote on 13/05/2011 17:58:01:

> From: Francisco Corella <[email protected]>
> Date: 13/05/2011 17:58
> Please respond to: [email protected]
> To: [email protected], Mark Mcgloin/Ireland/IBM@IBMIE
> Subject: Re: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
>
> We wrote a security analysis of double redirection protocols that
> has a section on OAuth 2.0 as of draft 11. You can find it at
>
> http://pomcor.com/techreports/DoubleRedirection.pdf
>
> Francisco
>
> --- On Fri, 5/13/11, Mark Mcgloin <[email protected]> wrote:
>
> From: Mark Mcgloin <[email protected]>
> Subject: [OAUTH-WG] Formal security protocol analysis of OAuth 2.0
> To: [email protected]
> Date: Friday, May 13, 2011, 10:40 AM
>
> Does anyone know of a formal security protocol analysis that has been
> carried out for OAuth 2.0?
>
> I could only find analysis done against 1.0a, like this one:
>
> http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5762765
>
> thanks
> Mark
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
