IETF Logo Mail Archive

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

George Fletcher <gffletch@aol.com> Tue, 14 April 2020 15:35 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8963A09AF for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 08:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bc_-27yqaS3a for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 08:35:01 -0700 (PDT)
Received: from sonic306-48.consmr.mail.ne1.yahoo.com (sonic306-48.consmr.mail.ne1.yahoo.com [66.163.189.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F9E3A09AB for <oauth@ietf.org>; Tue, 14 Apr 2020 08:35:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1586878500; bh=VsB/AuEOCpxZGaGfC3FQ4ufsPiAg2UHGWriypjsNyPQ=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=lNqApaod/e87nCsOx1hapDAeggATAmozy2ixO00gjchGcJoIc31uS4tPOskaDcMIEqWNMnrJpW6YNUAuSXdqoHlVvE7J6hq03mFq5Y5ZT+rtd8n01qFqo3lPogOFv9AF4hQouVwuWjqXMM4rLbrYX3eKPtdwpYA8XWX/WQhkSTOXtgJnj+cmQwJiKAKQ92BWevU8MAItXo/+77hPBw/SxuaUb2YQq+yHgh2yWfKz2aMk2tc60Oyy+glKJceP8Ev0AqdoRNAJOsj75PlAQN+jSkIh7KDSyffm39QaakTaw8XdvVUZ7Vfe5+eYVTCHR8k8/Qpe/lkcQCx12JGZeSY87Q==
X-YMail-OSG: lsuUq6IVM1mxbyzMXeke05J6YDaxIjAFP5rUxRNNwfXRSC7ki0b0iBKP9rskxe8 pMyhPdCJ.S2SSdhQtyVjjNJm8yPcnMHcR_naq44KHJcV9oSNF6HfJwHDi2s8X5J28zZ71.C38m.j zziEsPgigj6Yq9W1bXJFio8WQejtnmh_C6K1sKE6eaqp.ige2HrEcmsG7vxhiYiIx_kaZQmn.AEi X355b5x1KjzgLaF1bNFz98aj9Kp45N9L07.qC6UT.N65eaA_UwWekcFp3gsTBXCHow8aHvBNOQev aQ8CekV.vowVlBoGXoEbC1IYr_69Mcgp8EJWlsYt5ZJLtVHsXIugdJa00ZCpKCgT_.KJcSjxoBIc UmrnAtVvUrpUcWZolSN.eT23x_p4tbIe05EmoPgZwbF4RCUZAgjWQXhiHMcAAoELw5NEk0Ev01He FUuyKhYZMffe3xa.GEdcgwZb0C7JehyB_cWeXDez2cdfN50Eicj4o5wxyboezT_h4jEMVG65M9Ns kewuHMcYWMV1Eh6GU6PWAFDdB1y8z43yeZ3S91k.xtguSbS7QgvUQkvlcyB54vdkmtAJMYDj3SOi lZiTIkhVuNRlK9rd0JZcFPBXJjaQp5JwFI_pz5bOgQx68hkCHJDrgtqvFhdFf0iUHTvYPKA4X05R jcO3Z0gS1y7raEpB_znaVqm8ml6OmmXPXxGM20zKMas4E.z0yHLqj6oYGsvMSCsIHUcfD6pyMz8N U1Kioe1ci0VOhqLk0I.x0V_GNUdHQrM78buFj8O.AlDMbTruLZTZdBp6MyoZbr0hDTU013.VJONH WwEwCok0NBurPrzgTH4C5HdNMb.rR8hNLN5P6KFJRVBwplGOq8PTHDOhNoQARK5fcnlzaViM2C1J weN1sMPpm3pHYS4SN94tV4..Qu3WqgeeVI3uRbwlclLoDheP.oLFN0wCrcpXqy6DbVpAXLrfLgu6 t_leJ0euAEh42yQtVNUwma7IRojo4Ct_I5mOSm56oi6aZV2uIX1_fHuyhojO4BYXToGg7LO7FJmm SgbbaPoRiHIdE5fI7pdoYe_XUHv_0IfDmjutaOuPOGbT76HJD_IpcZxtulbdwT.XSYIKF_8BblBf RPV4S67lSxIPZbDnplbHuAqXnwYcsLUQGHhFb_Z0p6v6LU1oMeD340VDSjpAOYApJ6wGWnOIV9Sz X_BBWmhTuS.I7H6mcpDifKTLFovywizv6ZwLSXXa38JLkoWlfveBxv_7okRBhIfrAwQlg6DbRQRp O.A5nGpHLeqP21M7rAH0xjPBDGBZs7WBE6BN7XzgvZIUHtOV_EaDVQhWUo0wYj9uXuKYSlEhA_8o funO5A1ur3TRCrbYy4xLPfUk2nkC3nVPDrYB3VrSPa8Fps098jm5dxiGlRKIpsEcJEGD9ZjZp6kj vrfwoVnSY0rS_hNNjbDvcrE60MK_mkbI.ZBNrCdjfX1gBzUW0RpiuY5QiFDs3.tKURjS9E7i0dTJ 4_9LoEVNMw_sIdOoC6NXkdC_FE98-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Tue, 14 Apr 2020 15:35:00 +0000
Received: by smtp422.mail.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID b7d1e069ae2a850e53e7517c9b5406a2; Tue, 14 Apr 2020 15:32:58 +0000 (UTC)
To: Denis <denis.ietf@free.fr>, oauth@ietf.org
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com> <361d7891-01be-8e22-7765-613e727b2bc1@free.fr> <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com> <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com> <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com> <CAO_FVe7hZH+83=OzU3b-c_b1XkCKbbKe+EVQ5vs++HO31orWkg@mail.gmail.com> <CAD9ie-ucnSnE=yW6PM6BFke7aS+Hs6z5DrE3zg0YLiikeK=9Ww@mail.gmail.com> <CAO_FVe7Ki=9+GGGRQUb3+shEiNkn4Dvpa9S6ukCZvkPOOKBHhQ@mail.gmail.com> <60478f63-257c-a05a-1587-505b9190205e@free.fr> <871581ba-ab3e-da6f-90f2-083803defbea@aol.com> <32164a9c-c75c-14a4-d982-c55ee8ab0d1d@free.fr>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <40ff7dfa-ddea-7798-0618-34454b5c7a4c@aol.com>
Date: Tue, 14 Apr 2020 11:32:54 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <32164a9c-c75c-14a4-d982-c55ee8ab0d1d@free.fr>
Content-Type: multipart/alternative; boundary="------------453B4A82809C4733BBC4E04E"
Content-Language: en-US
X-Mailer: WebService/1.1.15651 hermes Apache-HttpAsyncClient/4.1.4 (Java/11.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/36q6VZGn-X4ndSnNw75fMWoGS_o>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 15:35:02 -0000

