Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

Thomas Broyer <t.broyer@gmail.com> Fri, 22 January 2016 16:33 UTC

Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 395661B137B for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 08:33:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yBoueh2Mz_9F for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 08:32:55 -0800 (PST)
Received: from mail-lb0-x230.google.com (mail-lb0-x230.google.com [IPv6:2a00:1450:4010:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7834C1AD49F for <oauth@ietf.org>; Fri, 22 Jan 2016 08:32:54 -0800 (PST)
Received: by mail-lb0-x230.google.com with SMTP id oh2so44070795lbb.3 for <oauth@ietf.org>; Fri, 22 Jan 2016 08:32:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=Ooe4RaLDgmpuC2tjOiMlUHQ98A50Dg7KityRipeuVhk=; b=vashjhdUDgyR2IT5aBUr0ViAtMc99UXfaOGtDJbH30tZG9BFZHJ9U4bngwvF3ZIYPO hZ+xaOCgKZHASdlcrCUq+4RIoORyLnGoZ4IK5KN0v87guhAi/fXgMghs68+fPVFEjvjh 9XZID4K4h0DiG5KXbRT/3YmoMeFxotdgkcMrJAE0c/O+0WYNgEK7BnYn5jrOEABvpCma aKr1/ZoEfhcW3ZP7d5gznu+PIGZtCkT9JPMN2nZI1/K0Sg8jMKmwba+dyJ2CxGZEpnCg gLMB7X3ulKUZ5pLgZ1As1QEMMtksrTRA3yTDxtE0kcmaI1OJbtGzcO16khrzCghaT+lj +TAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=Ooe4RaLDgmpuC2tjOiMlUHQ98A50Dg7KityRipeuVhk=; b=bPmJS8jz1wsyTon1i1UsHr7Fel8QQYFyrcRPNUcTYcdQ0/rk9R2jLejaFXjBZk2gUG 5Cm+kT/In7TO3HdH4rRrSlVU2jHRdVdKVZWxnDFXlysqqyKsqrXY0P4QwDo1akAjSikP isU5VRMINhXuNeYscASB3lm3B/kzoQ/li5liGMRuBlP2fxPpsxgHLQmuHwVRFFWhTCIG iZSTzPGQ0zH6ECV2mD22vLOzrkTRTCts0PpjYN0LRctMvoSzxxHI5rWfv9gcCHSquow4 sRP4EaPgd5Zg2TEZhDMI9W4RUSaYmA0VJZ+Hj+IlNG3Ilh6YC7GuLp7NwK8DQc2TjXEp 610A==
X-Gm-Message-State: AG10YOTr/24Aydm2L8fMio6MYTfnpcO+korZuSaSKjLpVvagnPc52G4sUDTAswgy458UzIfTAJfWpP2+baRQQA==
X-Received: by 10.112.156.164 with SMTP id wf4mr1641909lbb.15.1453480372722; Fri, 22 Jan 2016 08:32:52 -0800 (PST)
MIME-Version: 1.0
References: <BY2PR03MB442662C73E3904E73D9B9EFF5C30@BY2PR03MB442.namprd03.prod.outlook.com> <FD34E5B7-2884-4789-9DF3-217F027F6556@ve7jtb.com>
In-Reply-To: <FD34E5B7-2884-4789-9DF3-217F027F6556@ve7jtb.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Fri, 22 Jan 2016 16:32:43 +0000
Message-ID: <CAEayHEP4DmWjngvWFdHH2h1edpksot=DJWJasddh6K3FCTAkaA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Michael Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11c34b7a4de4120529eec537
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2FHtV-lnJRFTO2V1iKF2NL78zLs>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 16:33:01 -0000

Hi John,


Le jeu. 21 janv. 2016 15:42, John Bradley <ve7jtb@ve7jtb.com> a écrit :

> We merged the state verification in with this rather than forcing people
> to also look at the JWT encoded State draft.
> https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state.
>
> While JWT encoded state is how I would do state in a client and at-least
> one client I know of uses it, it is not the only way to manage state,
>

And not how I'd do it (unless you convince me that jwt is really better and
the advantages outweigh the network bloat)

and I am hesitant that developers might be scared away by thinking they
> need to encode state as a JWT.
>
> I decided that cross referencing them is better.   This made sending much
> simpler to describe.
>

Wouldn't linking to RFC 6819 be enough?

I also removed the hashing from state.   That cut the text by about 2/3 by
> not having to describe character set normalization so that both the client
> and the AS could calculate the same hash.
> That also achieved the goal of not requiring a simple OAuth client doing
> the code flow to add a crypto library to support SHA256.
>
> Once we make a algorithm mandatory, we need to defend why we don’t have
> crypto agility eg support for SHA3 etc.  We would be forced by the IESG to
> add another parameter to the request to specify the hash alg if we went
> that direction.
>
> Given that we assume state to be public info in the request that an
> attacker can see, hashing state provides not much value for a lot of
> complexity that people may get wrong or not implement.
>
> I appreciate why from a theory point of view hashing it would have been
> better.
>
> If people really want it I can add it back.
>
> John B.
>
> On Jan 21, 2016, at 3:28 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> John Bradley and I collaborated to create the second OAuth 2.0 Mix-Up
> Mitigation draft.  Changes were:
> ·       Simplified by no longer specifying the signed JWT method for
> returning the mitigation information.
> ·       Simplified by no longer depending upon publication of a discovery
> metadata document.
> ·       Added the “state” token request parameter.
> ·       Added examples.
> ·       Added John Bradley as an editor.
>
> The specification is available at:
> ·       http://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
>
> An HTML-formatted version is also available at:
> ·
> http://self-issued.info/docs/draft-jones-oauth-mix-up-mitigation-01.html
>
>                                                           -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1526 and as
> @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>