Re: [OAUTH-WG] Review comments to PoP Architecture
"Kepeng Li" <kepeng.lkp@alibaba-inc.com> Tue, 22 September 2015 03:52 UTC
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C311A887C for <oauth@ietfa.amsl.com>; Mon, 21 Sep 2015 20:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.406
X-Spam-Level:
X-Spam-Status: No, score=-0.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2joKcvjvPems for <oauth@ietfa.amsl.com>; Mon, 21 Sep 2015 20:51:58 -0700 (PDT)
Received: from out4133-98.mail.aliyun.com (out4133-98.mail.aliyun.com [42.120.133.98]) by ietfa.amsl.com (Postfix) with ESMTP id 0172D1A8869 for <oauth@ietf.org>; Mon, 21 Sep 2015 20:51:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1442893916; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=I2/i7mmcBxm7PUt3IS7tRhshW6FaqJf1J7YZUwb+BSY=; b=O272m8evLW4241HkbOsX0Ll7E7trrDBYU3Uv8iD7jSEpKNGhf+hzaIOpcGyAaoHkreGzVuc2LHhNl2saj7Jh1eUlTGOdExsaHF/j9CTrp8NZ9Rikk01CZs7FvIxvwFor58WfTlTpNIbFfHnMlkH57HutD8B5yLT05GKbEqVWQsI=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R281e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03310; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=2; SR=0;
Received: from 10.62.52.242(mailfrom:kepeng.lkp@alibaba-inc.com ip:182.92.253.23) by smtp.aliyun-inc.com(127.0.0.1); Tue, 22 Sep 2015 11:51:51 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Tue, 22 Sep 2015 07:55:54 +0800
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
To: Phil Hunt <phil.hunt@oracle.com>
Message-ID: <D226B918.1D2E1%kepeng.lkp@alibaba-inc.com>
Thread-Topic: [OAUTH-WG] Review comments to PoP Architecture
References: <D223A7DD.1D140%kepeng.lkp@alibaba-inc.com> <683071E1-4663-4C97-A4A8-E4982F6B2301@oracle.com>
In-Reply-To: <683071E1-4663-4C97-A4A8-E4982F6B2301@oracle.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3525767511_41261650"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2WYLFhql01WBCh9h-BX2nDrIVMc>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Review comments to PoP Architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2015 03:52:05 -0000
Phil, thanks for the response. A typo, about comment 3, „than" should be „then“. Others are fine with me. PROPOSED TEXT: In a scenario where a resource server receives a valid access token, the resource server than then re-uses it with other resource server. Kind Regards Kepeng 发件人: Phil Hunt <phil.hunt@oracle.com> 日期: Tuesday, 22 September, 2015 1:41 am 至: Li Kepeng <kepeng.lkp@alibaba-inc.com> 抄送: <oauth@ietf.org> 主题: Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng, Kepeng, thanks for the review! My responses (to both emails) to are contained in this message prefixed with [ph] below. Pending further comments from the WG over the next day or so, I will post a revision early Wednesday (pacific time). I would like to draw the WG’s attention to my recommendation for Section 7, comment 2. I’m not sure if I have the definition correct yet. It still seems awkward to me. Thanks, Phil @independentid www.independentid.com <http://www.independentid.com> phil.hunt@oracle.com > On Sep 19, 2015, at 9:02 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com> wrote: > > Additional comments: > > 6. Section 4: > 1) An attacker may generate a bogus tokens … > [Kepeng] Change “tokens” to “token”. [ph] Agreed. > > 2) A client may also re-use access tokens for some other resource servers. > [Kepeng] Change “re-use” to “reuse”. The pragraph title says “reuse”. Also in > other places. [ph] Agreed > > 3) To illustrate key confirmation the first examples borrow from Kerberos and > use symmetric key cryptography. > [Kepeng] Change “the first examples borrow” to “the first example is > borrowed”. [PH] Agreed. > > 7. Section 5.4 > 1) As a high level message, there are various ways how the threats can be > mitigated and while the details of each solution is somewhat different they > all ultimately accomplish the goal. > [Kepeng] Change the last sentence to: the details of each solution are > somewhat different even they all can ultimately accomplish the goal. [ph] PROPOSED TEXT: As a high level message, there are various ways the threats can be mitigated. While the details of each solution are somewhat different, they all accomplish the goal of mitigating the threats. > > 2) Depending on the chosen layer for providing client-side authentication > there may be additional challenges due Web server load balancing, lack of API > access to identity information, etc. > [Kepeng] Change “due” to “due to”. [ph] Sec 5.4 Sender Constraints. Agreed. > > 8. Section 6: > [Kepeng] It will be better if we can divide this section into several > sub-sections, e.g. each sub-section can be related to each figure. broke into the following sub-sections: * Client and Authorization Server Interaction ** Symmetric Keys ** Asymmetric Keys * Client and Resource Server Interaction * Resource and Authorization Server Interaction (Token Introspection) > > 9. Section 7: > 1) [Kepeng] Usually the order for a