IETF Logo Mail Archive

Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call

John Bradley <ve7jtb@ve7jtb.com> Sun, 02 November 2014 23:14 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AECEF1A1AFE for <oauth@ietfa.amsl.com>; Sun, 2 Nov 2014 15:14:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iV73zuDug6i8 for <oauth@ietfa.amsl.com>; Sun, 2 Nov 2014 15:14:31 -0800 (PST)
Received: from mail-qg0-f52.google.com (mail-qg0-f52.google.com [209.85.192.52]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A39B01A1ACC for <oauth@ietf.org>; Sun, 2 Nov 2014 15:14:30 -0800 (PST)
Received: by mail-qg0-f52.google.com with SMTP id a108so8106151qge.11 for <oauth@ietf.org>; Sun, 02 Nov 2014 15:14:28 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=OlyGO/ETM2mkIRbpcvajgtziCcU0y06a5OgKSl5ALPk=; b=H0BmZ7JxGnTkqY1zJ5yENsqGt5mYARsWVJm/Iwl7H1GFVxgqOLT2UcFJTgXHqyz4nG 4GYaD3qcz6hz8eUkl88F0dRLactriZSETAzqOz1rQXkRal7yZz8KzUBADLJBWG6tGhwk W3j+DNtEEo/a6Gxu5qKZXIg5FZ9H9e6aViwX0eaJEuVoF2whJik6r6iUuGcIMOSngVIW xVMwu2zuh53qaC4T1RJ7dS2g6Bm7iOIrgsgIHfb+5eZiEORkDKmA9IMY4027ikrcYpCF t3qlxQtkNN7oE42nP0skYBwSPOEwIs8svtd1iUlP0C685UpiNvQAloquTQVK4Zs7mV12 hqPw==
X-Gm-Message-State: ALoCoQkKHAEOQTEKJ7wf5dOQ6EqvpcPGMQGf7tEiCENHrdFxUH+BKlSPlc0l1/GC25yYButomp3e
X-Received: by 10.140.16.46 with SMTP id 43mr56038880qga.53.1414970068223; Sun, 02 Nov 2014 15:14:28 -0800 (PST)
Received: from [192.168.1.216] (181-163-28-104.baf.movistar.cl. [181.163.28.104]) by mx.google.com with ESMTPSA id v4sm4151311qay.3.2014.11.02.15.14.26 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 02 Nov 2014 15:14:27 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <77982418-A40A-4D51-A41B-BA8CB24AE000@oracle.com>
Date: Sun, 02 Nov 2014 20:14:22 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <769C8C61-127A-44CD-90EE-972468146474@ve7jtb.com>
References: <543FF850.6070409@gmx.net> <B18173FA-7AD9-40A7-98AF-8D2A4AED744D@mitre.org> <5456640C.9090404@lodderstedt.net> <DF8EF8BB-75B1-49A4-92D6-81D72D3DA807@oracle.com> <FFB09F34-19C5-4616-87DE-EE6D10305724@ve7jtb.com> <65FB0488-88D1-4C55-B64F-071284AC6730@oracle.com> <22619A13-BF63-4C5D-8833-2C55CA8FAF44@ve7jtb.com> <77982418-A40A-4D51-A41B-BA8CB24AE000@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0j2bdE83w7OmPHHo5K_9tk5ZRww
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Notes from 2nd "OAuth & Authentication" Conference Call
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Nov 2014 23:14:33 -0000

Many of the threats can only be mitigated by the AS/IDP .   This document should cover that.   

I didn't say the IdP must use connect only that it needs to understand and mitigate the treats from the document,  implementing Connect is one way to do it.

Sorry I was trying to interpret "Sigh"

John B.



On Nov 2, 2014, at 6:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> That is not what I said. 
> 
> I said establish the criteria for mitigation of the threats. 
> 
> Phil
> 
>> On Nov 2, 2014, at 12:53, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>> Your proposal required changes and extensions to the AS.
>> 
>> Without some cooperation from the AS /API provider, they shouldn't be using OAuth for identity.
>> 
>> The client can't make it secure all on it's own.   The API semantics might change,  the client would largely be relying on luck.
>> 
>> Sorry,
>> 
>> What sort of advice are you looking for that the client can implement without the cooperation of the IdP around some of the security considerations.
>> About the only thing would be to never use implicit.  However that alone in my opinion is not sufficient for real security.
>> 
>> John B.
>> 
>> 
>> 
>> 
>>> On Nov 2, 2014, at 4:55 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>> 
>>> Sigh.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>> 
>>> 
>>> 
>>>> On Nov 2, 2014, at 10:33 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>> 
>>>> If a client developer doesn't have Connect available then they need to point the API developer at this doc, so that they do provide Connect or some other API that takes into account all of the security considerations.
>>>> 
>>>> A client developer should never make up there own identity protocol out of someone else's API that is not designed for it.
>>>> 
>>>> A vanilla OAuth API with no additional security considerations on the API developers part is pretty much guaranteed to go horribly wrong.
>>>> 
>>>> John B.
>>>> 
>>>>> On Nov 2, 2014, at 2:15 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>> 
>>>>> We may have a problem with audience here. 
>>>>> 
>>>>> Justin mentioned he wrote it for service providers but the threats are against the client that wants to authenticate users. 
>>>>> 
>>>>> Would be better to have recommendations for each group. 
>>>>> 
>>>>> Since oidc is the only recommendation, what does a client implementer do when openid connect is not available?  Suggest we give a list of qualities developers should look for (eg is fb connect good)?
>>>>> 
>>>>> Phil
>>>>> 
>>>>>> On Nov 2, 2014, at 09:04, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> I just read the document. It explains the situation, challenges/threats, and options very clear and readable.
>>>>>> 
>>>>>> So +1 for publishing it soon.
>>>>>> 
>>>>>> kind regards,
>>>>>> Torsten.
>>>>>> 
>>>>>> Am 28.10.2014 00:21, schrieb Richer, Justin P.:
>>>>>>> I've been incorporating peoples' feedback into the proposed oauth.net page, and the current state is here:
>>>>>>> 
>>>>>>> https://github.com/jricher/oauth.net/blob/authentication/articles/authentication.php
>>>>>>> 
>>>>>>> Commentary has slowed down and I think the document's in reasonable. I would like to publish this as a draft version on oauth.net in the very near future (like, this week), so get comments and feedback to me on this soon. I'm going to be at IIW all week if anyone wants to back me into a corner and talk about this.
>>>>>>> 
>>>>>>> -- Justin
>>>>>>> 
>>>>>>>> On Oct 16, 2014, at 12:54 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>>> 
>>>>>>>> Participants:
>>>>>>>> 
>>>>>>>> * Brian Campbell
>>>>>>>> * John Bradley
>>>>>>>> * Derek Atkins
>>>>>>>> * Phil Hunt
>>>>>>>> * William Kim
>>>>>>>> * Josh Mandel
>>>>>>>> * Hannes Tschofenig
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Notes:
>>>>>>>> 
>>>>>>>> Justin distributed a draft writeup and explained the reasoning behind
>>>>>>>> it. The intended purpose is to put the write-up (after enough review) on
>>>>>>>> oauth.net. See attachments. Justin solicited feedback from the
>>>>>>>> conference call participants and from the working group.
>>>>>>>> 
>>>>>>>> One discussion item was specifically related to the concept of audience
>>>>>>>> restrictions, which comes in two flavours: (a) restriction of the access
>>>>>>>> token regarding the resource server and (b) restriction of the id token
>>>>>>>> regarding the client. Obviously, it is necessary to have both of these
>>>>>>>> audience restrictions in place and to actually check them.
>>>>>>>> 
>>>>>>>> The group then went into a discussion about the use of pseudonyms in
>>>>>>>> authentication and the problems deployments ran into when they used
>>>>>>>> pseudonyms together with a wide range of attributes that identified
>>>>>>>> users nevertheless. Phil suggested to produce a write-up about this topic.
>>>>>>>> 
>>>>>>>> Finally, the group started a discussion about potential actions for the
>>>>>>>> OAuth working groups. Two activities were mentioned, namely to produce
>>>>>>>> an IETF draft of the write-up Justin has prepared as a "formal" response
>>>>>>>> to the problems with authentication using OAuth and, as a second topic,
>>>>>>>> potential re-chartering of the OAuth working group to work on some
>>>>>>>> solutions in this area. Hannes suggested to postpone these discussions
>>>>>>>> and to first finish the write-up Justin had distributed.
>>>>>>>> 
>>>>>>>> Ciao
>>>>>>>> Hannes & Derek
>>>>>>>> <Authentication with OAuth 2.doc><Authentication with OAuth 2.html><Authentication with OAuth 2.pdf>_______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>

v2.23.0 | Report a Bug | By Email