Re: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession

John Bradley <ve7jtb@ve7jtb.com> Thu, 26 November 2015 12:45 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3EA11B2B4D for <oauth@ietfa.amsl.com>; Thu, 26 Nov 2015 04:45:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D5pRf-DxQXMX for <oauth@ietfa.amsl.com>; Thu, 26 Nov 2015 04:45:22 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 878951B2B44 for <oauth@ietf.org>; Thu, 26 Nov 2015 04:45:22 -0800 (PST)
Received: by qgea14 with SMTP id a14so53138346qge.0 for <oauth@ietf.org>; Thu, 26 Nov 2015 04:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3XCL13nXUZDoNcmCnu43tkHviAzRgHRdlEeHRFwSxiw=; b=vZ9Wcmh1WB8/e7LUTC4QQdzEYB2OwnKc/Xy9BZE6BGvfXYPhx/3Pa668o76r48g/zR EIGSAzLuHnZeml9thSMZlQKTygwWX5qwPaDMkJegFsrkSzUAx7LM1CxmzRvyU2/v6Xyl OfDNIxlTzSC3HxdsHnOLrUQHNP1P4OWEH6mM0zwKm/T1ocOjoU29YMBttvrvXm7XQJs9 VKJ8nBNahi9F7lSaDxTXFn6RuO/LAHb0Mtytq6s6+4yRUgUsVn1XBSOqj9hIs4aWJ8LT KhEjh19Nj90hna8uHOzTP3EbbITk3+pqE+g+Gfhu/DS/50ZFYRbI+MhdXPIvIUikVlzk hZtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=3XCL13nXUZDoNcmCnu43tkHviAzRgHRdlEeHRFwSxiw=; b=OkTX9pFjmY04DKy1Bh5h8QN+DBKVtgunglMitqU4EbID8o32i3ST2DSR+YTLf5D+ox vr3w93CEg8eUQ3ms/o69a+OviFajjxJV24pk7Zc/jZVuXDk6kWLmzxy0x6am2LzouboT B85Pv2i0qR65qG6MAVGVQv76D9oSIs8xCkcTVgMuXZt5WZJ7Oong7de0gEDrocZQUzZP i+iDW9rxiDRdHlu+biyjL30yzQkXq61Jg6XJrP6taupwGSy3eGZ4V1uLq0XHJ7mQsCpG O5l54JgmMRJ89r3Or4x7d5biSryhTRj72A/p3ymO6MErROMZxhdmhXu/wFGbSktjDtec tizw==
X-Gm-Message-State: ALoCoQn+e62ObETba01NSp/vnxZXHAScIfI8qZfeKipcpL2nFODxqd+AKJjjTcT8l2e3xuK83vDX
X-Received: by 10.140.19.177 with SMTP id 46mr45889049qgh.67.1448541921543; Thu, 26 Nov 2015 04:45:21 -0800 (PST)
Received: from [192.168.1.216] ([191.115.122.254]) by smtp.gmail.com with ESMTPSA id f7sm7096930qhf.7.2015.11.26.04.45.19 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Nov 2015 04:45:20 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BY2PR03MB442EDABC44098E453B8C313F5040@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Thu, 26 Nov 2015 09:45:17 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <9C5F3F9A-3197-4080-B412-389318780D9A@ve7jtb.com>
References: <CAHbuEH4J5SYVuWe5+OHfCQARuZhOJ6hG=5RqUkh5Ebad_RneAg@mail.gmail.com> <BY2PR03MB442BD8E7C5AFA8D79C79AEAF5050@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH7pJFKH_gJE6aSHCBQZL5eZ9qxyHajzjwz=5v8+LD7ywQ@mail.gmail.com> <BY2PR03MB4422F5F3905D4118D9D540BF5050@BY2PR03MB442.namprd03.prod.outlook.com> <CAHbuEH6x4fxPmho8RbgFLngXGROcDfGhSWkDAAciVkYa7AOXTw@mail.gmail.com> <BY2PR03MB44297DA1D6A4C4F125EBCFCF5050@BY2PR03MB442.namprd03.prod.outlook.com> <4AF8FE9C-3484-410B-B52F-C1F9706B18A5@ve7jtb.com> <CAHbuEH4XEBJRDPnmPr_8V2wkFZwoF=w3S36UO2sKFh=SvwcRAA@mail.gmail.com> <BY2PR03MB442EDABC44098E453B8C313F5040@BY2PR03MB442.namprd03.prod.outlook.com>
To: Michael Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/21nqrko8DRcedpuPP_vRtXSWylY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 12:45:26 -0000

May should perhaps be might.   This spec can’t confer or deny the ability for implementations that don’t support this extension to process JWT containing it.

I think the concern is that some people may misunderstand what cnf is doing, and think that a recipient not supporting cnf would automatically reject it.

cnf allows recipients that support confirmation methods to reject tokens not sent by entities that possess the correct confirmation material.

It is aud that restricts what  recipients can process the assertion.

So use aud to restrict the recipients, and cnf to restrict the presenters.  

A producer SHOULD restrict the valid recipients in aud to recipients that support the cnf mechanism otherwise they will not get the get the benefit of presenter restriction at the recipients that don’t support it.

The danger is that someone using cnf will assume that the token can only be used by the entity possessing the cnf material, and that is not necessarily true.
If the token is otherwise valid (correct iss, aud and sig) , and the recipient doesn’t understand cnf then a attacker who has the token might be able to use it as a bearer token at the endpoint.

This is probably too self evident to us, as we are close to the subject.

So I think that the last paragraph of 4 is mostly OK.
I think however we need to say that the way to stop endpoints that don’t support cnf from processing tokens as bearer is to not include them in the aud.  

On another point that Kathleen raised in 3.1

I think Kathleen's reading may have led her to the conclusion that if there are no members of the cnf claim that the recipient understands then the cnf claim itself MUST be ignored.
That wouldn’t be my interpretation but looking at it again, I can see how someone might read it that way.

Do we want to say that if there are no members that the recipient understands then it SHOULD be an error, or leave it up to the protocols using cnf to determine if it should be processed as a bearer token.   

In any event we don’t want people ignoring the resulting empty cnf claim.

In most cases bearer and POP tokens will be presented differently because PoP tokens need a way to present the proof, so a missing cnf element would be a clear error.

In other cases the proof might be passive.  Token Binding or source IP.  In that case a recipient might leave it up to the producer of the token to determine if it should be bound to the presenter.    

I can see an argument for saying at the token level that a JWT containing a cnf member with no understood members is malformed.

These are two separate issues.

John B.



> On Nov 26, 2015, at 3:59 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> I hadn't seen this part of the thread until now.  (I thought it was part of the voluminous thread on the PoP architecture document.)
> 
> The "may accept JWT containing “cnf” elements" language sounds like it's giving applications permission to do this.  Is that the intent of the language you proposed, or were you intending something different, John?
> 
> Also, can you expand on the "pseudo audience" idea?  In what way might a proof-of-possession be confused with an audience?
> 
> 				Thanks,
> 				-- Mike
> 
> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] 
> Sent: Wednesday, November 25, 2015 2:13 PM
> To: John Bradley <ve7jtb@ve7jtb.com>
> Cc: Mike Jones <Michael.Jones@microsoft.com>om>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
> 
> Thanks, John!
> 
> On Wed, Nov 25, 2015 at 4:41 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> I prefer the new wording.
>> 
>> However the last part could be clearer.
>>> use be implemented by recipients.
>> 
>> Or perhaps the blunter “Recipients only understanding bearer tokens may accept JWT containing “cnf” elements if all the other required claims are valid.  It is important for security to audience restrict tokens using the JWT “aud claim.  The “cnf” claim MUST NOT be used as a pseudo audience restriction.”
> 
> More explicit text like this is is more helpful in my opinion.
> 
> Kathleen
>> 
>> Looking at the comments, I get the feeling that some people might think that cnf may restrict what endpoints can receive the token (because of the key distribution)  it only allows endpoints that should receive the token to reject ones that come from entities who don’t possess the correct confirmation.
>> 
>> John B.
>> 
>>> On Nov 25, 2015, at 12:25 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>> 
>>> Rather than elaborating, having looked at the text we're discussing again, I'm going to counter-propose that we instead simplify - sticking only to the point that the paragraph is intending to get across.  Would it work for you to simplify the current text:
>>> 
>>>   "A recipient might not understand the cnf claim, in which case it will typically be ignored. Unless this is acceptable behavior, applications that need the proof-of-possession keys communicated with it to be understood and processed must require that the parts of this specification that they use be implemented."
>>> 
>>> to this simpler text?
>>> 
>>>   "A recipient might not understand the cnf claim.  Applications that need the proof-of-possession keys communicated with it to be understood and processed must require that the parts of this specification that they use be implemented."
>>> 
>>> The "must ignore" topic is already addressed in the second paragraph of 3.1 (and with exactly the semantics as the rest of JWT), and so doesn't have to be re-raised here, as it currently is.  Re-raising it is clearly a point of distraction.
>>> 
>>> For what it's worth, I don't remember any DISCUSSes on this topic (although it's possible that your memory is better than mine on this point).
>>> 
>>>                              Best wishes,
>>>                              -- Mike
>>> 
>>> -----Original Message-----
>>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>>> Sent: Tuesday, November 24, 2015 7:14 PM
>>> To: Mike Jones <Michael.Jones@microsoft.com>
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] AD review of 
>>> draft-ietf-oauth-proof-of-possession
>>> 
>>> On Tue, Nov 24, 2015 at 10:10 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>> Fair question about the use of "typically".  The reason it's there is that this language in JWT [RFC 7519] Section 4 does permit applications to require that JWTs with not-understood claims be rejected, rather than ignored, even though that's not the default behavior:
>>>> 
>>>>  The set of claims that a JWT must contain to be considered valid is
>>>>  context dependent and is outside the scope of this specification.
>>>>  Specific applications of JWTs will require implementations to
>>>>  understand and process some claims in particular ways.  However, in
>>>>  the absence of such requirements, all claims that are not understood
>>>>  by implementations MUST be ignored.
>>>> 
>>>> So when not understood, "cnf" would typically be ignored, but might not be.
>>> 
>>> I find that confusing and am now thinking this came up in a discuss as well during the review for 7519, didn't it?  Can you elaborate int eh security considerations section a bit more, otherwise this text appears to be conflicting and even with what you intend, it's confusing for implementers and will lead to issues with interoperability.
>>> 
>>> Thanks,
>>> Kathleen
>>> 
>>> 
>>>> 
>>>>                               -- Mike
>>>> 
>>>> -----Original Message-----
>>>> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
>>>> Sent: Tuesday, November 24, 2015 6:41 PM
>>>> To: Mike Jones <Michael.Jones@microsoft.com>
>>>> Cc: oauth@ietf.org
>>>> Subject: Re: [OAUTH-WG] AD review of 
>>>> draft-ietf-oauth-proof-of-possession
>>>> 
>>>> Hi Mike,
>>>> 
>>>> Thanks for the quick turn-around.  Just one more comment on my comments.
>>>> 
>>>> On Tue, Nov 24, 2015 at 9:10 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>>> Thanks for your review comments, Kathleen.  Responses are inline below...
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kathleen 
>>>>>> Moriarty
>>>>>> Sent: Tuesday, November 24, 2015 9:44 AM
>>>>>> To: oauth@ietf.org
>>>>>> Subject: [OAUTH-WG] AD review of
>>>>>> draft-ietf-oauth-proof-of-possession
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> Thank you all for your work on this draft!  I just have a few questions:
>>>>>> 
>>>>>> 1. Security considerations section says:
>>>>>> 
>>>>>> "All of the normal security issues, especially in relationship to
>>>>>>  comparing URIs and dealing with unrecognized values, that are
>>>>>>  discussed in JWT [JWT] also apply here."
>>>>>> 
>>>>>> I find that to be odd phrasing that would likely be picked up in 
>>>>>> subsequent reviews.  Please remove the word "normal" so that all 
>>>>>> of the security issues discusses in JWT are included.  Are there 
>>>>>> other 'normal considerations in addition to those in JWT that need 
>>>>>> to be listed?  The phrasing reads as if that may the case and 
>>>>>> would be better to include them all or pointers or change the phrasing.
>>>>> 
>>>>> You're right.  I removed this awkward wording.
>>>>> 
>>>>>> 2. Also in the security considerations section,
>>>>>> 
>>>>>>  "A recipient may not understand the newly introduced "cnf" claim and
>>>>>>  may consequently treat it as a bearer token."
>>>>>> 
>>>>>> What is the proper handling requirement when an unknown claim is 
>>>>>> present?  Section 3.1 says:
>>>>>> "When a recipient receives a "cnf" claim with a
>>>>>>  member that it does not understand, it MUST ignore that member."
>>>>>> 
>>>>>> Is this why it is treated as a bearer token rather than being 
>>>>>> rejected?  Is this really the action you want to see with cnf?  
>>>>>> Why isn't there an error and a resend as a bearer token so that 
>>>>>> parties understand (or have an opportunity to understand) that there were issues?
>>>>>> 
>>>>>> Then the following text in the security section says:
>>>>>> "While this is a
>>>>>>  legitimate concern, it is outside the scope of this specification,
>>>>>>  since demonstration the possession of the key associated with the
>>>>>>  "cnf" claim is not covered by this specification. For more 
>>>>>> details,
>>>>>> 
>>>>>> How is this outside of the scope of this draft?  cnf is defined in 
>>>>>> this draft, so handling should be covered in this draft.  A 
>>>>>> pointer to the POP architecture draft is not helpful as it is not 
>>>>>> defined there, it's covered int his draft.  Should this text just 
>>>>>> be removed and replaced with more explicit handling information int he body of this draft?
>>>>> 
>>>>> Good catch.  JWT [RFC 7519] Section 4 says that claims that are not understood must be ignored unless otherwise specified by the application.  This allows new claims to be dynamically added without breaking existing applications.  For the same reason, I have incorporated this language about understanding claims from 7519, but having it be about understanding confirmation members.  Ultimately, what features must be implemented are always up to the application, just as with JWT claims.
>>>> 
>>>> The new text in Section 3.1 looks good.  I'm not sure why the word "typically" appears int he new text of the security considerations section though after reading the new text in 3.1.  Wouldn't it just be ignored since 3.1 now says:
>>>> 
>>>>  "However, in the absence of such requirements,
>>>>   all confirmation members that are not understood by implementations
>>>>   MUST be ignored."
>>>> 
>>>> Thanks,
>>>> Kathleen
>>>> 
>>>> 
>>>>> 
>>>>>> Thanks!
>>>>>> 
>>>>>> --
>>>>>> 
>>>>>> Best regards,
>>>>>> Kathleen
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>>                               Thanks again,
>>>>>                               -- Mike
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> 
>>>> Best regards,
>>>> Kathleen
>>> 
>>> 
>>> 
>>> --
>>> 
>>> Best regards,
>>> Kathleen
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen