The closed-door discussions were not about a new specification. They were about helping each other with live OAuth services. We had to decide how many people to expose this threat to, once it was official that there was a threat (which was a new recognition on Friday). We did have some talks about potential solutions but no one even suggested a vote or trying to make decisions. The discussion has been shut down last night when it became fully public.

So the secret club is closed. You can quote me on this! The list is only there in case we discovery actual attacks or another related threat and need to coordinate a response to the threat. But no specification plans are going on on that list. No one posted anything there since we went public.

I was only made aware of your discovery today, here. I have learned about this threat on Friday from someone else who came to a similar conclusion independently. Note that we didn’t take or give credit.

If you want to participate, join the public mailing list and, well, participate. I will probably distill all the ideas posted to the list into a proposal over the weekend and post it as a draft for review. That’s what I do, I edit.

At that point it will be open for review and discussion and we will make decision using rough consensus and a bit of benevolent dictatorship if consensus doesn’t happen (which is very rare). This is how we got to where we are today and the full history is public for anyone to read through.

I hope this addresses all your concerns. If not, you know where to find me.

I know there’s no big conspiracy going on here, and I would expect that another security-minded person who takes a closer look at OAuth 1.0 like I did is likely to find the same issues. It’s just the synchronicity of the events that really leaves me feeling sore.

I’m a big supporter of open specifications – I tried to encourage AOL to become an OpenID provider and consumer during my short tenure there – and with my position as a developer of third-party Twitter applications, expect to continue to deal with OAuth as it evolves.

So, who needs to teach me the OAuth club’s secret handshake before I can be included in these closed-doors security discussions regarding the specification? Clearly, discussing them on public lists just doesn’t happen – so, what’s the protocol?

I can guarantee to you that, as the person who has been coordinating this effort from the beginning, it was not your post that triggered this. I am not trying to take anything away from your discovery, but it was not what got us working on this threat.

The Twitter use case brought increased attention to this area of the protocol, and the threat was identified by multiple people. In fact most aspects of this have been written about as early as last November (I was only made aware of that this week), but only last week did people start putting a complete attack together.

I truly hope that you will become part of the OAuth community, working with us on future version of the spec. You obviously have a lot to contribute.

When you click “Allow”, the account foo (with email address foo@bar.com) on Twitter Karma will be able to read and write to your Twitter account…

This is not foolproof because the attacker may be able to create a username that’s similar to the user’s existing account on the consumer site. But it might increase the probability that the user is aware of an attack.