Re: [OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)

George Fletcher <gffletch@aol.com> Mon, 04 October 2010 18:28 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EE4B3A6E42 for <oauth@core3.amsl.com>; Mon, 4 Oct 2010 11:28:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.708
X-Spam-Level:
X-Spam-Status: No, score=-1.708 tagged_above=-999 required=5 tests=[AWL=0.890, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSUJdwmU9GFO for <oauth@core3.amsl.com>; Mon, 4 Oct 2010 11:28:01 -0700 (PDT)
Received: from imr-db03.mx.aol.com (imr-db03.mx.aol.com [205.188.91.97]) by core3.amsl.com (Postfix) with ESMTP id A10F93A704E for <oauth@ietf.org>; Mon, 4 Oct 2010 11:28:00 -0700 (PDT)
Received: from mtaout-db04.r1000.mx.aol.com (mtaout-db04.r1000.mx.aol.com [172.29.51.196]) by imr-db03.mx.aol.com (8.14.1/8.14.1) with ESMTP id o94ISEkm000836; Mon, 4 Oct 2010 14:28:14 -0400
Received: from palantir.local (unknown [10.181.183.108]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id EC463E00014D; Mon, 4 Oct 2010 14:28:13 -0400 (EDT)
Message-ID: <4CAA1CBB.80001@aol.com>
Date: Mon, 04 Oct 2010 14:28:11 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: "Freeman, Tim" <tim.freeman@hp.com>
References: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com> <4CA20BFC.90704@aol.com> <5710F82C0E73B04FA559560098BF95B124FB233412@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <4CA9FEAC.8090407@aol.com> <59DD1BA8FD3C0F4C90771C18F2B5B53A653964AD76@GVW0432EXB.americas.hpqcorp.net>
In-Reply-To: <59DD1BA8FD3C0F4C90771C18F2B5B53A653964AD76@GVW0432EXB.americas.hpqcorp.net>
Content-Type: multipart/alternative; boundary="------------030008040104020909070507"
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:447038208:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33c44caa1cbd3693
X-AOL-IP: 10.181.183.108
Cc: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Signatures don't solve that problem (was RE: Signatures...what are we trying to solve?)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2010 18:28:04 -0000

  Hi Tim,

Thanks for the feedback. Some comments/questions inline...

On 10/4/10 1:59 PM, Freeman, Tim wrote:
>
> Putting the use cases on the table is good because it makes things 
> much clearer.  Unfortunately, it's clear that this use case does not work.
>
> I'd like to number the steps under "Requirements" so I can refer to 
> them unambiguously:
>
> 1. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> accesses www.myhealth.example.com 
> <http://www.myhealth.example.com> to discover the location of the PCP 
> system (XRD discovery)
> 2. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> requests Alice to authorize access 
> to the application at www.pcp.example.com <http://www.pcp.example.com> 
> for the purpose of retrieving basic health data (e.g. date-of-birth, 
> weight, height, etc). The mechanism Alice uses to authorize this 
> access is out of scope for this use case.
> 3. The application at www.myhealth.example.com 
> <http://www.myhealth.example.com> issues a token bound to 
> www.sleepwell.example.com <http://www.sleepwell.example.com> for 
> access to the application at www.pcp.example.com 
> <http://www.pcp.example.com>. Note that a signed token (JWT) can be 
> used to prove who issued the token.
> 4. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> constructs a request (includes the 
> token issued by www.myhealth.example.com 
> <http://www.myhealth.example.com>) to the application at 
> www.pcp.example.com <http://www.pcp.example.com>
> 5. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> signs the request before sending it 
> to www.pcp.example.com <http://www.pcp.example.com>
> 6. The application at www.pcp.example.com <http://www.pcp.example.com> 
> receives the request and verifies the signature
> 7. The application at www.pcp.example.com <http://www.pcp.example.com> 
> parses the message and finds the authorization token
> 8. The application at www.pcp.example.com <http://www.pcp.example.com> 
> verifies the signature of the authorization token
> 9. The application at www.pcp.example.com <http://www.pcp.example.com> 
> parses the authorization token and verifies that this token was issued 
> to the application at www.sleepwell.com <http://www.sleepwell.com>
> 10. The application at www.pcp.example.com 
> <http://www.pcp.example.com> retrieves the requested data and returns 
> it to the application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com>
>
> The stated purpose of signatures is:
>
> >The application at www.pcp.example.com <http://www.pcp.example.com> 
> verifies that Alice has authorized
>
> >www.sleepwell.example.com <http://www.sleepwell.example.com> to access 
> her health data as well as enforces
>
> >that www.sleepwell.example.com <http://www.sleepwell.example.com> is 
> the only application that can retrieve that
>
> >data with that specific authorization.
>
> I'll abbreviate domain names like "www.sleepwell.example.com" to 
> "sleepwell".
>
> Bearer tokens work fine when verifying that Alice has authorized 
> sleepwell <http://www.sleepwell.example.com> to access her health 
> data, so the claim is apparently that signatures give the added 
> benefit of enforcing that sleepwell <http://www.sleepwell.example.com> 
> is the only application that can retrieve that data with that specific 
> authorization.
>
I suppose this depends on how you define "work fine". While the 
authorization token issued by myhealthdata and given to sleepwell to 
present to pcp can be passed as a bearer token (so in that sense it 
works fine) there is no security around the token. In the case of health 
data, just possession of an autorization token is NOT good enough to 
grant access.

Instead the PCP site needs to ensure that the presenting entity is 
specifically authorized by the Authorization Server. I contend that to 
establish this "chain of trust" signatures are needed.

Given that in most cases pcp will want to decode the token itself, it 
will need some form of signed structured token because pcp is the 
recipient of the token and not the issuer.

> Unfortunately, signatures do not do that.  Suppose sleepwell wanted to 
> give Alice's data to apneacheck.  Sleepwell could follow the protocol 
> up to step 4.  Then, instead of signing the request and sending the 
> signed request to pcp, sleepwell could transmit the signed request to 
> apneacheck.  apneacheck could then complete the protocol and get 
> Alice's data from www.pcp.example.com.
>
Maybe I wasn't clear in the use case. The point of signatures is not to 
enable authorization but to ensure that release of data only happens 
within the context that was authorized by the user. Let's take the flip 
side where signatures are not used. Any site with access to the bearer 
token issued to sleepwell has access to the Alice's data at the PCP. 
This is not acceptable with sensitive data.

So the point of signatures in this use case is to create a binding 
between the issuer of the token (myhealthdata), the presenter of the 
token (sleepwell) and the receiver of the token (pcp).

If sleepwell signs the message sent to pcp, then pcp can verify that 
sleepwell is the sender of the message. Next, if the message contains a 
token signed by myhealth data, and that token includes a claim that the 
token is issued to sleepwell. PCP can "connect the dots" and know that 
this is a valid request.

If the token is sent by another server, the "issued to" claim will not 
match the entity that signed the message and the PCP application will 
reject the request.
>
> If sleepwell has can retrive to Alice's data, and the protocol doesn't 
> mandate an invasive control of sleepwell's computation and outputs, 
> it's hopeless to prevent sleepwell from allowing apneacheck to 
> retrieve Alice's data.  If all else fails, sleepwell could access 
> Alice's data itself and then allow apneacheck to access the data from 
> sleepwell.
>
So I'll concede that once sleepwell has the data, if sleepwell is not 
trustworthy, there is little Alice can do to protect her data. Maybe 
laws and other such mechanisms will be developed to deal with this 
scenario. This is one reason why it's so important for the PCP to only 
release data to the specific entity that was authorized. This is not 
possible with bearer tokens in a delegated use case like this one.
>
> For all I know, signatures might be a solution to some problem, but 
> they aren't a solution to this problem.
>
> Tim Freeman
> Email: tim.freeman@hp.com <mailto:tim.freeman@hp.com>
> Desk in Palo Alto: (650) 857-2581
> Home: (408) 774-1298
> Cell: (408) 348-7536
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On 
> Behalf Of *George Fletcher
> *Sent:* Monday, October 04, 2010 9:20 AM
> *To:* Zeltsan, Zachary (Zachary)
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Signatures...what are we trying to solve?
>
> Hi Zachary,
>
> Here is a use case for signed messages. I've tried to keep this in the 
> format of the other OAuth use cases. Please contact me off-list if 
> there are editorial changes required. I've include the list to see if 
> others have feed back on this use case.
>
> Thanks,
> George
>
> Use case: Signed Messages
>
> Description:
>
> Alice manages all her personal health records in her personal health 
> data store (www.myhealth.example.com 
> <http://www.myhealth.example.com>). Alice's Primary Care Physician 
> (www.pcp.example.com <http://www.pcp.example.com>) recommends that 
> Alice see a sleep specialist (www.sleepwell.example.com 
> <http://www.sleepwell.example.com>). Alice arrives at the sleep 
> specialist's office and authorizes it to access her basic health data 
> from her PCP. The application at www.pcp.example.com 
> <http://www.pcp.example.com> verifies that Alice has authorized 
> www.sleepwell.example.com <http://www.sleepwell.example.com> to access 
> her health data as well as enforces that www.sleepwell.example.com 
> <http://www.sleepwell.example.com> is the only application that can 
> retrieve that data with that specific authorization.
>
> Pre-conditions:
>
> * Alice has a personal health data store that allows for discovery of 
> her participating health systems (e.g. psychiatrist, sleep specialist, 
> pcp, orthodontist, ophthalmologist, etc).
> * The application at www.myhealth.example.com 
> <http://www.myhealth.example.com> manages authorization of access to 
> Alice's participating health systems
> * The application at www.myhealth.example.com 
> <http://www.myhealth.example.com> can issues authorization tokens 
> understood by Alice's participating health systems
> * The application at www.pcp.example.com <http://www.pcp.example.com> 
> stores Alice's basic health and prescription records
> * The application at www.sleepwell.com <http://www.sleepwell.com> 
> stores results of Alice's sleep tests
>
>
> Post-conditions:
> * A successful procedure results in just the information that Alice 
> authorized being transferred from the Primary Care Physician 
> (www.pcp.example.com <http://www.pcp.example.com>) to the sleep 
> specialist (www.sleepwell.example.com <http://www.sleepwell.example.com>).
> * The transfer of health data only occurs if the application at 
> www.pcp.example.com <http://www.pcp.example.com> can verify that 
> www.sleepwell.example.com <http://www.sleepwell.example.com> is the 
> party requesting access and that the authorization token presented by 
> www.sleepwell.example.com <http://www.sleepwell.example.com> is issued 
> by the application at www.myhealth.example.com 
> <http://www.myhealth.example.com> with a restricted audience of 
> www.sleepwell.example.com <http://www.sleepwell.example.com>
>
> Requirements:
> 1. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> accesses www.myhealth.example.com 
> <http://www.myhealth.example.com> to discover the location of the PCP 
> system (XRD discovery)
> 2. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> requests Alice to authorize access 
> to the application at www.pcp.example.com <http://www.pcp.example.com> 
> for the purpose of retrieving basic health data (e.g. date-of-birth, 
> weight, height, etc). The mechanism Alice uses to authorize this 
> access is out of scope for this use case.
> 3. The application at www.myhealth.example.com 
> <http://www.myhealth.example.com> issues a token bound to 
> www.sleepwell.example.com <http://www.sleepwell.example.com> for 
> access to the application at www.pcp.example.com 
> <http://www.pcp.example.com>. Note that a signed token (JWT) can be 
> used to prove who issued the token.
> 4. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> constructs a request (includes the 
> token issued by www.myhealth.example.com 
> <http://www.myhealth.example.com>) to the application at 
> www.pcp.example.com <http://www.pcp.example.com>
> 5. The application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com> signs the request before sending it 
> to www.pcp.example.com <http://www.pcp.example.com>
> 6. The application at www.pcp.example.com <http://www.pcp.example.com> 
> receives the request and verifies the signature
> 7. The application at www.pcp.example.com <http://www.pcp.example.com> 
> parses the message and finds the authorization token
> 8. The application at www.pcp.example.com <http://www.pcp.example.com> 
> verifies the signature of the authorization token
> 9. The application at www.pcp.example.com <http://www.pcp.example.com> 
> parses the authorization token and verifies that this token was issued 
> to the application at www.sleepwell.com <http://www.sleepwell.com>
> 10. The application at www.pcp.example.com 
> <http://www.pcp.example.com> retrieves the requested data and returns 
> it to the application at www.sleepwell.example.com 
> <http://www.sleepwell.example.com>
>
>
>
> On 9/28/10 12:27 PM, Zeltsan, Zachary (Zachary) wrote:
>
> These use cases are not in the draft 
> https://datatracker.ietf.org/doc/draft-zeltsan-use-cases-oauth.
>
> Could you write them up?
>
> Thanks,
>
> Zachary
>
> ------------------------------------------------------------------------
>
> *From:* oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> 
> [mailto:oauth-bounces@ietf.org] *On Behalf Of *George Fletcher
> *Sent:* Tuesday, September 28, 2010 11:39 AM
> *To:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Signatures...what are we trying to solve?
>
> I think of the signature issues as falling into two classes... I think 
> they map to your classification as well...
>
>     * *Signing tokens* is important for interoperability especially
>       looking forward to a time when tokens issued by multiple
>       Authorization Servers are accepted at a given host.
>     * *Signing messages* is important because it provides a mechanism
>       to ensure that the entity making the API call (and presenting an
>       access token) is really the entity that is allowed to make the
>       API call.
>
> Signing messages applies to the re-delegation use cases. I've heard 
> the need for this class of use cases from both the hData (health data) 
> community as well as the user managed access (UMA) community.
>
> Signing tokens covers both your second class of tokens as well as 
> another use case that Eran has mentioned as well. Namely, a protected 
> resource server honoring tokens from multiple Authorization Servers.
>
> These are the two classes of use cases that I'd like to see solved.
>
> Thanks,
> George
>
>
> On 9/28/10 12:58 AM, David Recordon wrote:
>
> If you know me then you'll know that I'm generally one of the last 
> people to talk about Alice and Bob. That said, there are a lot of 
> technical proposals flying across the list with very little shared 
> understanding of the problem(s) we're trying to solve.
>
> From what I've seen there are two distinct classes of signature use cases.
>
> 1) The first is where the HTTP request parameters must be part of the 
> signature. An example is any OAuth 1.0a style API where you want to 
> make sure that the HTTP POST your server just received isn't 
> masquerading itself as a GET.
>
> 2) The second is where the HTTP request is orthogonal. An example 
> is OpenSocial where the server is sending state information to the 
> client such as what user is currently logged in.
>
> The main practical example I have of the first use case is what 
> Twitter wants to do with redelegation. In this case TweetDeck can't 
> given TwitPic it's own bearer token, but needs to sign the POST 
> request and pass that signature to TwitPic for it to include in the 
> final API request to Twitter.
>
> In terms of signing protected resource requests, I haven't heard 
> anyone bring up specific and detailed needs for this recently.
>
> JSON tokens pretty clearly make sense for the second class of 
> signature use cases and it's actually a bit hard to argue why they 
> would be a part of OAuth. Facebook shipped this a bit over a month ago 
> for canvas applications. We include a `signed_request` parameter which 
> is signature.base64url(JSON). Parsing it is 18 lines of PHP. 
> http://developers.facebook.com/docs/authentication/canvas
>
> This second class of use case will also be required by OpenID Connect 
> where the server is signing identity information and sending it to the 
> client. I imagine that OpenSocial will also still have it and wish to 
> continue relying on public key algorithms.
>
> So a few questions:
>
>  * Do we want to tackle both of these classes of signatures in OAuth?
>
>  * Why do you consider the second class part of OAuth versus something 
> completely separate that might happen to include an OAuth access token?
>
>  * Is the Twitter redelegation use case the right focus for the first 
> class?
>
>  * Is there an example of an OAuth 2.0 server that can't use bearer 
> tokens for protected resource requests and thus requires signatures?
>
> Thanks,
>
> --David
>
>   
>   
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org  <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Chief Architect                   AIM:  gffletch
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          Home: gffletch@aol.com
Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch