We can and will bring more of the threat descriptions into the full document.
For what it's worth, in the initial versions we referenced the German
researcher's threat descriptions but intentionally didn't try to repeat them in
detail in the spec, so that people would read their research publications if
they wanted to know more. The researchers did the hard work to discover the
problems and deserved credit for them.
Have you read both of their publications? If not, do yourself a favor and do.
They're actually both very readable and quite informative.
Cheers,
-- Mike
-----Original Message-----
From: OAuth [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Saturday, February 20, 2016 1:47 AM
To: William Denniss <[email protected]>; Phil Hunt (IDM)
<[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for
Adoption
Just a quick reply to two of your remarks:
On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references
I think they should be informative references since the motivate the reason for
doing the work but there is nothing in these publications that raises
interoperability concerns.
I believe the solution documents need to be descriptive enough that they
explain the threats so that a reader who does not read through the informative
reference section still understands what's going on.
> For my own knowledge: what are some of the use-cases that are subject
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist which
> are mitigated by this draft?
This is something I criticized in my review as well. IMHO the documents could
do a better job in describing the threats and particularly the assumptions that
need to hold in order for the attacks to work. Without those it will be
difficult to inform readers when this is a concern and what level of risk this
represents.
Ciao
Hannes
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
