IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

William Denniss <wdenniss@google.com> Thu, 02 March 2017 02:06 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A718212964E for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 18:06:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKLeGvjBG2vx for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 18:05:59 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E540C12968B for <id-event@ietf.org>; Wed, 1 Mar 2017 18:05:58 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id n186so99202945qkb.3 for <id-event@ietf.org>; Wed, 01 Mar 2017 18:05:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K0tuVSxXq4faUb6Qh8CVr0+o+Peq2Y4k9yqnB8RXvoE=; b=quyTMbbQHo6RL6iHh1ZKuwZBdBGEY/Fy4k6Jn2uxGbQIIuE/HtGuTg9/nIvN/NFuEe TZBVDTchnnbVgKi6YWEjNFcMMDTq4PhsPUTRSGWmbOGMnoJ0vvt98tOVVUR3KI4b7iet EzJj01nYSRrdM6ffXVu0lUfE2KzKabMdKaoLvbi80SGOj2nKiOQtLW/a2bhAUVntuDwa N9s4IV7v/9GShvynzAeTaU8g1FqALxNGFYO8oVezYLSKa65CIbs6GVSDS3wR3d4Mk1dx B5FJ4JNrEzYHgYWE66WdSpxtVcCs89QqtpC4qXm/UhqQM/bAjeqB5dXinsar7ES18Tlk xl+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K0tuVSxXq4faUb6Qh8CVr0+o+Peq2Y4k9yqnB8RXvoE=; b=qxE4Ot8pu3sNI49XF8DZyIWLbrKfWc26KacJIi+VaIZJMo0Jh+avFa77WLQpXLNvOm uEpKSHF260BNE2wn9kxn3Mi7ffQcetJiu/Y8TqEG1BwsN4cqI26ub9a1HY0lpyGGMtSw WpPZpcTczOiYt+rbIe6qhZqWTF/i0MM6ZGS5gEp/mu368r4HPZtZF0oNFG3jdQE9oAvT NoYNwqoYPBCactufzVIxceE9C7ODup3yg3MI+gB9hdmqlFFhIpgNqhFlUrnO8wj53PXh EiuVrVHCn8ra3YW30RniDL9xLTmcHC2CSuHGicwqSOjquovpEdvfNA+Qvh7LDPuS/XgV zIvg==
X-Gm-Message-State: AMke39mpJzlyASHSILcJeRAYQn5HX6K+el6pRB1ZdvLeF6SbIMZhz6NMwzEvlVAHhHXpI6LT+LQEp6gOQ41HIPLr
X-Received: by 10.200.35.36 with SMTP id a33mr14365337qta.216.1488420357867; Wed, 01 Mar 2017 18:05:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 18:05:37 -0800 (PST)
In-Reply-To: <CAGdjJpLgtSOyNCjsJS7h7vnPBdjN8uHZZZpMuBQ0X4o12WJ_Jw@mail.gmail.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com> <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com> <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJpK1UktDPOBT5AXSQS=MYOHz2mbAdiFt8m5AQbyc59ufKA@mail.gmail.com> <CY4PR21MB050423283AFC0A890DEC696EF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJp+kwyw3T7MBKyWyXjewaGrOUVR5=WADu74hGudj_zYqAw@mail.gmail.com> <CAAP42hCUJ0xYZvjf=xVZVsUVEL_SX3k0WcY555SZBqbkAK+2xQ@mail.gmail.com> <CAGdjJp+pS+RLKm8fGpv9XO1gz4jYfCPUF+pqgE1KpWJ6dnbheg@mail.gmail.com> <CAAP42hDbdwQfYQ13ksYnO0N89uWo1F1Muu=Rih7n3w++8omfwg@mail.gmail.com> <CAGdjJpLgtSOyNCjsJS7h7vnPBdjN8uHZZZpMuBQ0X4o12WJ_Jw@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 18:05:37 -0800
Message-ID: <CAAP42hCAEPExj=F1ub4upRJwmNaWoKmJJxwgj6MTyPB0CCyNWA@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Content-Type: multipart/alternative; boundary="001a113a7db8b56c670549b5debf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/CuFJqKz858WTKzR-rt72WVScGFw>
Cc: Mike Jones <Michael.Jones@microsoft.com>, ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 02:06:01 -0000

On Wed, Mar 1, 2017 at 5:52 PM, Marius Scurtescu <mscurtescu@google.com>
wrote:

> On Wed, Mar 1, 2017 at 5:30 PM, William Denniss <wdenniss@google.com>
> wrote:
>
>>
>> On Wed, Mar 1, 2017 at 5:05 PM, Marius Scurtescu <mscurtescu@google.com>
>> wrote:
>>
>>> On Wed, Mar 1, 2017 at 4:50 PM, William Denniss <wdenniss@google.com>
>>> wrote:
>>>
>>>> As a concrete example, let's say an RP that supports OIDC decides to
>>>>> also implement RISC/SET. When they read the spec and decide on
>>>>> implementation they realize that they also have to modify the existing OIDC
>>>>> implementation so it does not accept Id Token looking JWTs that have an
>>>>> "events" claim. It is very easy to miss this requirement. But more
>>>>> important, when the next JWT application is implemented they might have to
>>>>> yet again update the existing OIDC implementation, and so forth.
>>>>
>>>>
>>>> Why would the RISC implementation reuse the same iss/aud pair as the
>>>> OIDC implementation?
>>>>
>>>
>>> iss naturally would be the same in most cases. I would argue that aud
>>> would also naturally be the same, the client id, since that is the intended
>>> recipient. Having aud be the URL of the target endpoint for example (the
>>> only suggestion I am aware of), is hackish at best. The same endpoint could
>>> be shared by multiple clients in some cases. Also, this couples creating
>>> the SET with delivery details
>>>
>>
>> Why not change iss for RISC?  https://issuer.google.com/risc for example.
>>
>
> Because iss/sub basically forces the iss to be the exact same as in the Id
> Token. And separate iss requires separate signing keys.
>

We'd have to host the keys multiple times, but they *could* still be the
same keys, right?


>
>>>> If it didn't, there's no issue!
>>>>
>>>
>>> There might be no issue for SET, but we are going to run into this
>>> problem over and over again.
>>>
>>>
>>>
>>>> Isn't this the simplest approach? Given that "typ" isn't mandated by
>>>> JWT, I think that this is therefore the implied method for segregating JWTs
>>>> by the usage intent.
>>>>
>>>
>>> Not sure what you mean by "this". Replacing typ with unique iss/aud
>>> combinations?
>>>
>>
>> Our issue is that we have a common token format JWT, that multiple
>> systems will consume which have different concerns.  Reading RFC7519, I
>> don't see any way to separate those concerns, other than with iss/aud.
>> RFC7519 doesn't say "each spec that uses JWT should use a unique
>> combination of claims such at no other spec could accidently interpret it
>> as meant for them" (and I'm not convinced this is scalable, or desirable).
>> Nor does it require the use of a type claim to achieve the usage
>> segregation, and it's too late to add one now.
>>
>
> I totally agree that we have no ideal solution here. Having each
> application define its own URN (or some schema) for aud might work, even if
> ugly. This is similar to merging typ into aud. Do we have any concrete
> proposals here?
>

Defining a structured aud format could solve this, I agree – like you say,
it's merging type into aud in a way that's backwards compatible.
Personally I don't mind that approach, but I recall some resistance to it.

Some kind of separation based on iss or aud I think is going to be the
safest and most scalable solution.

Why is it too late to use typ?
>

Because of all the clients already written that don't check for it.