Hi Denis,

If the same token is used (within a session) for multiple API calls then 
all those API calls can be correlated together even if the token does 
not have a 'sub' claim because the token itself is the correlating 
identifier (same is true for the session identifier).

In regards to the AS issuing a token with a 'sub' claim, after 
re-reading the spec (rfc 7519) I believe the AS could issue the 'sub' 
value as "urn:anonymous:<large random number>" and create a new value 
with every token that is issued. This is similar to how Shibboleth 
supports attribute based access control with SAML assertions. Given it 
appears we disagree in our interpretations of the spec, I'm fine 
agreeing to disagree :)

Thanks,
George

On 4/14/20 11:23 AM, Denis wrote:
> George,
>
> I disagree with you:
>
>    The 'sub' claim must be unique (local to the issuer or globally)
>    with every issued token.
>
> In addition, inter-API correlation prevention does not necessarily 
> require a unique token for every API call,
> since in many cases a session can be opened and one JWT can be used 
> during the whole session (during successive calls).
>
> Denis
>
>>
>>
>> On 4/14/20 10:23 AM, Denis wrote:
>>> Unfortunately, this is not possible since RFC 7519 (4.1.2) states:
>>>
>>>         The subject value MUST either be scoped to be *locally 
>>> unique in the context of the issuer or be globally unique*.
>> Regarding this phrase from RFC 7519, I don't agree that it prevents 
>> the solution Vittorio suggested. While for any token issued the 'sub' 
>> claim must be unique (local to the issuer or globally); that doesn't 
>> mean it can't be different with every issued token. This would 
>> require the client to request a new token before every API invocation 
>> but it would suffice to protect against the suggested privacy 
>> correlation issues.
>>
>> Note that inter-API correlation prevention is VERY difficult and 
>> really requires a unique token for every API call as the token itself 
>> can be a correlation handle (e.g. hash the token and it becomes the 
>> correlation identifier if the token is being reused for multiple API 
>> calls).
>>
>> Thanks,
>> George
>>

v2.23.0 | Report a Bug | By Email