IETF Logo Mail Archive

Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

John-Mark Gurney <jmg+oauth@newcontext.com> Thu, 01 November 2018 21:02 UTC

Return-Path: <john-mark.gurney@newcontext.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D59912D4E8 for <oauth@ietfa.amsl.com>; Thu, 1 Nov 2018 14:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=newcontext.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KyUP8uv2Td_X for <oauth@ietfa.amsl.com>; Thu, 1 Nov 2018 14:02:22 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01A5C127B92 for <oauth@ietf.org>; Thu, 1 Nov 2018 14:02:22 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id b9-v6so9512521pls.7 for <oauth@ietf.org>; Thu, 01 Nov 2018 14:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newcontext.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=bNr0ZW6Ysno3grMsPFYjLyZEGmZ8KxS0htjTXNajJBk=; b=Owl9SxxOtJgBSpYF4rQLNpYV6TkNPTaIfq0K+SdMv23TNODOKVagJCYrmVahh5H875 I02zj+/EUP0/Xvg3SHiEhobTecdKI65FdnlcF2HNbm8yQ4WRyky4WKRp8Oq7R9gjPSzv L65x37pdNV2gnm5Iw9OxkqLOQeRNxCS1SYd1/r4szMAYQyJCvKhaIGMk1op0AIAQhm8M O6xVfRKgicV8O3bNOVNE/ClyFEBMts9C5vMR03DV0Lml+M2Fk36gdkwjAgKr3jH92FeF VZ/EpKG0H441+qf6bay53ruW6rKRKlv8+7P23VVauQ/twywUgqmf7CkyK0sVWj7WpNHK 0C9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=bNr0ZW6Ysno3grMsPFYjLyZEGmZ8KxS0htjTXNajJBk=; b=Na4ZKiPUWNXEDCnf5UYl+0U8nnB0UfIi1FoVQYocTaX7vE3YLd9jssuRjYWSmCrlie Td69GsaYhLRauqtU3RfE7CByhmxVUmbOo1of+Ah3Q8+/a7/cVQrZbUUc1exVx9Udidq3 QCAlL6zJW58uoEVmEOqlJuPYadxdamssLHI0il8fcvvcTnMT/DppF0zl+EVbMUMEYsLm AX0Fm/v6bTT56jLyxrVzGXdPGaKVQo4sq1Pd0PBl9NHUhiZ/ZzW3rugfg1FI5Mk0Ah7c RHxoNlr9xIhGvR7i6eVUFWHtYg9vUJWOIddArRoWiafZXeTYkVCMiJ2hSRqTVhRYfaB/ h67g==
X-Gm-Message-State: AGRZ1gLgGPnAVqNUPRCXn7KzXp3Ryt6di/z6rA/Ymeq6nBdi0lEZi8Qj PrEOkGacQkq+JPqGCUJ+20hV2uCeTHLgVKPIUejgfw==
X-Google-Smtp-Source: AJdET5eT/wqZKojv+bhmVl0e8HwAFN7L9RGXq8D3IwxP5jCNmwm1MBdlinqxO9+AuRjYq0Fr/N5M28wSGSsZGn3rhzo=
X-Received: by 2002:a17:902:3041:: with SMTP id u59-v6mr8658878plb.279.1541106141466; Thu, 01 Nov 2018 14:02:21 -0700 (PDT)
MIME-Version: 1.0
References: <CALgdmdsoj9uaVyha5x7anxt4iU_0f8FqyfjNH00Syd-MKSQ_UQ@mail.gmail.com> <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com> <E3A46223-AA0E-4364-9CD1-C5A7F2F37A9D@forgerock.com> <CABzCy2DLYneto8uK--px79E3qAkk97uGX_7+3c0501j85GU2Bw@mail.gmail.com>
In-Reply-To: <CABzCy2DLYneto8uK--px79E3qAkk97uGX_7+3c0501j85GU2Bw@mail.gmail.com>
From: John-Mark Gurney <jmg+oauth@newcontext.com>
Date: Thu, 01 Nov 2018 14:02:10 -0700
Message-ID: <CALgdmduwNUA0On_MRooUAry0ESXo84HvM3zh6BhoBH_v5OSGkQ@mail.gmail.com>
To: sakimura@gmail.com
Cc: neil.madden@forgerock.com, bcampbell=40pingidentity.com@dmarc.ietf.org, oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-gbrq-wWil1iR0mFdFW0F2fITJ0>
Subject: Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2018 21:02:24 -0000

This sounds like a great thing to add.  That this draft should only be
used by clients that have many (in the hundreds, if not thousands)
"natural persons" associated with it, and if not, then you should use
X instead.

On Thu, Nov 1, 2018 at 8:21 AM Nat Sakimura <sakimura@gmail.com> wrote:
>
> Adding to it, in OAuth MTLS setting, the client cert is that of the OAuth client, which is typically a web server and not of a natural person. The content of the certs should be well publicized so that the natural person and the OAuth Authorization Server involved should become aware of what this client is, so I am not sure if there is much privacy impact in this setting. Yes, if the client is a dedicated client for the natural person, then there is going to be additional privacy impact, but for something like that, we were talking of token binding instead.
>
> On Thu, Nov 1, 2018 at 11:55 PM Neil Madden <neil.madden@forgerock.com> wrote:
>>
>> I believe the standard approach to this is to only prompt for a client certificate in a renegotiation handshake rather than in the initial handshake. Renegotiations are encrypted under the existing TLS session.
>>
>> — Neil
>>
>> > On 1 Nov 2018, at 14:37, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>> >
>> > To be honest, I thought that was a relatively well known aspect of TLS 1.2 (and prior) and a noted difference of the new features in TLS 1.3. Also, I'd note that we're well past WGCL for this document. But, with that said, I suppose adding some privacy considerations text on the subject is worthwhile. Would you propose some text for the WG to consider, John-Mark? Bearing in mind that the implications of a certificate presented by, and representing, an OAuth client are somewhat different than for an end-user doing client cert authentication.
>> >
>> >
>> >
>> >
>> > On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:
>> > I would suggest that the security considerations section of
>> > draft-ietf-oauth-mtls-12 be expanded to include the privacy
>> > implications of using this on versions of TLS before 1.3.  On all
>> > versions of TLS before 1.3, the client cert is not encrypted and can
>> > be used by third parties to monitor and track users.  I recently
>> > posted a blog entry about this:
>> > https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
>> >
>> > Thanks.
>> >
>> > John-Mark Gurney
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>> > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



-- 
John-Mark Gurney
Principal Security Architect

v2.23.0 | Report a Bug | By Email