>
>>
>>>
>>>>
>>>> On Wed, Mar 1, 2017 at 4:36 PM, Marius Scurtescu <mscurtescu@google.com
>>>> > wrote:
>>>>
>>>>> Mike, me providing a bulletproof example is irrelevant I think. I am
>>>>> trying to convey a general idea. My point is that having to continuously
>>>>> update existing implementations with new validation rules is error prone
>>>>> and less likely to happen that having to do one generic update.
>>>>>
>>>>> Marius
>>>>>
>>>>> On Wed, Mar 1, 2017 at 4:31 PM, Mike Jones <
>>>>> Michael.Jones@microsoft.com> wrote:
>>>>>
>>>>>> Except that your example isn’t one in which there’s an actual
>>>>>> problem.  For all response_types except for “code”, the ID Token must have
>>>>>> a “nonce” claim matching the request in order to be validated.  SETs won’t
>>>>>> have this claim.  For response_type=code, the ID Token must be retrieved
>>>>>> from the Token Endpoint to be valid.  But SETs aren’t returned as the
>>>>>> id_token value from the Token Endpoint.  There isn’t a channel in which an
>>>>>> attacker can successfully substitute a SET for an ID Token and have it
>>>>>> validate as an ID Token.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Following the advice to also verify that there isn’t an “events”
>>>>>> claim in an ID Token provides redundancy and is good hygiene but isn’t
>>>>>> actually even necessary to prevent substitution attacks.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                                                        -- Mike
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Marius Scurtescu [mailto:mscurtescu@google.com]
>>>>>> *Sent:* Wednesday, March 1, 2017 4:22 PM
>>>>>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>>>>>> *Cc:* William Denniss <wdenniss@google.com>; Phil Hunt (IDM) <
>>>>>> phil.hunt@oracle.com>; ID Events Mailing List <id-event@ietf.org>
>>>>>>
>>>>>> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in
>>>>>> SET tokens
>>>>>>
>>>>>>
>>>>>>
>>>>>> As a concrete example, let's say an RP that supports OIDC decides to
>>>>>> also implement RISC/SET. When they read the spec and decide on
>>>>>> implementation they realize that they also have to modify the existing OIDC
>>>>>> implementation so it does not accept Id Token looking JWTs that have an
>>>>>> "events" claim. It is very easy to miss this requirement. But more
>>>>>> important, when the next JWT application is implemented they might have to
>>>>>> yet again update the existing OIDC implementation, and so forth.
>>>>>>
>>>>>>
>>>>>>
>>>>>> One simpler fix would be to modify the OIDC implementation once to
>>>>>> look for the correct "typ" claim (assuming one is defined). The security
>>>>>> considerations in the SET spec could specify that due to iss/aud overlap it
>>>>>> is crucial that typ is validated in all related implementations.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I understand that typ cannot be standardized by the SET spec for
>>>>>> other specs (but it could definitely clearly define it for SET), but I
>>>>>> think the sooner we do that for all relevant specs the better.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Marius
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 1, 2017 at 4:07 PM, Mike Jones <
>>>>>> Michael.Jones@microsoft.com> wrote:
>>>>>>
>>>>>> Of course, there is already a “typ” claim.  Its use is optional,
>>>>>> since whether it’s needed is application-specific.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Your suggestion that we issue general-purpose JWT guidance about
>>>>>> iss/aud namespaces is exactly the kind of thing that’s beyond the scope of
>>>>>> this working group, per my just-sent reply to Marius.  Suggesting that
>>>>>> applications use the “events” claim to distinguish between SETs and other
>>>>>> kinds of JWTs is within the scope of this working group, because it is
>>>>>> advice about using SETs.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                                                        -- Mike
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* William Denniss [mailto:wdenniss@google.com]
>>>>>> *Sent:* Wednesday, March 1, 2017 4:00 PM
>>>>>> *To:* Marius Scurtescu <mscurtescu@google.com>
>>>>>> *Cc:* Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones <
>>>>>> Michael.Jones@microsoft.com>; ID Events Mailing List <
>>>>>> id-event@ietf.org>
>>>>>> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in
>>>>>> SET tokens
>>>>>>
>>>>>>
>>>>>>
>>>>>> If JWT had a "typ" field all along, this entire discussion could be
>>>>>> avoided, but it's too late for that now. I believe that this was actually
>>>>>> the founding reason behind standardizing SET, introducing the "events"
>>>>>> claim. At least, to avoid the 3+ versions of event-on-JWT that were in
>>>>>> discussion at the time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> As with all security considerations people can not follow them and
>>>>>> have bad things happen.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Doesn't suggesting that unrelated systems not issue tokens sharing
>>>>>> the same iss/aud namespace make sense here as a mitigation though?  To me
>>>>>> that's better and more scalable than every spec removing some required
>>>>>> claim from the other specs (e.g. mandating that people can't use "sub").
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 1, 2017 at 3:54 PM, Marius Scurtescu <
>>>>>> mscurtescu@google.com> wrote:
>>>>>>
>>>>>> We also talked about adding another claim that defines the type or
>>>>>> purpose of the JWT ("access token", "SET", etc). In a way it is the only
>>>>>> sane option, but it is not addressing existing implementations. Asking
>>>>>> implementors to "be careful" is asking for trouble IMO, especially because
>>>>>> systems evolve by incrementally adding functionality.
>>>>>>
>>>>>>
>>>>>> Marius
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com>
>>>>>> wrote:
>>>>>>
>>>>>> OK so perhaps the "URI" thing is overly restrictive.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I guess the security consideration I'm recommending here is that you
>>>>>> shouldn't have multiple systems that issue JWTs with the same iss/aud
>>>>>> tuple, except when those systems are tightly coupled (as is the case with
>>>>>> Connect & Logout).
>>>>>>
>>>>>>
>>>>>>
>>>>>> If a shared issuer is used, then URI-based namespacing is *one* way
>>>>>> to avoid this, but there are others.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'm trying to avoid the need for SET to "break" possible use in
>>>>>> access tokens (one of the stated goals in the original post) – I think
>>>>>> having advice like this can avoid normative language that changes, and
>>>>>> overly complicates SET.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Id-event mailing list
>>>>>> Id-event@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email