IETF Logo Mail Archive

[OAUTH-WG] Review of draft-ietf-oauth-signed-http-request-03

Mike Jones <Michael.Jones@microsoft.com> Tue, 26 March 2019 14:35 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14FA812034B for <oauth@ietfa.amsl.com>; Tue, 26 Mar 2019 07:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Guc3hBnmHWIC for <oauth@ietfa.amsl.com>; Tue, 26 Mar 2019 07:35:51 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650102.outbound.protection.outlook.com [40.107.65.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93CAC1202CC for <oauth@ietf.org>; Tue, 26 Mar 2019 07:35:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qffKmoRv95APwlvvbgR2JjdCX+gYgcJxVK0Wpz1oNJQ=; b=kZzYVoJoSrTmvQRS0mluGPZeTR5Na/JrVAIMasvUsE5M0bd2VJlcPS3oNVFYWosFh5RzkqS0sdhGmgHRbUnmcHwFwQb1NfT65oSpB4rrY/JrruE8bH8RNLMX/5Ecu9926dmAtWWOETvLNCbLLfM7FV7cy+BCg2KkR07izviwXpQ=
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=alJ6abdr6k4HtJdiJXqkpaAWo7A0Vd1boF2KhSzg7C21ge+ux7WSUZxTVWmF9+wj34I0o3ZFjAwaTKIvQ0AP++SK/FbQ6PHP8j5WjJPiEcw1e6qs+xDzfqgoBruFEB/cr2VHHGxhTVGQlni8JurTNBmorKb6+59U3S6jlHyrq1A=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qffKmoRv95APwlvvbgR2JjdCX+gYgcJxVK0Wpz1oNJQ=; b=MwsJXNNwxHBnt63fHaO8prPOWxHi+Fdko6ifwHNK1KqrFKiKFA6CKb9fK5BYWrcJ6f8TwpprexnzwkcxtfX9tHPNp3/PQEaJB9LjN+UMAo+aebxvy3wdiqs/qLUjWL3QfjcFdc2tDClUuBhKpexDSNYOvZ00C+nlOJpc+IWqFp4=
ARC-Authentication-Results: i=1; test.office365.com 1;dmarc=none action=none header.from=microsoft.com;arc=none
Received: from BL0PR00MB0292.namprd00.prod.outlook.com (52.132.19.158) by BL0PR00MB0307.namprd00.prod.outlook.com (52.132.19.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1784.0; Tue, 26 Mar 2019 14:35:47 +0000
Received: from BL0PR00MB0292.namprd00.prod.outlook.com ([fe80::7487:5435:65d8:f2a8]) by BL0PR00MB0292.namprd00.prod.outlook.com ([fe80::7487:5435:65d8:f2a8%4]) with mapi id 15.20.1786.000; Tue, 26 Mar 2019 14:35:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
CC: Pamela Dingle <Pamela.Dingle@microsoft.com>
Thread-Topic: Review of draft-ietf-oauth-signed-http-request-03
Thread-Index: AdTj4F/QzsPC6xfER+SScmX5Gzzt4g==
Date: Tue, 26 Mar 2019 14:35:47 +0000
Message-ID: <BL0PR00MB0292AD1AE85165772A28E8FDF55F0@BL0PR00MB0292.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [62.168.35.69]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dc91cac3-5a11-46fd-fbaf-08d6b1f85665
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:BL0PR00MB0307;
x-ms-traffictypediagnostic: BL0PR00MB0307:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BL0PR00MB0307D69CF182E99281B364EFF55F0@BL0PR00MB0307.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 09888BC01D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(136003)(346002)(366004)(376002)(39860400002)(199004)(189003)(14454004)(2906002)(10090500001)(26005)(6116002)(102836004)(6346003)(2351001)(86362001)(478600001)(86612001)(72206003)(6506007)(186003)(790700001)(316002)(3846002)(105586002)(22452003)(10290500003)(966005)(106356001)(2501003)(97736004)(606006)(8990500004)(5640700003)(7736002)(71190400001)(236005)(55016002)(74316002)(9686003)(54896002)(8936002)(81156014)(1730700003)(8676002)(6916009)(256004)(25786009)(107886003)(4326008)(33656002)(53936002)(6436002)(66066001)(52536014)(486006)(7696005)(5660300002)(68736007)(81166006)(476003)(71200400001)(99286004)(14444005)(6306002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR00MB0307; H:BL0PR00MB0292.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 87g/ll/tnBbrdouSi7DQMdsRrVZoaB9ciXJuAhHAGasDx/XZVI4yBdhkYmnnIU/wu5iDLJ2T9ImKTCOy7M3ziHKH1MUlc9J6jx71rPupGuZ46KunOXA8JsGkX/rTdZCOKVTaFy3yPVARqhXbjL+4V+s6H/m4+OV19wqdg6T1wjS1o/PfFPjXI+93MpthV5P8qmy/jPRTUsShTpVKSvrany+JVlH/RbNd0K2oXPqHAVUBK70SDxbyJHcns7RcLLfFEdJuNsAIQpHln7iRdN/giNuwJvp9mEfEKQzhPZxe0SbHUrDohKlKHnMtot2/wHWRDu22lXNGxeBh3+6vkdczheAM/e97GFZQsh4TcsYXvxyxcVdIjTNYqL3/BCkHEEHumUTChWrlWQEvCww8y6KGYzU0VBwPfZnNgPfi3O48ukc=
Content-Type: multipart/alternative; boundary="_000_BL0PR00MB0292AD1AE85165772A28E8FDF55F0BL0PR00MB0292namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dc91cac3-5a11-46fd-fbaf-08d6b1f85665
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2019 14:35:47.6595 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR00MB0307
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/w3O06Wb6CDAbnRY5AZdOiBp04R8>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-signed-http-request-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 14:35:57 -0000

There are some deployments that I'm aware of that are considering using draft-ietf-oauth-signed-http-request.  Because of that, I've done a detailed review of https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03, which follows.  Only substantive issues are discussed.  If the draft is checked into GitHub, I'd be glad to create a pull request for a set of accompanying editorial suggestions.  If it isn't, I can send the editorial suggestions in a subsequent message.

SUBSTANTIVE ISSUES

1. Introduction - The draft says "it is desirable to bind the signature to the HTTP request".  It would be great to say why this is desirable and what attributes one might want to have bound.  (The "what attributes" discussion could go in the Security Considerations section, as requested below.)

3.  Generating a JSON Object from an HTTP Request - Why is "at" required?  The spec would be far more general if this field was OPTIONAL like the others.  Is there any reason not to do this, while still staying that it's required in the PoP-protected access token use case?

3.  "ts" parameter - State that this value is a NumericDate as defined in RFC 7519.  (That way you'll inherit the POSIX.1 language about leap seconds, etc.)

3.  "Note to WG" - I suspect that this wouldn't get past the IESG without crypto agility.  A parameter probably needs to be introduced to specify the hash algorithm used - with the default being SHA-256 if omitted.

3.1.  Calculating the query parameter list and hash - The draft says that "The client iterates through all query parameters in whatever order it chooses...".  I suspect this would be a lot less error prone if instead, it was specified that the query parameters are to be processed in the order that they will appear in the query string.

3.2.  Bullet 3:  At a minimum, this clause needs to describe what the canonical encoding is if an input value is preceded by or followed by space or tab characters.  Are those stripped before being used in the "name: value" construct?

3.2.  Bullet 3:  Is a newline terminator present for all "name: value" lines or is it only used between lines, with there being none at the end of the value to be encoded?  This should be explicitly stated.

4.2.  HTTP Form Body - The draft defines the name "pop_access_token", which seems like a misnomer, because the PoP access token is actually passed in the "at" parameter as part of this value.  I would suggest renaming this to either "pop_http_message" or "signed_http_message".

4.3.  HTTP Query Parameter - Ditto to my naming comment in 4.2.

6.2.  "typ":"pop" registration - The draft doesn't say when this type can or must be used.  For instance, is this intended to be used in the access token representation the case where the PoP access token is represented as a JWT?  Or is it intended to be used for the signed HTTP message JWT header?  Or both?  And is its use optional or required in which cases?

7.  Security Considerations, Guidance to Applications - The draft provides almost no guidance to application designers about which parameters should be signed and when.  For instance, I'd think that many applications would want to sign URL components (the "u", "p", and "q" parameters).  If so, please provide guidance on when these should be included.  Likewise, if there's a set of headers that one would normally expect to include in the signature, please name them and provide justification for their inclusion.  Finally, if there are headers that one should normally *not* include, please also list those and say why.  Left to their own devices, application designers are almost certain to choose many distinct and sub-optional sets of choices.

7.5.  Validating the integrity of the HTTP message - The third paragraph says that "If a header or query parameter is repeated on either the outgoing request from the client or the incoming request to the protected resource, that query parameter or header name MUST NOT be covered by the hash and signature."  This doesn't seem to be consistent with the creation and validation procedures described earlier in the draft, which essentially said that parameters are processed in the chosen order and appended to the arrays.  It's perfectly meaningful to have multiple instances of some parameters and so it's counterproductive to prohibit them being signed.  Please remove this prohibition (and if you like, replace it with a warning that order must be preserved for the signature to validate - which is true of all parameters - not just parameters that occur multiple times).

                                                          Thanks,
                                                          -- Mike

P.S.  Yes, I realize that some other PoP options are also in the works based on discussions at the OAuth Security Workshop.  But I wanted to get these issues on record for those who are considering using the existing signed-http-request draft.

v2.23.0 | Report a Bug | By Email