specification is: use cases, requirements, > then architecture. Why do we have requirements after architecture? Should we > move this section ahead? [ph] Agreed. Will move ahead of “Threat Mitigation” and after “Security and Privacy Threats” section. > > 2) The authorization checking prevents an elevation of privilege attack, and > it ensures that an unauthorized authorized is detected. > [Kepeng] What is “an unauthorized authorized”? Should it be “an unauthorized > access”? [ph] I’m not sure I captured the WG’s intent here. Can someone suggest a better explanation for Authorization? ORIGINAL: Client and resource server authorization MUST be performed. These entities MUST demonstrate possession of the appropriate keying material, without disclosing it. Authorization is REQUIRED whenever a client interacts with an authorization server. The authorization checking prevents an elevation of privilege attack, and it ensures that an unauthorized authorized is detected. PROPOSED: Client and resource server authorization MUST be performed. These entities MUST demonstrate possession of the appropriate keying material, without disclosing it. Authorization is REQUIRED whenever a client interacts with an authorization server. Authorization checking prevents an elevation of privilege attack. > > Kind Regards > Kepeng > > ·¢¼þÈË: Li Kepeng <kepeng.lkp@alibaba-inc.com> > ÈÕÆÚ: Saturday, 19 September, 2015 12:55 am > ÖÁ: <oauth@ietf.org> > Ö÷Ìâ: [OAUTH-WG] Review comments to PoP Architecture > > Hello authors, > > > > Please find my review comments to PoP Architecture document: > > https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-02 > > > > 1. Introduction: > > At the time of writing the OAuth 2.0 protocol family ([RFC6749], [RFC6750], > and [RFC6819]) offer a single standardized security mechanism to access > protected resources, namely the bearer token. > [Kepeng] This sentences seem to be incomplete. What offers a security > mechanism? Also why do we mention “at the time of writing”? Is the situation > changed now? [PH] Agreed. PROPOSED TEXT: The OAuth 2.0 protocol family ([RFC6749], [RFC6750], and [RFC6819 ]) offer a single token type known as the “bearer” token to access protected resources. > > 2. Section 3: > The main use case that motivates better-than-bearer token security is the > desire of resource servers to obtain additional assurance that the client is > indeed authorized to present an access token. > [Kepeng] About “better-than-bear”, is it a word? Maybe reword the sentence a > little bit. [PH] PROPOSED TEXT: The main use case that motivates improvement upon “bearer” tokens is… > > 3.Section 3.1 > 1) In a legitimate use case consider chaining of computations whereby a > resource server needs to consult other third party resource servers to > complete the requested operation. > [Kepeng] This sentence seems to be incomplete. Maybe reword it a little bit? [PH] ORIGINAL: Imagine a scenario where a resource server that receives a valid access token re-uses it with other resource server. The reason for re-use may be malicious or may well be legitimate. In a legitimate use case consider chaining of computations whereby a resource server needs to consult other third party resource servers to complete the requested operation. PROPOSED TEXT: In a scenario where a resource server receives a valid access token, the resource server than re-uses it with other resource server. The reason for re-use may be malicious or may well be legitimate. In a legitimate case, the intent is to support chaining of computations whereby a resource server needs to consult other third party resource servers to complete a requested operation. > > 2) In this use case additional information is conveyed to the resource server > to ensure that no entity entity has tampered with the TLS connection. > [Kepeng] Change “is conveyed” to “should be conveyed”? [ph] Agreed (last para of Sec 3.2) > > 4. Section 3.3: > First, an eavesdropper may steal an access token and represent it at a > different resource server. > [Kepeng] Change “represent it at” to “present it to”? [ph] Agreed. > > 5. Section 3.4: > These load balancers may terminate the TLS connection setup and HTTP traffic > is transmitted in the clear from the load balancer to the resource server. > [Kepeng] Don’t understand “in the clear”. Should it be “in the wire”? [ph] ORIGINAL: These load balancers may terminate the TLS connection setup and HTTP traffic is transmitted in the clear from the load balancer to the resource server. PROPOSED TEXT: These load balancers may terminate the TLS connection setup and HTTP traffic is transmitted without TLS protection from the load balancer to the resource server. > > Kind Regards > Kepeng > _______________________________________________ OAuth mailing list > OAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt
- Re: [OAUTH-WG] Review comments to PoP Architecture Kepeng Li
- Re: [OAUTH-WG] Review comments to PoP Architecture Phil Hunt