Thanks Eve;

I'm not aware of anything other than a PKI infrastructure that could provide reasonable technical guarantees. Even then the display of those assurances could be spoofable, I'm thinking. There's a limit to transaction based security on a non-secure platform, after all.



John Wunderlich, BA, MBA

IAPP Fellow of Information Privacy
CISA, CIPM, CIPP/C, PbD Ambassador
@PrivacyCDN & Privacist

On 7 May 2017 at 16:34, Eve Maler <eve@xmlgrrl.com> wrote:
It looks like there are two problems at the OAuth level. First, Google issued client credentials to a bad actor, and second, the client app is allowed to show "display" information that can spoof real information without any checking. There may be some whizzy technical solutions around the second problem, maybe with software statements and digital signatures over what can be displayed.

UMA is susceptible to this at stages where it relies on OAuth for (typically one-time/long-term) trust establishment, such as PAT issuance among the RO, AS, and RS, and also wherever the AS does interactive claims gathering using OAuth-based flows. Non-OAuth-based flows, such as SAML, presumably could be susceptible to the same problem. (Years ago I had thought InfoCard had some built-in way to secure "display names" from spoofing, but subsequently couldn't find it...)


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Thu, May 4, 2017 at 9:57 PM, Thomas Hardjono <hardjono@mit.edu> wrote:

Bearer tokens (?)

/thomas/



________________________________________
From: wg-uma-bounces@kantarainitiative.org [wg-uma-bounces@kantarainitiative.org] on behalf of John Wunderlich [john@wunderlich.ca]
Sent: Thursday, May 04, 2017 1:18 PM
To: wg-uma
Subject: [WG-UMA] Don't trust OAUTH?

See https://arstechnica.com/security/2017/05/dont-trust-oauth-why-the-google-docs-worm-was-so-convincing/

Does UMA get caught in this blast?


John Wunderlich, BA, MBA

IAPP Fellow of Information Privacy
CISA, CIPM, CIPP/C, PbD Ambassador
@PrivacyCDN (https://twitter.com/PrivacyCDN) & Privacist






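The signed-display-metadata idea raised above in the thread (software statements with a digital signature over what a client may display), worked through as an added example that is not part of the list discussion: an authorization server takes consent-screen names only from a verified software statement and rejects a registration whose self-asserted client_name disagrees with the signed one. Assumptions: an HS256 signature under a constructed demo key shared with one trusted issuer stands in for the issuer's real asymmetric signature, and every name and URL below is constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the trusted software-statement issuer and the
# authorization server. Assumption: HS256 keeps the example self-contained; a
# real issuer would sign with a private key and publish the public half.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
TRUSTED_ISSUER = "https://software-statements.example"  # constructed issuer id
DISPLAY_CLAIMS = ("client_name", "client_uri", "logo_uri")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_software_statement(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: sign the display claims a registered client may present."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": TRUSTED_ISSUER, **claims}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_software_statement(token: str, key: bytes = ISSUER_KEY) -> dict:
    """AS side: check signature and issuer before trusting any claim inside."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    return claims

def consent_display_for(registration: dict) -> dict:
    """Return the fields the consent screen may show, taken only from the
    verified statement; a self-asserted display field that disagrees with
    (or is absent from) the signed claims rejects the registration."""
    signed = verify_software_statement(registration["software_statement"])
    for field in DISPLAY_CLAIMS:
        if field in registration and registration[field] != signed.get(field):
            raise ValueError(f"{field} does not match signed software statement")
    return {f: signed[f] for f in DISPLAY_CLAIMS if f in signed}
```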