Re: RFC 8252 [Process and reviews]

On 7/11/23 4:26 AM, Rob Wilton (rwilton) wrote:
> Ah, so I stand corrected. It looks like there was no discussion of draft-ietf-oauth-native-apps in the telechat meeting (2017-05-25), as per the narrative minutes.

So I looked back at the working group archives to see if there were any responses to Adam or Ben and it seems the only one who chimed in was the lead author of the draft. He claims that there was a dire need to show how it should be done properly because there were so many native apps that I assume he was saying were using webviews (I certainly did as well). But that completely misses the point: who cares if good or neutral guys use webviews? They aren't trying to phish users' credentials. The bad guys certainly don't care what the BCP says, and end users don't know the difference between a good and bad way to do the authentication from a native app. All the BCP is doing is making it a pain in the ass for developers, which I guess isn't such a bad thing because maybe they'd give up instead. But that doesn't change that asking bad guys to be good is security through hilarity.

Maybe I missed it, but what is really needed is to advise users that OAuth can lead to stolen credentials on native apps, so only use it if you *specifically* trust the app in question. That makes it more like the Kerberos model, where services are trusted by whoever is running the KDC (or at least that is the norm). Not that that would change anything on the ground, but at least the IETF could disavow dangerous uses of the protocol.

Mike