Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
William Denniss <wdenniss@google.com> Thu, 02 March 2017 00:50 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7D9212959F for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:50:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9FL_9jlIdQy for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:50:24 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5767B12944B for <id-event@ietf.org>; Wed, 1 Mar 2017 16:50:24 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id u188so100045006qkc.2 for <id-event@ietf.org>; Wed, 01 Mar 2017 16:50:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Q85N5zkTqyBYwXXnVZ8Rq+Iw+SU0JvBDnaypjZptzXc=; b=JGhCsIb5Rmt8XoIWpE8s7yNhReTLpI/BU/M8d7TWkQKstFenL8NUuIqxjIIKXK8Qvo BO/OGE9T2j8c170B1l/Th3buV2GPt92NM21H0heAdfg8lEHY2LSQHDbh2tP6wWA6sL8r wld4GlrmMQyt9QGLlcaXGXoMMNgBnQM5h/dFU7eJkvOxFRFs9nWzz4Gdrd5VWrJBhXXy d1UROkZYDSRjUHnStb1L5qfcDH5qvMrIKFNeN08QefxPzR/kZKAVimfGOBSBVok+dKk4 PvaqPQUBtEc4sinLgGFFxK01y4mghjtCDPRQuqOPFm02ENbpCnEr0dO6jQezLfP8F4gl WtTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Q85N5zkTqyBYwXXnVZ8Rq+Iw+SU0JvBDnaypjZptzXc=; b=rqQzVJQ08QdVpyuF15MhdVhfWZWPpTRnQ/iNJ5TioHTZEa/9fAlsxLvKMJHkUjDIWJ y4tHjN5/gNXn7EsyIjdlOvKqN/1n90NfIIqTegpDUzM93mKjVSb60FkNfoChMwFDKX5c l4/tUdZp19GIoweBnl1GexTu5JgB6QOIeRqfcnJ0jCrrnDpu2MHC2n2F2Q5e/YUc2EZP 34zSBrgShCsSgXW5VFSjMwg1y5Yqy7ZsM+NeGhx8X02wbfk47WtLxx7IOAxs9kQJLy5H QLv3tzESf28UgSlhHmH54B79IzBO49f9mC5SGHgeMUqdBIQTBt/IzC2pHe5lH9lijwjC 63mA==
X-Gm-Message-State: AMke39ky66hQcB17arhmEjIC7MPZ3p6xNqqPl6ClqsOu7xE6N199tyCz6rnLNjgOk+KSxjsG07aRVUTT4FI9qBvD
X-Received: by 10.237.36.44 with SMTP id r41mr14009894qtc.258.1488415823014; Wed, 01 Mar 2017 16:50:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 16:50:02 -0800 (PST)
In-Reply-To: <CAGdjJp+kwyw3T7MBKyWyXjewaGrOUVR5=WADu74hGudj_zYqAw@mail.gmail.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com> <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com> <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJpK1UktDPOBT5AXSQS=MYOHz2mbAdiFt8m5AQbyc59ufKA@mail.gmail.com> <CY4PR21MB050423283AFC0A890DEC696EF5280@CY4PR21MB0504.namprd21.prod.outlook.com> <CAGdjJp+kwyw3T7MBKyWyXjewaGrOUVR5=WADu74hGudj_zYqAw@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 16:50:02 -0800
Message-ID: <CAAP42hCUJ0xYZvjf=xVZVsUVEL_SX3k0WcY555SZBqbkAK+2xQ@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Content-Type: multipart/alternative; boundary="001a113b9f6e69283f0549b4d077"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/xc4XHj-8k8V2MdP5IbFAMH8btbw>
Cc: Mike Jones <Michael.Jones@microsoft.com>, ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 00:50:26 -0000
> > As a concrete example, let's say an RP that supports OIDC decides to also > implement RISC/SET. When they read the spec and decide on implementation > they realize that they also have to modify the existing OIDC implementation > so it does not accept Id Token looking JWTs that have an "events" claim. It > is very easy to miss this requirement. But more important, when the next > JWT application is implemented they might have to yet again update the > existing OIDC implementation, and so forth. Why would the RISC implementation reuse the same iss/aud pair as the OIDC implementation? If it didn't, there's no issue! Isn't this the simplest approach? Given that "typ" isn't mandated by JWT, I think that this is therefore the implied method for segregating JWTs by the usage intent. On Wed, Mar 1, 2017 at 4:36 PM, Marius Scurtescu <mscurtescu@google.com> wrote: > Mike, me providing a bulletproof example is irrelevant I think. I am > trying to convey a general idea. My point is that having to continuously > update existing implementations with new validation rules is error prone > and less likely to happen that having to do one generic update. > > Marius > > On Wed, Mar 1, 2017 at 4:31 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > >> Except that your example isn’t one in which there’s an actual problem. >> For all response_types except for “code”, the ID Token must have a “nonce” >> claim matching the request in order to be validated. SETs won’t have this >> claim. For response_type=code, the ID Token must be retrieved from the >> Token Endpoint to be valid. But SETs aren’t returned as the id_token value >> from the Token Endpoint. There isn’t a channel in which an attacker can >> successfully substitute a SET for an ID Token and have it validate as an ID >> Token. >> >> >> >> Following the advice to also verify that there isn’t an “events” claim in >> an ID Token provides redundancy and is good hygiene but isn’t actually even >> necessary to prevent substitution attacks. >> >> >> >> -- Mike >> >> >> >> *From:* Marius Scurtescu [mailto:mscurtescu@google.com] >> *Sent:* Wednesday, March 1, 2017 4:22 PM >> *To:* Mike Jones <Michael.Jones@microsoft.com> >> *Cc:* William Denniss <wdenniss@google.com>; Phil Hunt (IDM) < >> phil.hunt@oracle.com>; ID Events Mailing List <id-event@ietf.org> >> >> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET >> tokens >> >> >> >> As a concrete example, let's say an RP that supports OIDC decides to also >> implement RISC/SET. When they read the spec and decide on implementation >> they realize that they also have to modify the existing OIDC implementation >> so it does not accept Id Token looking JWTs that have an "events" claim. It >> is very easy to miss this requirement. But more important, when the next >> JWT application is implemented they might have to yet again update the >> existing OIDC implementation, and so forth. >> >> >> >> One simpler fix would be to modify the OIDC implementation once to look >> for the correct "typ" claim (assuming one is defined). The security >> considerations in the SET spec could specify that due to iss/aud overlap it >> is crucial that typ is validated in all related implementations. >> >> >> >> I understand that typ cannot be standardized by the SET spec for other >> specs (but it could definitely clearly define it for SET), but I think the >> sooner we do that for all relevant specs the better. >> >> >> >> >> >> >> Marius >> >> >> >> On Wed, Mar 1, 2017 at 4:07 PM, Mike Jones <Michael.Jones@microsoft.com> >> wrote: >> >> Of course, there is already a “typ” claim. Its use is optional, since >> whether it’s needed is application-specific. >> >> >> >> Your suggestion that we issue general-purpose JWT guidance about iss/aud >> namespaces is exactly the kind of thing that’s beyond the scope of this >> working group, per my just-sent reply to Marius. Suggesting that >> applications use the “events” claim to distinguish between SETs and other >> kinds of JWTs is within the scope of this working group, because it is >> advice about using SETs. >> >> >> >> -- Mike >> >> >> >> *From:* William Denniss [mailto:wdenniss@google.com] >> *Sent:* Wednesday, March 1, 2017 4:00 PM >> *To:* Marius Scurtescu <mscurtescu@google.com> >> *Cc:* Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones < >> Michael.Jones@microsoft.com>; ID Events Mailing List <id-event@ietf.org> >> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET >> tokens >> >> >> >> If JWT had a "typ" field all along, this entire discussion could be >> avoided, but it's too late for that now. I believe that this was actually >> the founding reason behind standardizing SET, introducing the "events" >> claim. At least, to avoid the 3+ versions of event-on-JWT that were in >> discussion at the time. >> >> >> >> As with all security considerations people can not follow them and have >> bad things happen. >> >> >> >> Doesn't suggesting that unrelated systems not issue tokens sharing the >> same iss/aud namespace make sense here as a mitigation though? To me >> that's better and more scalable than every spec removing some required >> claim from the other specs (e.g. mandating that people can't use "sub"). >> >> >> >> >> >> On Wed, Mar 1, 2017 at 3:54 PM, Marius Scurtescu <mscurtescu@google.com> >> wrote: >> >> We also talked about adding another claim that defines the type or >> purpose of the JWT ("access token", "SET", etc). In a way it is the only >> sane option, but it is not addressing existing implementations. Asking >> implementors to "be careful" is asking for trouble IMO, especially because >> systems evolve by incrementally adding functionality. >> >> >> Marius >> >> >> >> On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com> >> wrote: >> >> OK so perhaps the "URI" thing is overly restrictive. >> >> >> >> I guess the security consideration I'm recommending here is that you >> shouldn't have multiple systems that issue JWTs with the same iss/aud >> tuple, except when those systems are tightly coupled (as is the case with >> Connect & Logout). >> >> >> >> If a shared issuer is used, then URI-based namespacing is *one* way to >> avoid this, but there are others. >> >> >> >> I'm trying to avoid the need for SET to "break" possible use in access >> tokens (one of the stated goals in the original post) – I think having >> advice like this can avoid normative language that changes, and overly >> complicates SET. >> >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> >> >> >> >> >> >> > >
- [Id-event] Thread: Clarifying use of sub and iss … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Brian Campbell
- [Id-event] Making SETs distinct as JWTs (was: Re:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs Benjamin Kaduk
- Re: [Id-event] Making SETs distinct as JWTs (was:… Vivek Biswas
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt (IDM)
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Making SETs distinct as JWTs Yaron Sheffer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones