IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Marius Scurtescu <mscurtescu@google.com> Thu, 02 March 2017 01:53 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78400129479 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 17:53:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8fBH67p3Yut for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 17:53:11 -0800 (PST)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A5EB1293F5 for <id-event@ietf.org>; Wed, 1 Mar 2017 17:53:11 -0800 (PST)
Received: by mail-io0-x232.google.com with SMTP id j18so44133504ioe.2 for <id-event@ietf.org>; Wed, 01 Mar 2017 17:53:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+ap0T1mACx0c1PLRR0/6vi2svCPdGTVIhfXpCDl2WQU=; b=om64oZCPp2UHRF0RZ2bNjyMJggpHKsD9atg47WwiYcjq0RWVELpsIT57IU1DyVkYDf uW0sloKUb02QIsFrA58hL9R/5aQ3zqCl6RGbWqGpN2OiUtdT7QTnJmf9YiA/eS7bbEgd uLY6keB2VlegC1jYRwAbPfUO56C+hCQduKXGn1xfgcB1zpdE+D1iWG8C+789ymExjfYG sGpLxqE1q0/Pvu6xcyOOjuM2CWdTVNuQb87icmcJuKsG7SxlcGg+cYRqwvRJq8u+Y/9l uDj54/c8Gv1f3P37ZP+TjGxAMVLsxZ1tMlPqM2/LYlp+hybQ4dR40kvi3CVYDtJRlz4A KRwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+ap0T1mACx0c1PLRR0/6vi2svCPdGTVIhfXpCDl2WQU=; b=GQDn0Zs34z/frO9jwt/9kGNjsJJxHJfQxTmAJB/5uN8MrqDsIMl0+r0D5SeDXL5AFg H4BzgazpI/SgS4ed3hrXhY7HAvXU3/A+vkB33xXz1VVrn84LpdWHhJlq9q7c8ytO5B4x DlyJIMzQiJi3UVizGQefRkES2DJnTX00YHwwO5rMY05mvsH0RAh3mhUc6vpKf3gBFmZq Jx4MxIU4jhUamab5/K84IBytgB+yoOucue2GEoleh0Z0NE3AcKVZy3TLOatoBZdT0o4k GYMTDE+onRRk9Zkm/lyqYdNWNEcoZfdxlYE+cbfDvGz/HayFe/EahVGnfQvHDcMfIugi iBHQ==
X-Gm-Message-State: AMke39nLQEMYJH8/DzTGE7sLvfyiu+OEhSPv4CHo0+eQLeYZuQhoU3OQ1bdU7mRZ2zgbjksp703+dhDKo5MR9Cis
X-Received: by 10.107.50.206 with SMTP id y197mr2718030ioy.214.1488419589986; Wed, 01 Mar 2017 17:53:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.166.141 with HTTP; Wed, 1 Mar 2017 17:52:49 -0800 (PST)
In-Reply-To: <CAAP42hDbdwQfYQ13ksYnO0N89uWo1F1Muu=Rih7n3w++8omfwg@mail.gmail.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com> <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com> <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJpK1UktDPOBT5AXSQS=MYOHz2mbAdiFt8m5AQbyc59ufKA@mail.gmail.com> <CY4PR21MB050423283AFC0A890DEC696EF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJp+kwyw3T7MBKyWyXjewaGrOUVR5=WADu74hGudj_zYqAw@mail.gmail.com> <CAAP42hCUJ0xYZvjf=xVZVsUVEL_SX3k0WcY555SZBqbkAK+2xQ@mail.gmail.com> <CAGdjJp+pS+RLKm8fGpv9XO1gz4jYfCPUF+pqgE1KpWJ6dnbheg@mail.gmail.com> <CAAP42hDbdwQfYQ13ksYnO0N89uWo1F1Muu=Rih7n3w++8omfwg@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 01 Mar 2017 17:52:49 -0800
Message-ID: <CAGdjJpLgtSOyNCjsJS7h7vnPBdjN8uHZZZpMuBQ0X4o12WJ_Jw@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Content-Type: multipart/alternative; boundary="001a11447954f08bb00549b5b0e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/HAN21rsx1mz2Jej1Rc7GMNOiMdI>
Cc: Mike Jones <Michael.Jones@microsoft.com>, ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 01:53:15 -0000

On Wed, Mar 1, 2017 at 5:30 PM, William Denniss <wdenniss@google.com> wrote:

>
> On Wed, Mar 1, 2017 at 5:05 PM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
>> On Wed, Mar 1, 2017 at 4:50 PM, William Denniss <wdenniss@google.com>
>> wrote:
>>
>>> As a concrete example, let's say an RP that supports OIDC decides to
>>>> also implement RISC/SET. When they read the spec and decide on
>>>> implementation they realize that they also have to modify the existing OIDC
>>>> implementation so it does not accept Id Token looking JWTs that have an
>>>> "events" claim. It is very easy to miss this requirement. But more
>>>> important, when the next JWT application is implemented they might have to
>>>> yet again update the existing OIDC implementation, and so forth.
>>>
>>>
>>> Why would the RISC implementation reuse the same iss/aud pair as the
>>> OIDC implementation?
>>>
>>
>> iss naturally would be the same in most cases. I would argue that aud
>> would also naturally be the same, the client id, since that is the intended
>> recipient. Having aud be the URL of the target endpoint for example (the
>> only suggestion I am aware of), is hackish at best. The same endpoint could
>> be shared by multiple clients in some cases. Also, this couples creating
>> the SET with delivery details
>>
>
> Why not change iss for RISC?  https://issuer.google.com/risc for example.
>

Because iss/sub basically forces the iss to be the exact same as in the Id
Token. And separate iss requires separate signing keys.


>
>
>>
>>> If it didn't, there's no issue!
>>>
>>
>> There might be no issue for SET, but we are going to run into this
>> problem over and over again.
>>
>>
>>
>>> Isn't this the simplest approach? Given that "typ" isn't mandated by
>>> JWT, I think that this is therefore the implied method for segregating JWTs
>>> by the usage intent.
>>>
>>
>> Not sure what you mean by "this". Replacing typ with unique iss/aud
>> combinations?
>>
>
> Our issue is that we have a common token format JWT, that multiple systems
> will consume which have different concerns.  Reading RFC7519, I don't see
> any way to separate those concerns, other than with iss/aud.  RFC7519
> doesn't say "each spec that uses JWT should use a unique combination of
> claims such at no other spec could accidently interpret it as meant for
> them" (and I'm not convinced this is scalable, or desirable).  Nor does it
> require the use of a type claim to achieve the usage segregation, and it's
> too late to add one now.
>

I totally agree that we have no ideal solution here. Having each
application define its own URN (or some schema) for aud might work, even if
ugly. This is similar to merging typ into aud. Do we have any concrete
proposals here?

Why is it too late to use typ?

>
>
>>
>>>
>>> On Wed, Mar 1, 2017 at 4:36 PM, Marius Scurtescu <mscurtescu@google.com>
>>> wrote:
>>>
>>>> Mike, me providing a bulletproof example is irrelevant I think. I am
>>>> trying to convey a general idea. My point is that having to continuously
>>>> update existing implementations with new validation rules is error prone
>>>> and less likely to happen that having to do one generic update.
>>>>
>>>> Marius
>>>>
>>>> On Wed, Mar 1, 2017 at 4:31 PM, Mike Jones <Michael.Jones@microsoft.com
>>>> > wrote:
>>>>
>>>>> Except that your example isn’t one in which there’s an actual
>>>>> problem.  For all response_types except for “code”, the ID Token must have
>>>>> a “nonce” claim matching the request in order to be validated.  SETs won’t
>>>>> have this claim.  For response_type=code, the ID Token must be retrieved
>>>>> from the Token Endpoint to be valid.  But SETs aren’t returned as the
>>>>> id_token value from the Token Endpoint.  There isn’t a channel in which an
>>>>> attacker can successfully substitute a SET for an ID Token and have it
>>>>> validate as an ID Token.
>>>>>
>>>>>
>>>>>
>>>>> Following the advice to also verify that there isn’t an “events” claim
>>>>> in an ID Token provides redundancy and is good hygiene but isn’t actually
>>>>> even necessary to prevent substitution attacks.
>>>>>
>>>>>
>>>>>
>>>>>                                                        -- Mike
>>>>>
>>>>>
>>>>>
>>>>> *From:* Marius Scurtescu [mailto:mscurtescu@google.com]
>>>>> *Sent:* Wednesday, March 1, 2017 4:22 PM
>>>>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>>>>> *Cc:* William Denniss <wdenniss@google.com>; Phil Hunt (IDM) <
>>>>> phil.hunt@oracle.com>; ID Events Mailing List <id-event@ietf.org>
>>>>>
>>>>> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in
>>>>> SET tokens
>>>>>
>>>>>
>>>>>
>>>>> As a concrete example, let's say an RP that supports OIDC decides to
>>>>> also implement RISC/SET. When they read the spec and decide on
>>>>> implementation they realize that they also have to modify the existing OIDC
>>>>> implementation so it does not accept Id Token looking JWTs that have an
>>>>> "events" claim. It is very easy to miss this requirement. But more
>>>>> important, when the next JWT application is implemented they might have to
>>>>> yet again update the existing OIDC implementation, and so forth.
>>>>>
>>>>>
>>>>>
>>>>> One simpler fix would be to modify the OIDC implementation once to
>>>>> look for the correct "typ" claim (assuming one is defined). The security
>>>>> considerations in the SET spec could specify that due to iss/aud overlap it
>>>>> is crucial that typ is validated in all related implementations.
>>>>>
>>>>>
>>>>>
>>>>> I understand that typ cannot be standardized by the SET spec for other
>>>>> specs (but it could definitely clearly define it for SET), but I think the
>>>>> sooner we do that for all relevant specs the better.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Marius
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 1, 2017 at 4:07 PM, Mike Jones <
>>>>> Michael.Jones@microsoft.com> wrote:
>>>>>
>>>>> Of course, there is already a “typ” claim.  Its use is optional, since
>>>>> whether it’s needed is application-specific.
>>>>>
>>>>>
>>>>>
>>>>> Your suggestion that we issue general-purpose JWT guidance about
>>>>> iss/aud namespaces is exactly the kind of thing that’s beyond the scope of
>>>>> this working group, per my just-sent reply to Marius.  Suggesting that
>>>>> applications use the “events” claim to distinguish between SETs and other
>>>>> kinds of JWTs is within the scope of this working group, because it is
>>>>> advice about using SETs.
>>>>>
>>>>>
>>>>>
>>>>>                                                        -- Mike
>>>>>
>>>>>
>>>>>
>>>>> *From:* William Denniss [mailto:wdenniss@google.com]
>>>>> *Sent:* Wednesday, March 1, 2017 4:00 PM
>>>>> *To:* Marius Scurtescu <mscurtescu@google.com>
>>>>> *Cc:* Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones <
>>>>> Michael.Jones@microsoft.com>; ID Events Mailing List <
>>>>> id-event@ietf.org>
>>>>> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in
>>>>> SET tokens
>>>>>
>>>>>
>>>>>
>>>>> If JWT had a "typ" field all along, this entire discussion could be
>>>>> avoided, but it's too late for that now. I believe that this was actually
>>>>> the founding reason behind standardizing SET, introducing the "events"
>>>>> claim. At least, to avoid the 3+ versions of event-on-JWT that were in
>>>>> discussion at the time.
>>>>>
>>>>>
>>>>>
>>>>> As with all security considerations people can not follow them and
>>>>> have bad things happen.
>>>>>
>>>>>
>>>>>
>>>>> Doesn't suggesting that unrelated systems not issue tokens sharing the
>>>>> same iss/aud namespace make sense here as a mitigation though?  To me
>>>>> that's better and more scalable than every spec removing some required
>>>>> claim from the other specs (e.g. mandating that people can't use "sub").
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 1, 2017 at 3:54 PM, Marius Scurtescu <
>>>>> mscurtescu@google.com> wrote:
>>>>>
>>>>> We also talked about adding another claim that defines the type or
>>>>> purpose of the JWT ("access token", "SET", etc). In a way it is the only
>>>>> sane option, but it is not addressing existing implementations. Asking
>>>>> implementors to "be careful" is asking for trouble IMO, especially because
>>>>> systems evolve by incrementally adding functionality.
>>>>>
>>>>>
>>>>> Marius
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com>
>>>>> wrote:
>>>>>
>>>>> OK so perhaps the "URI" thing is overly restrictive.
>>>>>
>>>>>
>>>>>
>>>>> I guess the security consideration I'm recommending here is that you
>>>>> shouldn't have multiple systems that issue JWTs with the same iss/aud
>>>>> tuple, except when those systems are tightly coupled (as is the case with
>>>>> Connect & Logout).
>>>>>
>>>>>
>>>>>
>>>>> If a shared issuer is used, then URI-based namespacing is *one* way to
>>>>> avoid this, but there are others.
>>>>>
>>>>>
>>>>>
>>>>> I'm trying to avoid the need for SET to "break" possible use in access
>>>>> tokens (one of the stated goals in the original post) – I think having
>>>>> advice like this can avoid normative language that changes, and overly
>>>>> complicates SET.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Id-event mailing list
>>>>> Id-event@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email