Re: [OAUTH-WG] Signed JWK Sets
Joseph Salowey <joe@salowey.net> Fri, 12 April 2024 03:46 UTC
Return-Path: <joe@salowey.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E4AC14F600 for <oauth@ietfa.amsl.com>; Thu, 11 Apr 2024 20:46:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tAy7akbngMuQ for <oauth@ietfa.amsl.com>; Thu, 11 Apr 2024 20:46:10 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F605C14F614 for <oauth@ietf.org>; Thu, 11 Apr 2024 20:46:06 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2d29aad15a5so3930931fa.3 for <oauth@ietf.org>; Thu, 11 Apr 2024 20:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1712893563; x=1713498363; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/d2pBW/hF/e6yKcp6lEzjIqy0LloyjkpuAn7Teu8xzo=; b=azb81P5ai8R+jx6UH6D2KzxbNgWnlC06lKgq5Imasyqd/8YIMuMGyVstfpe41s1ONj AfcpBPBqaz2hb+zTyA0Y2/xOweBc7GTYeWki+ddz21P7m76OxbWRDWBJfXrZJ662mJo7 udZ1fABf7P1m2/D1O4af4bNUuAlL/uKXhipbCHxshzuVCH/6XHrezC5hOju2leXDNPbI DgVijHFjayHDMGb+KJF+wBdsg/uP8XDFGo2zPFJfTdNYtH2w2BNcuaoDp22XpkdgPpV5 1Fu+HTbQJQPLARchK8hHhFirrjpyZP7ZZ5t0yfWLqYB1/XyG0W/1j92rrlPPykfw5JS0 lrLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712893563; x=1713498363; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/d2pBW/hF/e6yKcp6lEzjIqy0LloyjkpuAn7Teu8xzo=; b=vwNa8nvsxwUoW8dxhFsk7ImXoy+iXuaGDn98G58Bn3c1k7BtARHEqWq7gXLC4Wbyv9 Dx95NLchi0ZsxymrOk4Jc9w/HqSBUdyVmuqtpFp8oK7tR6kuQ94yQYb+0FBOGfP7tJVu QlGsWskj2+JnqJWglvnqWnSk6SPG+SY/Uvo+iBjkarx5DVpzIxD38zJ1rNka752IcnjY GOiLavwCOusZgAxU6vYFgXzFIqmphttZxMPS1NqxbXqGEqIQ/4cmWW8OmsUPjFb85VLy MfXN4IgoR9D16G/hJCk6JYB9AgWAem+sw9uMfqCHSH/5Uz+MUDw+/FsDatdqBsa1E2Od bSLw==
X-Forwarded-Encrypted: i=1; AJvYcCX72TPlL/XTAST+jYxLWbMAYTSmKquKn8zCcnI538onA94eH1i71q8UlaNAfykhtHKR8TJnNKY69pTlhIloXw==
X-Gm-Message-State: AOJu0Yyx086MIwLX7pPGpuWUq7RJ81Zs2YP5PIfEDUdZdwGQhi5+Gg36 yIDHLMjPfJqS0NCvpsuXyJV1/8RQ8GlSUavDb8WWgXrpYO401mnV5mqb/7l52muNgK7VH83g1Cz /Fp2SMEzCHcCMY+CrkCR6cJ9kuZuSi+4a2jBonw==
X-Google-Smtp-Source: AGHT+IFUTOp+0uUxmuGhfo5qjVxiw0g9FsAv4d6t0hQjDp8CLsCLzImZA/uq5qgX0Poa5s10jQVINKhdb948ouB1dc0=
X-Received: by 2002:a2e:9350:0:b0:2d6:dba5:a3ad with SMTP id m16-20020a2e9350000000b002d6dba5a3admr821695ljh.1.1712893563394; Thu, 11 Apr 2024 20:46:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com> <CAL02cgQG4Fhn2zCmq0EFLJReB_jf257msdM9OEgYr03n6D1qRg@mail.gmail.com> <CAEM=y+WEgqLa7+0jreqHTK2UjueEWU+hJ05peuO6wSzyQ4WN=Q@mail.gmail.com> <7D922D5F-5277-4884-820E-35DC3E02FCB3@gmail.com> <CAEM=y+VkFksRsH9WYBq2yZu7HR5GCFEgT98tLmrs_PgF_+tHow@mail.gmail.com>
In-Reply-To: <CAEM=y+VkFksRsH9WYBq2yZu7HR5GCFEgT98tLmrs_PgF_+tHow@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 11 Apr 2024 20:45:51 -0700
Message-ID: <CAOgPGoAA00VK9aNZK226CtPSFnxeXOS8Lr4sHTt9sj2J0aKpNQ@mail.gmail.com>
To: Ethan Heilman <eth3rs@gmail.com>
Cc: Neil Madden <neil.e.madden@gmail.com>, OAuth WG <oauth@ietf.org>, Sharon Goldberg <goldbe@bastionzero.com>
Content-Type: multipart/alternative; boundary="000000000000627e690615de1cb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1u87xDVFLDWZ4Y_E9pJBoM05-F4>
Subject: Re: [OAUTH-WG] Signed JWK Sets
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 03:46:14 -0000
The mechanism in the draft provides some separation between the trust establishment and distribution which is useful. This is definitely applicable to the use cases described in the draft and I agree with Ethan that it can help in other areas as well depending upon how things are deployed. I support this draft. Joe On Thu, Apr 11, 2024 at 7:16 PM Ethan Heilman <eth3rs@gmail.com> wrote: > Hi Neil, > > I agree that PIKA would not protect against an attacker compromising a > JWKS URI via a mis-issued TLS cert. > > I was thinking of a simpler attack where the attacker compromises the > server where a JWKS URI is hosted or the JWKS is stored. For instance > consider an JWKS which is read from a database. An attacker could use a SQL > injection to add their own key to the JWKS. Because such an attacker does > not compromise any TLS certificates PIKA would defeat this attack (assuming > the verifier required PIKA for that JWT issuer). > > Today, write access to a JWKS is sufficient to comprise the signing > authority of a JWT issuer. With PIKA write access to a JWKS may not be > sufficient to compromise the signing authority of a JWT issuer. > > Thanks, > Ethan > > > On Thu, Apr 11, 2024 at 5:15 PM Neil Madden <neil.e.madden@gmail.com> > wrote: > >> On 11 Apr 2024, at 01:12, Ethan Heilman <eth3rs@gmail.com> wrote: >> >> >> I want to voice my support for this draft: Proof of Issuer Key Authority >> (PIKA). The ability to reason about the past validity of JWKS is extremely >> useful for using OIDC in signing CI artifacts and e2e encrypted >> messaging.This includes what we are building at OpenPubkey ( >> github.com/openpubkey/openpubkey) and also proposed security >> improvements to software supply chain systems like SigStore ( >> https://arxiv.org/pdf/2307.08201.pdf). >> >> I want to underscore the value of PIKA to increase the security of JWKS >> URIs and OpenID Connect. Currently if an attacker compromises an OpenID >> Provider's JWKS URI the attackers can substitute their own public keys and >> impersonate any user to any relying parties who depend that OpenID >> Provider. The effects of Google, Microsoft or Okta's JWKS URI being >> controlled by a malicious party for even a few minutes could be >> devastating. The widespread deployment of PIKA would remove this risk and >> require that attackers compromise not only the JWKS URI but also the PIKA >> signing keys. >> >> >> I'm still digesting this draft, and generally supportive of it. However, >> I don't think it stops the attack you mention here, which sounds similar to >> threats that Ryan Sleevi discussed for FastFed in [1]. Essentially, in the >> current OIDC model, an attacker that briefly compromises the jwks_uri of an >> OP (e.g. through a mis-issued TLS cert) can serve a JWK Set containing >> public keys under their own control with a long Cache-Control header. >> Clients then might blindly cache that key set even beyond the time when the >> certificate is revoked and the rightful owner restored. >> >> But I think this attack is basically the same even with PIKA. The >> attacker in this case just uses their mis-issued cert to sign the PIKA and >> serve that instead, perhaps putting a really long "exp" claim in it so that >> clients cache it for a really long time. The only thing that would stop >> that is if the draft insisted that clients regularly perform an OCSP or CRL >> lookup on the cert in the x5c chain to make sure it hasn't been revoked. >> But that would completely negate the benefits of avoiding clients all >> hitting the OP jwks_uri: we've just shifted the burden from the OP to the >> CA. >> >> Perhaps I'm missing something? >> >> [1]: >> https://docs.google.com/document/u/1/d/e/2PACX-1vQQ-FhNjW0ZhZVTnK1VG_87IBNZKBaJmweYZb1VBRdQCMAWXekqKfxdNl8wL6FWFDJ9pxXxpr66-GZp/pub?utm_source=illuminatedsecurity&utm_medium=email >> >> >> -- Neil >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] Signed JWK Sets John Zila
- [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Michael Jones
- Re: [OAUTH-WG] Signed JWK Sets Michael Jones
- Re: [OAUTH-WG] Signed JWK Sets Watson Ladd
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Watson Ladd
- Re: [OAUTH-WG] Signed JWK Sets Joseph Salowey
- Re: [OAUTH-WG] Signed JWK Sets Orie Steele
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Ethan Heilman
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Ethan Heilman
- Re: [OAUTH-WG] Signed JWK Sets Joseph Salowey
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Signed JWK Sets James Carnegie