Re: [OAUTH-WG] Rate limiting in Dyn-Reg-Management

Benjamin Kaduk <kaduk@MIT.EDU> Sat, 04 April 2015 01:15 UTC

Date: Fri, 03 Apr 2015 21:15:36 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <D26B0844-431B-4A14-8B9F-BAF1A2D55444@mit.edu>
Message-ID: <alpine.GSO.1.10.1504032112300.22210@multics.mit.edu>
References: <D26B0844-431B-4A14-8B9F-BAF1A2D55444@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-4LnUunnt7edX86f1kF2H8YHYWk>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Rate limiting in Dyn-Reg-Management

On Fri, 3 Apr 2015, Justin Richer wrote:

> In the current draft of Dyn-Reg-Management (https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-12) there’s a clause that’s causing some consternation in the general review:
>
>    Since the client configuration endpoint is an OAuth 2.0 protected
>    resource, it SHOULD have some rate limiting on failures to prevent
>    the registration access token from being disclosed through repeated
>    access attempts.
>
> A comment has been raised arguing that this text isn’t helpful to
> implementors as it doesn’t tell them what kind of rate limiting to do or
> how to accomplish it. It has also been pointed out that there’s not an
> obvious need for this recommendation if there’s enough entropy in the
> registration access token to begin with.
>
> The suggestion has been made to drop the above text, and potentially to
> add a reference to the sections on token complexity in 6750 §5.2 and
> 6819 §5.1.4.2.2. My suggested text in that regard is:
>
> Since possession of the registration access token authorizes the holder
> to potentially read, modify, or delete a client’s registration
> (including its credentials such as a client_secret), the registration
> access token MUST contain sufficient entropy such as described in
> [RFC6750] Section 5.2 and [RFC6819] Section 5.1.4.2.2.
>
> I would add this as the last sentence to the first paragraph in the
> security considerations section.
>
> What does the WG think of this suggested change?

I think it's a fine change, in general.  But I also saw the discussion on
the other list, so maybe I'm biased.

Specifically, RFC 6750 does not include the word "entropy", and we might
want to explicitly mention that "sufficient" means "sufficient to prevent
a random guessing attack".

-Ben
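As an added illustration (not part of this thread, the draft, or any reference implementation), a Python sketch of the two ideas under discussion: minting a registration access token with enough entropy that the RFC 6750 §5.2 guessing bound holds on its own, and putting a number on what unthrottled online guessing could achieve, which is what the rate-limiting clause was meant to control. All function names are hypothetical.

```python
import hmac
import secrets

# RFC 6750 section 5.2: the probability of guessing a token MUST be <= 2^-128
# (and SHOULD be <= 2^-160); this is the bound "sufficient entropy" has to meet.
RFC6750_MUST_BOUND = 2.0 ** -128


def mint_registration_access_token(entropy_bits: int = 256) -> str:
    """Hypothetical helper: mint an opaque token from the OS CSPRNG."""
    if entropy_bits <= 0 or entropy_bits % 8:
        raise ValueError("entropy_bits must be a positive multiple of 8")
    return secrets.token_urlsafe(entropy_bits // 8)


def per_guess_probability(entropy_bits: int, live_tokens: int = 1) -> float:
    """Chance that one blind guess matches any currently valid token.

    Assumes uniformly random tokens; every live token the endpoint accepts is
    another target for the same guess, so the bound is per server, not per token.
    """
    return live_tokens / 2.0 ** entropy_bits


def meets_rfc6750_must(entropy_bits: int, live_tokens: int = 1) -> bool:
    """True when a single guess is no more likely than RFC 6750's MUST bound."""
    return per_guess_probability(entropy_bits, live_tokens) <= RFC6750_MUST_BOUND


def online_attack_success(entropy_bits: int, guesses_per_second: float,
                          seconds: float, live_tokens: int = 1) -> float:
    """Union bound on an unthrottled online guessing attack: guesses * p, capped.

    This is the quantity failure rate limiting would otherwise have to control.
    """
    total = guesses_per_second * seconds
    return min(1.0, total * per_guess_probability(entropy_bits, live_tokens))


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison so response timing does not leak the token."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    ten_years = 10 * 365 * 24 * 3600
    for bits in (48, 128, 256):
        p = online_attack_success(bits, 1e9, ten_years)
        print(f"{bits:3d}-bit token, 1e9 guesses/s for 10 years: p <= {p:.3g}")
```

With 128 bits or more, a decade of a billion guesses per second stays far below 10^-20, which is the sense in which entropy makes the SHOULD on rate limiting redundant; the `live_tokens` parameter shows why a server holding many registrations needs the per-token bound with margin.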