[Last-Call] Secdir last call review of draft-ietf-ace-revoked-token-notification-06

Kyle Rose via Datatracker <noreply@ietf.org> Mon, 01 April 2024 16:14 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Kyle Rose via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: ace@ietf.org, draft-ietf-ace-revoked-token-notification.all@ietf.org, last-call@ietf.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <171198804485.48386.4769073198215276191@ietfa.amsl.com>
Reply-To: Kyle Rose <krose@krose.org>
Date: Mon, 01 Apr 2024 09:14:04 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/HqMp4xjTqoN0VTrVO1QjIDHWCfM>
Subject: [Last-Call] Secdir last call review of draft-ietf-ace-revoked-token-notification-06

Reviewer: Kyle Rose
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document is Almost Ready.

* The security issue outlined in section 13.5 ("Dishonest clients") adequately
justifies maintaining confidentiality of the full list of revoked hashes, or at
least of recent additions to the list, without reference to privacy as
mentioned in section 13.1. The privacy issues posed by hashes of tokens that
are not widely distributed or visible to passive observers are not at all clear
to me.

* Furthermore, doesn't the security issue identified in 13.5 imply that only
RSes should be notified of revocations, and clients left to wonder until their
requests are denied, or at least until after the RSes to which the token is
relevant have been notified? Secrecy matters really only because we want to
prevent bad actors with access to the token from taking advantage of it during
the window between revocation and RSes being aware of that revocation: if you
notify the bad actor proactively, it doesn't really matter that you kept it
secret from other nefarious observers. (Note that changing this would require
the changes to the recommendation from 13.4.)

    For what it's worth, this is not a novel problem, and it is one that
    plagues revocation systems in general. Moreover, all the possible
    approaches are unsatisfying in some way, often relying on assumptions about
    the state of mind/intent or expected behavior of the adversarial actor.

* I do not understand the criteria specified for purging hashes of revoked
tokens in section 10.1. In particular, why is the first criteria required? If
an RS never sees a particular token, this implies the hash would be kept
forever, or at least until memory pressure is encountered. Should the RS not
also be allowed to expunge a hash if the TRL endpoint signals removal via
expiry? At that point the token would be invalid anyway, revoked or not.

Other comments:

* I did not review the properties of, or analyze the correctness of, the
database consistency algorithm and associated update protocol used to keep
registered devices up-to-date with relevant token hashes. I do not know if this
algorithm and protocol were based on something specific, so if that is not the
case then my main observation would be that the consistency requirements here
are not unique to the proposed revocation function, so it may be worth
reviewing literature relevant to the problem space associated with database
view consistency across distributed and intermittently-connected devices to see
if there is something more generic that can be leveraged in solving this
problem.

* I also did not review any of the appendices.

[Last-Call] Secdir last call review of draft-ietf… Kyle Rose via Datatracker