IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Marius Scurtescu <mscurtescu@google.com> Thu, 02 March 2017 00:22 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E5AF1295E3 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:22:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1B5g2UVSfq3 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:22:00 -0800 (PST)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9498D129655 for <id-event@ietf.org>; Wed, 1 Mar 2017 16:22:00 -0800 (PST)
Received: by mail-it0-x234.google.com with SMTP id h10so108055100ith.1 for <id-event@ietf.org>; Wed, 01 Mar 2017 16:22:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4gm4imy7H77XqPGqHKpkWArotqERrWF0YMXh5h7G4rk=; b=FDOGfnaUuPAFuaoCld8SpS8O2X6D8FPPPAc8OQcSSGEnT8zItQTCN/WmWyopDUS6p7 xrJvVcue6oYeVkMr9VK+5GE0bbt1E1LPTU9QlAdB5TnK+dm6zGmRPeYTAa1f3LqJKqd1 QOBSfV++8usjoUopWmzhVDGmFGx7ixwDMFYepYymik25hetn6eayOjqt4aEWpOVcNFOv QDZ4c1Vl1gFWPoXTqCAMYwiHqpyMTisHVhXswjmxQ5tgGjTOHedRL/m4tKB6Z0/EE6RL VKbZLg/3XN55vPCnypWPdAGjOkcmNwcUQ5GArnLkPfV0WpF5xIKfKWLVOgqx/ZueHTDW vK7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4gm4imy7H77XqPGqHKpkWArotqERrWF0YMXh5h7G4rk=; b=VzIrwph8HOXoYjGPiSr6QI8UeRDIzd/XiX3d/zbDAdCGxzYIUpcjOoqwIwLYS70UCn zRuEk9P6KIY4NlTSXDZWH3DeMHPAk4bwkYNtCkxQIOkLUj1DQPCLIOqeE/A3Scftu/1a krhBduFGlCDKoZd0q2jYJJa3quujrlfoUF+I+YoVLvShiGvCvQO7asUmJabBURn0PfW0 LoK66BW1bquee0sLaXWr7srvoBw4EDgIhWc38AK/C8YKNQW1dApXQS5pTAdLa9Wdnb/7 K6pwmLEfH/KzlW0qiM5d5eSUh/P/A2uvH8FcnRaC5F1NMX+XtbfAptZRsEcwO3OxceCW SDwg==
X-Gm-Message-State: AMke39mLdDBj4zL28GF71DYxNFQTOveXwTW+djmqrHqzm3odHsGqXBlNzBhT+ViC3WLV4dNsN8IdujoHDd+Wxqg/
X-Received: by 10.36.196.8 with SMTP id v8mr7259158itf.115.1488414119696; Wed, 01 Mar 2017 16:21:59 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.166.141 with HTTP; Wed, 1 Mar 2017 16:21:39 -0800 (PST)
In-Reply-To: <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com> <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com> <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 01 Mar 2017 16:21:39 -0800
Message-ID: <CAGdjJpK1UktDPOBT5AXSQS=MYOHz2mbAdiFt8m5AQbyc59ufKA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c05d0d4e2aa9a0549b46a99"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/O64SMz2djgbFBQQwo1TPg1nb2qk>
Cc: William Denniss <wdenniss@google.com>, ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 00:22:02 -0000

As a concrete example, let's say an RP that supports OIDC decides to also
implement RISC/SET. When they read the spec and decide on implementation
they realize that they also have to modify the existing OIDC implementation
so it does not accept Id Token looking JWTs that have an "events" claim. It
is very easy to miss this requirement. But more important, when the next
JWT application is implemented they might have to yet again update the
existing OIDC implementation, and so forth.

One simpler fix would be to modify the OIDC implementation once to look for
the correct "typ" claim (assuming one is defined). The security
considerations in the SET spec could specify that due to iss/aud overlap it
is crucial that typ is validated in all related implementations.

I understand that typ cannot be standardized by the SET spec for other
specs (but it could definitely clearly define it for SET), but I think the
sooner we do that for all relevant specs the better.



Marius

On Wed, Mar 1, 2017 at 4:07 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Of course, there is already a “typ” claim.  Its use is optional, since
> whether it’s needed is application-specific.
>
>
>
> Your suggestion that we issue general-purpose JWT guidance about iss/aud
> namespaces is exactly the kind of thing that’s beyond the scope of this
> working group, per my just-sent reply to Marius.  Suggesting that
> applications use the “events” claim to distinguish between SETs and other
> kinds of JWTs is within the scope of this working group, because it is
> advice about using SETs.
>
>
>
>                                                        -- Mike
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Wednesday, March 1, 2017 4:00 PM
> *To:* Marius Scurtescu <mscurtescu@google.com>
> *Cc:* Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones <
> Michael.Jones@microsoft.com>; ID Events Mailing List <id-event@ietf.org>
> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET
> tokens
>
>
>
> If JWT had a "typ" field all along, this entire discussion could be
> avoided, but it's too late for that now. I believe that this was actually
> the founding reason behind standardizing SET, introducing the "events"
> claim. At least, to avoid the 3+ versions of event-on-JWT that were in
> discussion at the time.
>
>
>
> As with all security considerations people can not follow them and have
> bad things happen.
>
>
>
> Doesn't suggesting that unrelated systems not issue tokens sharing the
> same iss/aud namespace make sense here as a mitigation though?  To me
> that's better and more scalable than every spec removing some required
> claim from the other specs (e.g. mandating that people can't use "sub").
>
>
>
>
>
> On Wed, Mar 1, 2017 at 3:54 PM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
> We also talked about adding another claim that defines the type or purpose
> of the JWT ("access token", "SET", etc). In a way it is the only sane
> option, but it is not addressing existing implementations. Asking
> implementors to "be careful" is asking for trouble IMO, especially because
> systems evolve by incrementally adding functionality.
>
>
> Marius
>
>
>
> On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com>
> wrote:
>
> OK so perhaps the "URI" thing is overly restrictive.
>
>
>
> I guess the security consideration I'm recommending here is that you
> shouldn't have multiple systems that issue JWTs with the same iss/aud
> tuple, except when those systems are tightly coupled (as is the case with
> Connect & Logout).
>
>
>
> If a shared issuer is used, then URI-based namespacing is *one* way to
> avoid this, but there are others.
>
>
>
> I'm trying to avoid the need for SET to "break" possible use in access
> tokens (one of the stated goals in the original post) – I think having
> advice like this can avoid normative language that changes, and overly
> complicates SET.
>
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>
>
>
>
>

v2.23.0 | Report a Bug | By Email