Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
Thomas Broyer <t.broyer@gmail.com> Fri, 22 January 2016 16:33 UTC
From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 22 Jan 2016 16:32:43 +0000
Message-ID: <CAEayHEP4DmWjngvWFdHH2h1edpksot=DJWJasddh6K3FCTAkaA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Michael Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2FHtV-lnJRFTO2V1iKF2NL78zLs>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Hi John,

On Thu, 21 Jan 2016 at 15:42, John Bradley <ve7jtb@ve7jtb.com> wrote:

> We merged the state verification in with this rather than forcing people
> to also look at the JWT encoded State draft.
> https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state.
>
> While JWT encoded state is how I would do state in a client and at least
> one client I know of uses it, it is not the only way to manage state,

And not how I'd do it (unless you convince me that JWT is really better and
the advantages outweigh the network bloat).

> and I am hesitant that developers might be scared away by thinking they
> need to encode state as a JWT.
>
> I decided that cross referencing them is better. This made sending much
> simpler to describe.

Wouldn't linking to RFC 6819 be enough?

> I also removed the hashing from state. That cut the text by about 2/3 by
> not having to describe character set normalization so that both the client
> and the AS could calculate the same hash.
>
> That also achieved the goal of not requiring a simple OAuth client doing
> the code flow to add a crypto library to support SHA256.
>
> Once we make an algorithm mandatory, we need to defend why we don't have
> crypto agility, e.g. support for SHA3 etc. We would be forced by the IESG to
> add another parameter to the request to specify the hash alg if we went
> that direction.
>
> Given that we assume state to be public info in the request that an
> attacker can see, hashing state provides not much value for a lot of
> complexity that people may get wrong or not implement.
>
> I appreciate why from a theory point of view hashing it would have been
> better.
>
> If people really want it I can add it back.
>
> John B.
>
> On Jan 21, 2016, at 3:28 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up
>> Mitigation draft. Changes were:
>>
>> · Simplified by no longer specifying the signed JWT method for
>>   returning the mitigation information.
>> · Simplified by no longer depending upon publication of a discovery
>>   metadata document.
>> · Added the "state" token request parameter.
>> · Added examples.
>> · Added John Bradley as an editor.
>>
>> The specification is available at:
>> · http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
>>
>> An HTML-formatted version is also available at:
>> · http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html
>>
>> -- Mike
>>
>> P.S. This note was also posted at http://self-issued.info/?p=1526 and as
>> @selfissued <https://twitter.com/selfissued>.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
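The thread above argues about how "state" should be verified: John's draft has the client send `state` to the token endpoint so the authorization server (AS) can check it against the authorization request that produced the code, and it drops the hashing so that a plain-code-flow client needs no crypto library. The following is an added, self-contained model of that check, written for this page; it is not code from the draft or from any list participant. It assumes (1) that the AS binds each issued code to the `client_id` and `state` of the authorization request and compares the `state` presented at the token endpoint as a plain value, and (2) that the authorization response carries an `iss` value identifying the AS, so the client can refuse to redeem a code at any AS other than the one it started with. Class and method names (`AuthorizationServer`, `Client`, `authorize`, `token`, `callback`) and the in-memory stores are hypothetical stand-ins for HTTP endpoints and server-side storage.

```python
"""Added example: client- and AS-side "state" verification for the OAuth 2.0
authorization code flow, modelled in memory (no HTTP). Assumptions are
labelled in comments; nothing here is taken from the draft's text."""

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    issuer: str
    # ASSUMPTION: the AS keeps, per issued code, the client_id and the state
    # from the authorization request (constructed in-memory store).
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, state: str) -> dict:
        """Handle an authorization request and build the redirect parameters."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, state)
        # RFC 6749 echoes state; the "iss" value is the mitigation information
        # the draft returns in the authorization response (ASSUMPTION).
        return {"code": code, "state": state, "iss": self.issuer}

    def token(self, client_id: str, code: str, state: str) -> dict:
        """Token endpoint with the draft's "state" request parameter (ASSUMPTION)."""
        entry = self.codes.pop(code, None)  # a code is single-use
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_state = entry
        # Plain, constant-time comparison of the state value: no hashing,
        # hence no hash-algorithm negotiation, as John argues in the thread.
        same_state = hmac.compare_digest(bound_state.encode(), state.encode())
        if bound_client != client_id or not same_state:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


@dataclass
class Client:
    client_id: str
    # pending state -> issuer the client sent the user to (constructed store)
    pending: dict = field(default_factory=dict)

    def start(self, issuer: str) -> str:
        """Begin a flow: mint an unguessable state bound to the chosen AS."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def callback(self, response: dict, servers: dict) -> dict:
        """Handle the redirect; `servers` maps issuer -> AS (stands in for HTTP)."""
        state = response.get("state", "")
        expected_issuer = self.pending.pop(state, None)
        if expected_issuer is None:
            return {"error": "unknown_state"}
        # Mix-up defence: the code is only ever sent to the AS this state
        # was created for, and only if the response claims to come from it.
        if response.get("iss") != expected_issuer:
            return {"error": "issuer_mismatch"}
        return servers[expected_issuer].token(self.client_id, response["code"], state)


def demo() -> dict:
    """Run the honest flow and two rejected variants; returns the outcomes."""
    good_as = AuthorizationServer("https://as.example")
    client = Client("client-1")
    servers = {"https://as.example": good_as}

    # honest flow
    state = client.start("https://as.example")
    ok = client.callback(good_as.authorize("client-1", state), servers)

    # response that names a different issuer than the one the state was bound to
    state2 = client.start("https://as.example")
    resp2 = dict(good_as.authorize("client-1", state2), iss="https://other.example")
    mismatch = client.callback(resp2, servers)

    # token request whose state does not match the one bound to the code
    resp3 = good_as.authorize("client-1", "state-for-some-other-flow")
    wrong_state = good_as.token("client-1", resp3["code"], "a-different-state")

    return {"ok": ok, "mismatch": mismatch, "wrong_state": wrong_state}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is that the AS-side check needs nothing beyond a string comparison, which is the trade-off John describes: state is visible in the request anyway, so hashing buys little, while binding the code to the exact state and to the client that presents it, and having the client refuse any response that does not name the issuer it started with, is what closes the mix-up.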