Folks this is a "scoping" debate. Because this document is a brand new type of specification, I can see why there is some confusion.
First, I want to point out the concerns Michael Thomas is making are *valid*. **However**, editorially I feel strongly the comments fall outside the intended scope and purpose for this document. This document is about threats specifically related to the OAuth protocol. Its intent is to go beyond security considerations to give implementers a feel for the issues the group has considered specific to the protocol.

Michael's comments are directed at general trusted computing platforms. And while I agree they are valid, they don't fit in this document. At no time did the OAuth WG set out to solve or debate trusted computing platform issues. It is simply not within the charter of the WG.

Michael feels the premise for the document is "borked" because his comments are not included. However, there are those of us that feel the document instead needs to be sharply edited back to focus even tighter on OAuth specific issues.

As for "consensus", there seem to be two issues/questions at hand:

1. Do we go back and extend the document scope to general trusted computing platform issues?
2. Is the document correct for the content that it has now?

I suspect there is strong consensus for number 2. I suspect there is quite a lot of debate about number 1.

For me, I will push very hard to cut the document in half (the opposite). My worry is the document is too long, and many are already not reading it because it is only an Informational document.

Phil
@independentid
www.independentid.com
[email protected]

On 2012-04-24, at 9:20 AM, Eran Hammer wrote:

> We've been kicking this can of silliness for months now because one person
> refuses to move on even in the face of otherwise unanimous consensus from the
> group.
>
> Chairs - Please take this ridiculous and never ending thread off list and
> resolve it once and for all.
>
> EH
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Phil Hunt
>> Sent: Tuesday, April 24, 2012 7:59 AM
>> To: Michael Thomas
>> Cc: Barry Leiba; [email protected]; [email protected]
>> Subject: Re: [OAUTH-WG] Shepherd review of draft-ietf-oauth-v2-threatmodel
>>
>> Are we at this stage re-opening the entire document? I thought we were
>> responding only to specific shepherd text edits.
>>
>> Phil
>>
>> On 2012-04-24, at 6:24, Michael Thomas <[email protected]> wrote:
>>
>>> On 04/24/2012 01:17 AM, Mark Mcgloin wrote:
>>>> Hi Thomas
>>>>
>>>> Your additional text is already covered in a countermeasure for
>>>> section 4.1.4. In addition, section 4.1.4.4 states the assumption
>>>> that the auth server can't protect against a user installing a
>>>> malicious client
>>>>
>>>
>>> The more I read this draft, the more borked I think its base
>>> assumptions are. The client *is* one of the main threats. Full stop. A
>>> threat document should not be asking the adversary to play nice. Yet,
>>> 4.1.4 bullets 1 and 3 are doing exactly that again. If those are
>>> countermeasures, then so is visualizing world peace.
>>>
>>> As for bullet two, it doesn't mention revocation, and I prefer Barry's
>>> section generally. I can't find a section 4.1.4.4
>>>
>>> Mike
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
