Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
Brian Campbell <bcampbell@pingidentity.com> Mon, 22 July 2019 12:37 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07C8F120043 for <oauth@ietfa.amsl.com>; Mon, 22 Jul 2019 05:37:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oZgJAywriJs for <oauth@ietfa.amsl.com>; Mon, 22 Jul 2019 05:37:43 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DEFE12001A for <oauth@ietf.org>; Mon, 22 Jul 2019 05:37:43 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id j5so69334743ioj.8 for <oauth@ietf.org>; Mon, 22 Jul 2019 05:37:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UTdXiLjJKAEZgPC7I5O30J24mmZrVWdclJZlnsHlPJI=; b=PlupWsneDQ6qUs1YYvYwpRzYvxRv9ZeNoWk455daAXVNQLevC5OOt9SHFaeQdNn85F 7gU6I1ExHudhhtsUet7tQi52//VRFMLO2UUxqpys90PZMqt7oaRvqilodFwh5m9dS36z 950NINUspe9gKm8HrToB7PpuUcVHMJhDNZECM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UTdXiLjJKAEZgPC7I5O30J24mmZrVWdclJZlnsHlPJI=; b=B3m0x2QACEASfp4h36g/A+LoRzlSz9cbANHpKV7NGOiS2dWD5BRgYalvtaJl1Sj+R/ 0Op2SK9MQ1LfBwFeTIkvEHW+WL7YedawbFk8/BIniygJiB2mp7MidzsD0Iye6j+I0NZh Ub31RyV7bgeKLjIKKLSqvH4IXHkH1dFWwIIMio6sa58dqtG3a1dM6d9/6AjbDFzr26sF px6PN1knPdfnaJ1AA2+WKtYlUcDldX/BGLjtZkp+CRSL0c3QukNy6VuoKTMr46TIPX1T qIudKRVyvqljXoK69Y/h+0PgSWYPoiYQSPLx2Oj05t/Tw8Pd/H6d4HUALUcO9KsvU8fq mQTg==
X-Gm-Message-State: APjAAAXnjV1K6L6H9XBf5wNQDV49swFrJ3GNmshWsuqXdoWFcZPvcJ4B ilMBVomh6qq9UMlEH72L0OjiTquxhtea2ghYOf0NK/tJ4UfAdngwF0wlT8xbIMV9qQOMuqpLthL xQsS33ziGD6trEoDvDio=
X-Google-Smtp-Source: APXvYqw1Zm6+vswfN7oK2Z3qwjQWAoRWfEAriOVv02WfpuewGyk45PFBbKamO+alR6PtqGxsjNLOWRONt8E/TNH51b8=
X-Received: by 2002:a5d:87c6:: with SMTP id q6mr43146767ios.115.1563799062721; Mon, 22 Jul 2019 05:37:42 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand> <CA+k3eCRS2HKDUWkHQzwoMVauUK7UBadw_pWdF6cXh0+BSZTbBA@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01B33D784A@marchand> <359EC4B99E040048A7131E0F4E113AFC01B33DEA6C@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33DEA6C@marchand>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 22 Jul 2019 06:37:16 -0600
Message-ID: <CA+k3eCRRhn2FBg4cTQAA6bY8rXvehKnAiZ-bJKY8tZb2J_o0bA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a25388058e445795"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3XXqIoSKMU4cjBnVaa8u54qd7EM>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 12:37:46 -0000
Yes, sorry about that. I realized this yesterday and as tried to write
quickly from from my phone just before my flight took off for Montreal
<https://mailarchive.ietf.org/arch/msg/oauth/2ss3hDa0xPQxaWiW6txj9W-vpqo>,
I'd gotten distracted with the question of what to do with the
registrations and lost track of this fork of the thread. There are indeed
a couple of outstanding bits that need to be addressed in a -04.
I'll change adapt to downscope.
Regarding your unanswered questions from below - partially quoted here for
reference:
'If the initial request was notionally a scope of “all the houses on the
block”, but the server knew that this request was too broad and down-scoped
to “only the corner house”, wouldn’t this actually be worse for privacy?'
-> the idea there is privacy in terms of limiting what one service
potentially leans about other services the user is using. In the houses on
the block case you mentioned, the downscoping prevents the corner house
from learning that the user also accesses the other houses on the block.
'I also don’t follow how reducing the scope impacts confidential data.' ->
to be honest, this particular text came as a suggestion from another WG
member on review of an earlier version of the document. So I struggle a bit
to defend/explain it but I think the idea is that in some cases a scope
value itself might contain sensitive data like an account number or
transaction identifier (e.g. something like "acct:123456789" or
"tx:987654321"). This is somewhat uncommon in practice today but does
happen in some situations. The same principal of limiting the scopes
revealed across different services applies here too but with arguably worse
consequences due to the sensitive data within the scope value. It's the
same concept though and I think the mention of confidential data and scope
here in the document is more likely cause confusion than it is to help
anything. As such, I'm proposing to change that sentence as follows to
remove the confidential bit and somewhat better describe the cross-service
scope revealing issue.
"This further improves privacy as scope values give an indication of
what services the resource
owner uses and downscoping a token to only that which is needed for a
particular service can
limit the extent to which such information is revealed across
different services."
On Sun, Jul 21, 2019 at 4:53 PM Roman Danyliw <rdd@cert.org> wrote:
> Hi Brian!
>
>
>
> Thanks for the update in -03. The item below is the only thing that
> remains outstanding.
>
>
>
> Thanks,
>
> Roman
>
>
>
>
>
> *From:* Roman Danyliw
> *Sent:* Wednesday, July 17, 2019 6:05 PM
> *To:* Brian Campbell <bcampbell@pingidentity.com>
> *Cc:* oauth@ietf.org
> *Subject:* RE: [OAUTH-WG] AD Review:
> draft-ietf-oauth-resource-indicators-02
>
>
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com
> <bcampbell@pingidentity.com>]
> *Sent:* Wednesday, July 17, 2019 4:35 PM
> *To:* Roman Danyliw <rdd@cert.org>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] AD Review:
> draft-ietf-oauth-resource-indicators-02
>
>
>
> [snip]
>
>
>
> (2) Section 2.2. in the sentence "To the extent possible, when issuing
> access tokens, the authorization server should adapt the scope value
> associated with an access token to the value the respective resource is
> able to process and needs to know":
>
> -- is this language suggesting that the authorization server is modifying
> the scope value based on the resource it sees? I'm trying to understand
> what "adapt" means, especially in relation to the improved security and
> privacy the subsequent sentence suggests.
>
>
>
> Perhaps "adapt" wasn't the best choice of word but it's meant to say that
> an authorization server with sufficient understanding of what scopes are
> applicable to what resources (which won't always be the case or even
> possible but sometimes) could limit the scope associated with an access
> token (downscoping really) to only the scope that is applicable to the
> resource.
>
>
>
> Some of the examples (figures 2 - 6) attempt to show, among other things,
> a hypothetical case of how this might go down.
>
>
>
> In Figure 2 the initial authorization request that's approved has scope of
> calendar & contacts and resources https://contacts.example.com/ &
> https://cal.example.com/
>
>
>
> A subsequent access token request (Figure 3) has resource
> https://cal.example.com/ and the issued access token scope (Figure 4) is
> "adapted" to that resource to be only calendar
>
>
>
> Another subsequent access token request (Figure 5) has resource
> https://contacts.example.com/ and the issued access token scope (Figure
> 6) is downscoped based on that resource to be only contacts
>
>
>
> Would it be easier to understand if the word "downscope" was used rather
> than "adapt"?
>
>
>
> [Roman] Using “downscope” does work for me. It captures that the server
> is going to reduce the scope (and certainly not expand it).
>
>
>
>
> -- (Depending on the above) Is there a security consideration here for the
> server relative to confidential scope values and how they might be modified?
>
>
>
> I'm not sure, to be honest. Downscopping when possible and to the extent
> possible is usually a good idea (least privilege and all that) but I think
> maybe I'm missing your point/question.
>
>
>
> [Roman] Yes, least privilege was part of it and I think the text above
> gets at it. However, the other part is the relationship with the next
> sentence in the paragraph, “This further improves privacy as scope values
> give an indication of what services the resource owner uses and it improves
> security as scope values may contain confidential data”. If the initial
> request was notionally a scope of “all the houses on the block”, but the
> server knew that this request was too broad and down-scoped to “only the
> corner house”, wouldn’t this actually be worse for privacy? I also don’t
> follow how reducing the scope impacts confidential data.
>
>
>
>
>
--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._
- [OAUTH-WG] AD Review: draft-ietf-oauth-resource-i… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw