> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Barry Leiba
> Sent: Sunday, July 08, 2012 6:37 PM
> To: Romascanu, Dan (Dan)
> Cc: [email protected]; [email protected];
> [email protected]; [email protected]; [email protected]
> Subject: Re: Operations Directorate Review of draft-ietf-oauth-v2-
> threatmodel-06
> 
> > 1. The relation between this document, OAuth 1.0 (RFC 5849) and OAuth
> > 2.0 is not clear. In the Introduction we find:
> >
> >    This document gives additional security considerations for OAuth,
> >    beyond those in the OAuth specification, based on a comprehensive
> >    threat model for the OAuth 2.0 Protocol [I-D.ietf-oauth-v2].
> >
> > (would be good to provide a referent for the 'OAuth specification' -
> > probably RFC 5489)
> 
> It does have a citation, right there: [I-D.ietf-oauth-v2].  That is
> the OAuth specification.  I suppose we could move the citation to be
> after the word "specification", though no one else has been confused
> by this.
> 
> > but then says the document
> >
> >       - Gives a comprehensive threat model for OAuth and describes the
> >       respective counter measures to thwart those threats.
> >
> > So is the scope of the document the threats beyond what is described in
> > OAuth 1.0, or all the threats?
> 
> It has nothing to do with OAuth 1.0, and I don't think it says that
> anywhere.  It's OAuth 2.0, as noted in the citation.  It expands on
> what's in the Security Considerations of the OAuth spec, and covers
> threats that are not described there as well.  The OAuth spec has an
> informative reference to this document.

Barry,

I believe that the words 'additional' and 'beyond' in the first quoted
paragraph create the confusion. Saying 'This document gives additional
security considerations for OAuth, beyond those in the OAuth
specification' is not the same as saying 'This document gives security
considerations for OAuth based on the OAuth specification (and by the
way, when we say this we mean OAuth 2.0 and nothing else)'.

Regards,

Dan

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth