Re: [OAUTH-WG] Refresh token security considerations

Brian Eaton <beaton@google.com> Tue, 12 July 2011 16:32 UTC

On Tue, Jul 12, 2011 at 8:29 AM, William J. Mills <wmills@yahoo-inc.com> wrote:
> Why would you re-issue a refresh token every usage?  What's the use case
> where this makes sense?

It's key rotation built into the protocol.  Even if a refresh token is
stolen, it's going to become useless to the attacker very quickly.

My main concern with rotating refresh tokens with every use is that it
can cause problems with distributed client apps; they have to keep the
refresh token in sync, and it adds complexity.  But for desktop and
mobile apps it's quite a good idea.

(You can see a similar design in how Active Directory manages Kerberos
machine keys.  They took a slightly different approach, in that the
client machines phone home to change their keys, but it provides
similar benefits.)
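Refresh-token rotation as described in the message above, worked through as an added example (not code from this thread or from any real authorization server): the token endpoint retires each refresh token when it is used and mints a replacement, so a stolen copy stops working as soon as the legitimate client refreshes. It goes a step beyond the message by treating a retired token being presented again as a signal to revoke the whole grant, which is also the failure that a distributed client with out-of-sync instances will run into. The class and function names (`AuthorizationServer`, `Grant`, `issue_grant`, `refresh`) are assumptions of this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One user authorization; every refresh token issued for it belongs to this family."""
    user: str
    client_id: str
    revoked: bool = False


class AuthorizationServer:
    """Constructed token endpoint that rotates the refresh token on every use."""

    def __init__(self):
        self.grants = {}          # grant_id -> Grant
        self.refresh_tokens = {}  # refresh token -> [grant_id, already_rotated]

    def issue_grant(self, user, client_id):
        """Initial token issuance after the user authorizes the client."""
        grant_id = secrets.token_urlsafe(8)
        self.grants[grant_id] = Grant(user, client_id)
        return self._mint(grant_id)

    def _mint(self, grant_id):
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = [grant_id, False]
        return {"access_token": access, "refresh_token": refresh}

    def refresh(self, refresh_token, client_id):
        """Exchange a refresh token for new tokens; the presented token is retired."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None:
            return {"error": "invalid_grant"}
        grant_id, already_rotated = entry
        grant = self.grants[grant_id]
        if grant.revoked or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if already_rotated:
            # A retired token came back: either a thief and the real client both
            # hold it, or client instances are out of sync. Revoke the whole family
            # so neither the old nor the current refresh token works any more.
            grant.revoked = True
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        entry[1] = True  # retire the token that was just used
        return self._mint(grant_id)
```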