Re: [OAUTH-WG] AD review of draft-ietf-oauth-threatmodel-05
Phil Hunt <phil.hunt@oracle.com> Thu, 28 June 2012 03:22 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7668221F871E for <oauth@ietfa.amsl.com>; Wed, 27 Jun 2012 20:22:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.003
X-Spam-Level:
X-Spam-Status: No, score=-8.003 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_43=0.6, J_CHICKENPOX_52=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oj-6pfaXBUNU for <oauth@ietfa.amsl.com>; Wed, 27 Jun 2012 20:22:23 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id B717621F871D for <oauth@ietf.org>; Wed, 27 Jun 2012 20:22:22 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q5S3M5eu017669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 28 Jun 2012 03:22:05 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q5S3M24E005402 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Jun 2012 03:22:03 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q5S3M0ik023698; Wed, 27 Jun 2012 22:22:01 -0500
Received: from [25.36.28.229] (/74.198.164.229) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 27 Jun 2012 20:21:59 -0700
References: <4FC3C53E.8020704@cs.tcd.ie> <4FEB4B0C.2030700@lodderstedt.net> <4FEBA286.6020003@cs.tcd.ie>
In-Reply-To: <4FEBA286.6020003@cs.tcd.ie>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <FF22A4BE-653B-45C8-BD1F-43C5DD3A0B03@oracle.com>
X-Mailer: iPhone Mail (9B206)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 27 Jun 2012 20:21:54 -0700
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>, Barry Leiba <barryleiba@computer.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-threatmodel-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2012 03:22:25 -0000
Stephen One more threat has come up in the core spec that is being looked at. As Torsten is heading out on vacation I have agreed to augment if needed with any supplementary text to the threat model. Will keep you informed. Phil On 2012-06-27, at 17:17, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > Great. I've asked for IETF LC to start. I'll go through > the changes below during that in case there's some more > follow up. > > Thanks, > S. > > On 06/27/2012 07:03 PM, Torsten Lodderstedt wrote: >> Hi Stephen, >> >> I just submitted a new revision of the security document incorporating >> your review comments. >> >> Please find answers to your comments below. >> >> Thank you again for your detailed review. You helped us to significantly >> improve the document's quality. >> >> best regards, >> Torsten. >> >> Am 28.05.2012 20:34, schrieb Stephen Farrell: >>> Hi all, >>> >>> I've gotten the publication request for oauth-threatmodel >>> so here's my AD review of -05. >>> >>> Its quite a read (and a good one) but I've a bunch of >>> questions. Some of these will need fixing I suspect >>> but a lot are ok to fix later after IETF LC, depending >>> on whether the authors want to re-spin it before then >>> or not. But I'd like to at least see reactions to the >>> questions before I start IETF LC. >>> >>> Although there are many many nits and typos, those >>> don't actually make the document unreadable so >>> though I'd prefer to see 'em fixed now, I'm ok with >>> that happening later if its a problem to get it >>> all done now. >>> >>> If you want to argue for going ahead with IETF LC >>> now please do so, but I suspect that this might need >>> a revised ID to fix at least a couple of the points >>> raised below. If nobody does argue to go ahead now, >>> I'll mark it as revised ID needed, but first let's >>> see what the answers are to the questions. >>> >>> Cheers, >>> S. >>> >>> >>> (1) s/RFC1750/RFC4086/ is needed as noted in the write-up. >> done >>> (2) You don't say anything about the probability of >>> occurrence of the various threats. I realise that you >>> can't be precise but it seems wrong to say nothing. Would >>> it be worth at least saying that that's not done here and >>> that readers of this document need to do their own risk >>> analysis including that aspect? >> >> That's correct - I added the following paragraph to the introduction: >> >> "Note: This document cannot assess the probability nor the risk >> associated with a particular threat because those aspects strongly >> depend on the particular application and deployment OAuth is used to >> protect. Similar, impacts are given on a rather abstract level. But the >> information given here may serve as a foundation for deployment-specific >> threat models. Implementors may refine and detail the abstract threat >> model in order to account for the specific properties of their >> deployment and to come up with a risk analysis." >> >>> (3) Many deployments will use TLS accelerators. That >>> means that TLS isn't fully e2e, and that opens up some >>> (mainly) insider attacks or attacks that can be launched >>> from within a compromised DMZ, but from outside the server >>> applications. Does that need a mention somewhere? (I've >>> seen systems like that deployed and a lot could go wrong >>> from the inside, so I think this is a real threat.) >> >> I added another paragraph to section 5.1.1: >> >> "Note: this document assumes end-to-end TLS protected connections >> between the respective protocol entities. Deployments deviating from >> this assumption by offloading TLS in between (e.g. on the data center >> edge) must refine this threat model in order to account for the >> additional (mainly insider) threat this may cause." >> >>> (4) Could you use just one of "client identity" or "client >>> identifier" consistently? I'd much prefer the latter, >>> which has also been the outcome of various discussions on >>> this topic elsewhere. For example you say "revocation of >>> such an identity" at the end of p13, and that's a >>> potential rathole, better to say "revocation of the rights >>> associated with a client identifier" or similar I think. >>> And similar changes throughout. >> >> Replaced client identity by client identifier in most places and >> incorporated your proposed text >> >>> (5) 4.4.2.2: Here you recommend native applications should >>> use an embedded browser, but earlier you said that was a >>> bad idea. I think you need to be consistent or else >>> provide more about when its ok to embed and when its not. >>> Did I misread it or does that need a change? >> >> removed 3rd bullet as native apps should use code flow >> >> We also removed the 1st bullet in 4.4.1.9 >> >>> (6) 4.4.3.1: This calls for "obfuscation" of passwords in >>> logs. I think you ought be stronger there and call for >>> strong encryption of passwords wherever they are stored, >>> be that logs or DBs or whatever. Would'nt that be reasonable? >> >> This section is about preventing accidential exposure by the client. I >> think encryption is not appropriate here since the password is entered >> in the clear by the user. I added the advice to encrypt credentials as >> alternative means to salted hashes to 5.1.4.1.3. >> >>> (7) 4.6.4: 1st countermeasure: I don't think you mean >>> address here (in the sense of an IP address, which is what >>> that means) but rather the domain name or FQDN or URL. In >>> any case, you need to say what is meant clearly. (Also in >>> 5.1.5.6 and elsewhere when you use the term "address".) >> >> replaced address in most cases by URL and in some place by FDQN >> >>> (8) 4.6.6: You say to use Cache-Control, but don't say >>> how. Is more needed really? Maybe there's a good document >>> you could reference for that? (I'm not suggesting you add >>> a lecture on caching btw:-) >> >> Added text from core spec describing usage of Cache-Control and Pragma >> response header fields >> >>> (9) 5.1.1: needs a reference to RFC 5246 (and better to >>> just say TLS and not say SSL, at least for me :-) >> >> done >>> (10) 5.1.1: needs a reference to whatever you mean by >>> "VPN" since there are many types of VPN. I assume you mean >>> an IPsec VPN? But even if not, saying more would be good. >> >> Extended description and added reference to RFC 4301. >>> (11) 5.1.2: needs a reference to RFC 5280 and/or RFC 6125 >>> and/or RFC 2818. Bascially, you need to say how this is >>> done (by reference). >> >> Added reference to RFC 2818 since it seems to be closest to the problem >> >>> (12) 5.1.4.1: Isn't there some good reference you can give >>> here? (Having said that, I'd have to go look myself, but >>> I'd maybe start with owasp or sans.) >> >> added reference to OWASP >> >>> (13) 5.1.4.2.2: if p(collision) should be <=2^(-160) then >>> what's the point of saying it ought be <= 2^(-128)? Also >>> if sha-1 were perfect, then the 160 bits output would >>> really have a collision probability of about 2^(-80) with >>> many many tokens, but not 2^(-160). I think you need >>> to fix something there. Perhaps you're really saying that >>> all high-entropy secrets should be >=128 bits long and >>> constructed with a good (P)RNG? If so, saying so more >>> clearly would be better. Not everyone will get the >>> collision probability way of saying that even when its >>> properly stated. (This text is also repeated, be better if >>> you just said this once I think.) >> >> modified text as follows >> >> "When creating secrets not intended for usage by human users (e.g. >> client secrets or token handles), the authorization server should >> include a reasonable level of entropy in order to mitigate the risk of >> guessing attacks. The token value should be >=128 bits long and >> constructed from a cryptographically strong random or pseudo-random >> number sequence (see [RFC4086] for best current practice) generated by >> the Authorization Server." >> >> removed 5.1.5.11. (redundant text) and updated references accordingly >> >>> (14) 5.1.5.2: what is a "reasonable duration" - I don't >>> think its ok to say that but nothing else. Can't you give >>> some "reasonable" examples based on current usage? >> >> added examples and explanation of factors determining reasonable >> expiration time >> >> "Tokens should generally expire after a reasonable duration. This >> complements and strengthens other security measures (such as signatures) >> and reduces the impact of all kinds of token leaks. Depending on the >> risk associated with a token leakage, tokens may expire after a few >> minutes (e.g. for payment transactions) or stay valid for hours (e.g. >> read access to contacts). >> >> The expiration time is determined by a couple of factors, including: >> >> - risk associated to a token leakage >> - duration of the underlying access grant, >> - duration until the modification of an access grant should take effect, >> and >> - time required for an attacker to guess or produce valid token." >> >>> (15) 5.1.5.5: needs a reference to SAML assertions with >>> the current text. >> >> done - also added reference to RFC4120 in section 3.1 >>> (16) 5.2.2.3: this describes a refresh token rotation >>> scheme that I don't recall being discussed on the list, so >>> this is just to check that that rotation scheme, as >>> described, doesn't ring any alarms bells for the WG. If >>> not, that's fine. And if it was discussed on the list and >>> I've forgotten, then sorry about that:-) >> >> It has been discussed, the first time with the introduction of the >> option to return a new referesh token value in response to a refresh >> token grant request. A more recent discussion can be found here: >> http://www.ietf.org/mail-archive/web/oauth/current/msg06974.html >> >>> (17) 5.2.2.5: Using IMEI's like this has privacy >>> implications that I think you ought call out. A single >>> sentence and a reference to something that says "be >>> careful about privacy here" would be fine I'd say. (And >>> you need a reference for "IMEI" and to expand the term.) >> >> added note and reference to respective 3gpp spec >> >>> (18) 5.2.2.6: needs a reference for X-FRAME-OPTION. >>> There's a websec draft about that I think. >> >> added reference to >> http://tools.ietf.org/html/draft-gondrom-x-frame-options/ >>> (19) 5.2.3.4: what do you mean when you say "for different >>> deployments of a client"? That could be one secret per >>> install or one secret for all customers of a mobile >>> operator and those are radically different. I think you >>> need to be clear and hope you mean the former. That's >>> almost cleared up in the 3rd paragraph of the section but >>> I wanted to just check. Not sure "deployment" is the best >>> term there really - what's wrong with "installation"? >> >> nothing is wrong with "installation" :-) >> >> replaced deployment by installation and partially re-phrased section >> >>> (many:-) nits and typos: >>> >>> 2.3.1: maybe explain "handle-based design" or give a >>> reference? (Or maybe just a forward ref to 3.1?) >> >> added ref to 3.1 >>> 2.3.3: It might be worth re-iterating that the term >>> "client" in oauth is used differently, e.g. by copying a >>> bit of text from the base spec. I can see folks being >>> confused by this otherwise. >> >> copied a sentence from base spec and extended description >> >>> 3.1: "is digitally signed" - do you mean it has data >>> integrity and origin authentication? If MACs are commonly >>> used (or maybe authenticated encryption), and not >>> necessarily signatures, then saying that would be better. >> >> we mean data integrity and origin authentication - added some text to >> explain this >> >>> 3.1.2: typo: s/this mechanisms/this mechanism/ >>> >>> 3.1.2: maybe s/Expires_In/expires_in/ to match the case in >>> the base spec? I think it'd be better not to capitalise >>> this in case it finds its way into someone's code. You >>> could also use "Expires In" in the title and then say that >>> its "expires_in" in the protocol. Might be worth doing >>> something generic to call out when you're talking about >>> specific things from the protocol, e.g. use a convention >>> like ``expires_in'' or "expires_in" consistently and say >>> that in the intro. >> >> Renamed section to "Limited access token limetime" and changed wording >> to explicitely distinct between concept and protocol parameter. >> >>> 3.4: typo: s/the later/the latter/ >>> >>> 3.4: bullet item 1 isn't really a reason for anything but >>> a downside of doing this, at least as written. Maybe this >>> needs to be tweaked? >> >> tweaked it >>> 3.6: expand CSRF on 1st use and maybe give a reference >>> CSRF is expanded in 4.4.1.8 which is a good bit later, >>> and also in 4.4.2.5 which could presumably be >>> shortened a bit by removing the repetition. >> >> expanded CSRF a bit, added forward reference to 4.4.1.8 and shortened >> 4.4.2.5 >> >>> 3.7: typo: s/collage associated request/collate associated >>> requests/ >>> >>> 3.7: Maybe give a pointer to the definition of "native >>> application" in the base spec (Its section 9 of that.) >>> 2nd last para of p13 would be a good place for that. >> >> added pointer >> >>> section 4: maybe s/Security Threat Model/Threat Model/ >>> in the section title - what other kind of threat >>> model is there? >> >> changed to Threat Model >> >>> section 4: I wondered how we know the threat model >>> is "comprehensive"? Perhaps "detailed" is better? >> >> We are rather confident because we created the threat model a systematic >> way and had it reviewed by a lot of security folks >> >>> 4.2.1: typo: s/Users/users/g unless you mean something >>> special? >>> >>> 4.2.2: typo: s/a understandable/an understandable/ >>> >>> 4.2.2: "...based on who the client is." is unclear >>> and not gramatically nice:-) "...based on the client >>> identifier." would seem better. >>> >>> 4.3.1: typo? s/on transit/in transit/ Or did you >>> mean something else? and s/may attempts/may attempt/ >>> >>> 4.3.3: maybe s/Revelation/Disclosure/ to be a tad >>> less biblical:-) >> >> changed to "Revelation of client credentials during transmission" >> >>> 4.3.3: typo? 1st countermeasure reads oddly and >>> refers to a different place than other references >>> to TLS - is that correct? >> >> changed to standard wording >> >>> 4.3.3: digest auth is nearly the same as sending >>> credentials over the wire, TLS client auth based >>> on certificates would be a better example, even >>> if its not often done. >> >> Isn't TLS client authentication always combined with TLS protected >> communication? So this would merly be an additional and not alternative >> mechanism. >> >>> 4.3.4: 4.3.2 points to 5.1.4.1.2 but this doesn't. >>> Maybe it ought to? >> >> Sorry, don't understand this comment. Are you saying 5.1.4.1.2 should >> point back to 4.3.2? >> >>> 4.3.6: typo s/an authorization servers/an authorization >>> server/ >>> >>> 4.3.6: 4.3.5 refers to 5.1.4.2.2 wrt entropy. Is there >>> a reason to not do that here too? >> >> this section discussed a potential threat on dynamic client >> registration. Wen decided to remove the whole section as dynamic client >> registration is subject of current charter and respective security >> considerations should delt with in this context. >> >>> 4.4: typo? s/tokens endpoint/token endpoint/ ? >>> >>> 4.4.1.1: typo: s/by different ways/in different ways/ >>> >>> 4.4.1.1: typo-fix-typo? HTTP has a "Referer" header field, >>> but you fixed their typo here - might be better to live >>> with the bad spelling, in which case >>> s/referrer/referer/g;-) >> >> ok :-) >> >>> 4.4.1.1: Is there no better way to reference these >>> OASIS docs? More importantly, is there no better (more >>> stable) reference than thomasgross.net for the >>> PDF you reference? Tidying this up would be good. >> >> added references to OASIS documents and stable reference to 3rd document >> in proceedings of Computer Security Applications Conference >> >>> 4.4.1.1 and elsewhere: a few times you say "such as >>> TLS or SSL," I think it'd be better to just say TLS >>> there and do it consistently everwhere. In other >>> places (e.g. 4.4.1.5) you say "HTTPS" - again that'd >>> be better done consistently. >> >> removed SSL - would you expect us to replace HTTPS by TLS? We used HTTPS >> for the more specific case of HTTP+TLS >> >>> 4.4.1.1: typo: s/redeem a authorization code/redeem >>> an authorizatio code/ >>> >>> 4.4.1.4: "counterfeit a valid client" reads oddly, >>> do you mean "pretend to be a valid client"? If so, >>> I think that'd be clearer. >>> >>> 4.4.1.4: "and to prevent unauthorized access to >>> them" - I think you might add "via the oauth >>> protocol" there since the AS isn't responsible for >>> all possible ways of preventing unauthorized access. >>> >>> 4.4.1.4: typo: s/not neccesserily indicates/doesn't >>> necessarily indicate/ >>> >>> 4.4.1.4: typo: s/user should be explained the purpose/ >>> something better/ :-) >> >> tried my best: >> >> "In this context, the authorization server should explain to the >> end-user the purpose, scope, and duration of the authorization the >> client asked for. " >> >> >>> 4.4.1.4: expand/define CAPTCHA on 1st use. Give a >>> reference for this too. Especially since you also >>> have 5.1.4.2.5, which is maybe the best place for >>> the reference. >> >> Changed counter measure paragraph from: >> "If the authorization server automatically authenticates the end- >> user, it may nevertheless require some user input in order to >> prevent screen scraping. Examples are CAPTCHAs or user-specific >> secrets like PIN codes." >> to: >> "If the authorization server automatically authenticates the end-user, >> it may nevertheless require some user input in order to prevent screen >> scraping. Examples are CAPTCHAs (Completely Automated Public Turing test >> to tell Computers and Humans Apart) or other multi-factor authentication >> techniques such as random questions, token code generators, etc." >> >> >>> 4.4.1.4: isn't a PIN code another user authentiation? >>> Seems like a bad example of automatic authentication, >>> since it isn't automatic if the user has to enter a >>> PIN. >> >> see above >>> 4.4.1.6: Is Facebook a trademark? Maybe better to not >>> use that if so? >> >> Changed Facebook reference section to: >> (e.g. as in the implementation of "Login" button to a third-party social >> network site) >> >> >>> 4.4.1.7: typo: s/achieve that goal/achieves that goal/ >>> >>> 4.4.1.7: typo: s/victims resources/victim's resources/ >>> >>> 4.4.1.7: typo: s/The attackers gains/The attacker gains/ >>> >>> 4.4.1.7: typo: s/then the target web site/rather than >>> the target web site/ >>> >>> 4.4.1.7: "session fixation" could do with a reference >>> or definition, and that might be better earlier in >>> this section and not just in the countermeasures >>> part. >> >> changed >> >> "The authorization server may also enforce the usage and validation of >> pre-registered redirect URIs (see Section 5.2.3.5). This will allow for >> an early recognition of session fixation attempts." >> to: >> "The authorization server may also enforce the usage and validation of >> pre-registered redirect URIs (see Section 5.2.3.5). This will allow for >> an early recognition of authorization code disclosure to counterfeit >> clients." >> >> >>> 4.4.1.7: typo: s/kind of attacks/kind of attack/ >>> >>> 4.4.1.8: typo: s/not follow untrusted/to not follow >>> untrusted/ >>> >>> 4.4.1.9: maybe add a reference for "iframe"? And >>> you say "iFrames" later, better to be consistent. >>> >>> 4.4.1.9: 1st countermeasure - do you mean end-user >>> authorization here or end-user authentication? And >>> would it be better to say "system browser" or >>> something rather than "external browser"? (I forget >>> what phrase you used for that earlier but there >>> was something bettter:-) >> >> We mean "authorization" >> >> We came to the conclusion that it does not matter in which browser the >> page is loaded - removed 1st bullet >> >>> 4.4.1.9: "javascript framebusting" really needs >>> a reference >> added >>> 4.4.1.10: typo: s/the victims resources/the victim's >>> resources/ >>> >>> 4.4.1.10: typo: s/or split the/or splits the/ >>> >>> 4.4.1.10: "corresponding form post requests" isn't >>> clear to me - does that need rephrasing or is it >>> just me? >>> >>> 4.4.1.10: this is the first mention of cookies, which >>> I found surprising, but that's all;-) >>> >>> 4.4.1.10: the 2nd "ways to achieve this" bullet is >>> a bit unclear - which "It" and whose browser? I >>> think this could be clearer. >>> >>> 4.4.1.10: typo: s/as native app/as a native application/ >>> >>> 4.4.1.10: what does "assume" the threat mean? >>> >>> 4.4.1.10: typo: s/an user interaction/a user interaction/ >>> >>> 4.4.1.10: typo: s/CAPTCAs, or/CAPTCHAs/ or else get >>> rid of the "or" from the last bullet >>> >>> 4.4.1.10: typo: s/send out of bound/sent out of band/ >>> >>> 4.4.1.10: typo: s/instance message/instant message/ >> >> considerably re-worded this section >> >>> 4.4.1.11: typo? s/directing user(s) browser/directing >>> the user's browser/ ? >>> >>> 4.4.1.11: I don't get the explanation here. Are you >>> assuming (but not saying) that generating non-trivial >>> entropy is a slow process? (e.g. /dev/random blocking?) >>> Its also not clear what "pool" you mean? This probably >>> needs a bit of tweaking. >>> >>> 4.4.1.12: semicomplete.com may not be a sufficiently >>> stable reference - can't you find a better one? >> >> unfortunately not >>> 4.4.1.12: typo: s/Defenses such rate limiting/Defenses >>> such as rate limiting/ >>> >>> 4.4.1.12: typo: s/an anonymizing systems/an anonymizing >>> system/ >>> >>> 4.4.1.12: nicest typo yet! s/annoying system/anonymizing >>> system/ :-) >>> >>> 4.4.1.12: typo? maybe s/iframe/iFrame/ again? >>> >>> 4.4.1.12: 1st reference to "the CSRF token" here? That >>> might warrant a reference of some sort? (Maybe to >>> a later section?) >>> >>> 4.4.1.12: Facebook again. >>> >>> 4.4.1.12: Signing the code seems like a bit of a hack. Do >>> you really want to recommend this here? I suspect it'd end >>> up different if you actually tried it out aiming for an >>> interoperable solution. I'd suggest deleting this, or >>> maybe make it less specific, e.g. saying if origin >>> authentication for authorization codes could be validated >>> by clients, then that'd be a countermeasure, but that >>> there's no current spec for that. (And doing that might >>> just move the DoS to somewhere else depending how you >>> did it.) >>> >>> 4.4.2: typo: s/and It cannot/and it cannot/ >>> >>> 4.4.2.1: Is the countermeasure here TLS? If so, better to >>> say so. >>> >>> 4.4.2.2: requests aren't cached are they but rather >>> responses? >>> >>> 4.4.2.3: typo: s/An malicious/A malicious/ >>> >>> 4.4.2.3: The reference back to 4.4.1.4 isn't very >>> clear since a lot of the countermeasures there >>> mention authentication. It'd be better to explicitly >>> list things here or else if you stick with the >>> backwards reference to be more explicit about whic >>> exactly apply. >>> >>> 4.4.2.5: Is this entirely identical to 4.4.1.8? That >>> doesn't seem right. If it is, then say so explicitly. >>> If not, then say what's different. >>> >>> 4.4.3: 1st mention of username/password anti-pattern, >>> so you could add a reference >>> >>> 4.4.3: Be good to metion here that passwords are often >>> used for >1 service, so this anti-pattern risks whatever >>> else is accessible with that credential or an >>> algorithmically derivable equivalent (e.g. >>> joe@example.com/pwd might easily allow someone to guess >>> that the same pwd is used forjoe.user@example.net) and >>> then another countermeasure is to educate users to >>> not use the same pwd for multiple services (hard as >>> that is to really do;-) >>> >>> 4.4.3.4: again digest auth isn't a good example >>> here, but client certs are. >>> >>> 4.4.3.6: What does "Abandon on grant type..." mean? >>> If you mean "don't do this" then say that more >>> clearly. >> >> Changed to "Consider not to use grant type "password"" >> >>> 4.6.2: typo: s/transport security measure/transport >>> security measures/ or maybe just say TLS >>> >>> 4.6.2: typo: s/nounces/nonces/ >>> >>> 4.6.3: 1st countermeasure: maybe s/difficult/infeasible/ >>> I don't see why "difficult" guessing is hard enough? >>> >>> 4.6.4: typo: s/a valid access tokens/a valid access token/ >>> >>> 4.6.4: Do you mean the IP address in the 2nd >>> countermeasure? I'm not sure, esp. given the above. >>> >>> 4.6.4: typo: s/miss the capabilities/lack the capability/ >>> >>> 4.6.6: reference to 2616 is broken >>> >>> 4.6.6: Should you reference httpbis drafts? Just asking, I >>> can see arguments for referencing just 2616 or just >>> httpbis or both, given that this'll be read for hopefully >>> a while after httpbis is done. >>> >>> 4.6.7: referrer vs. referer again >>> >>> 4.6.7: What is an appropriat logging configuration? Can >>> you give a reference maybe or is it really that well >>> known? >>> >>> 4.6.7: Reloading the target page again? Are you really >>> recommending that? >>> >>> 5.1: typo: s/consideratios/considerations/ >>> >>> 5.1.3: I think you should note the email notifications >>> can be a phishing vector so don't make your emails >>> such that lookalike phish messages can easily be >>> derived from them. >>> >>> 5.1.3: Don't you need to say something about getting >>> email notifications delivered and not treated as spam? >>> Maybe you could recommend dkim here or other ways to >>> get better delivery. (Not sure myself, probably best >>> to ask someone who operates like this so see if there's >>> stuff to be said.) >>> >>> 5.1.4.1.3: typo: s/not store credential/not store >>> credentials/ >>> >>> 5.1.4.1.4: salted hashes don't prevent offline >>> dictionary attacks, they just increase the workload >>> >>> 5.1.5.1.4: would it be worthwhile recommending that >>> different client credentials be used in development >>> or integration mode vs. when operational? I've seen >>> a bunch of times when programmers were given "live" >>> API keys when that could've been avoided. >>> >>> 5.1.4.1.5: I don't get this. If it was only that >>> easy:-) I think you need to say which private keys >>> are used here and for what for this section to be >>> useful. >>> >>> 5.1.4.2.1: I think you could note that complex password >>> policies can also increase the liklihood that users >>> re-use passwords or write them down or store them >>> somewhere not so good, if e.g. the entropy required >>> over all the user's passwords (dozens usually) is >>> too great for long-term memory. >>> >>> 5.1.5.1: typo: s/Basis of/The basis of/ >>> >>> 5.1.5.1: typo: s/sensible service/sensitive service/ >>> (2nd best typo:-) >>> >>> 5.1.5.3: typo: s/preciser/more precise/ >>> >>> 5.1.5.3: typo: s/refreshments/refreshes/ >>> >>> 5.1.5.4: 2nd bullet is not a threat but a goal >>> >>> 5.1.5.4: typo: s/redeem a/redeem an/ >>> >>> 5.1.5.5: what is a "rough" server? Do you mean rogue? >>> >>> 5.5.5.6: I think you need to clarify what "address" >>> means here too. >>> >>> 5.1.5.9: please clarify if you mean digitally signed >>> (asymmetric) or also include MACing here >>> >>> 5.1.5.10: typo: s/Self-contained/Self-contained tokens/ >>> >>> 5.1.5.10: s/privacy/confidentiality/ ? >>> >>> 5.1.5.10: this (typically, I'd guess) requires sharing >>> symmetric keys between server nodes, so you should >>> say that as its a bunch of work. >>> >>> 5.1.5.11: I don't get why you want to repeat this >>> text (and its error:-) better to refer back to >>> the earlier section I think. >>> >>> 5.1.5.12: Another place where a SAML reference would >>> be needed. >>> >>> 5.1.6: 2nd bullet is not a "measure" but a goal. If >>> you had something in mind, it doesn't come out from >>> that text. >>> >>> 5.2.2.2: You say the binding should be protected, but >>> don't say how. I think you ought. >>> >>> 5.2.3: typo: s/sub-sequent/subsequent/ but maybe >>> better to delete the word >>> >>> 5.2.3: 2nd bullet - "trustworthiness" has gotta >>> be the wrong word there, what did you mean? >>> >>> 5.2.3: typo: s/statics/statistics/ >>> >>> 5.2.3: typo: s/support achieve objectives/achieve these >>> objectives/ ? >>> >>> 5.2.3: typo: s/by hand of an administrator/something >>> better/ >>> >>> 5.2.3.1: "prevents...overestimating" seems wrong, I think >>> you mean it reduces the probability of mistakenly treating >>> a useless authentication as a good one. (The point is >>> that servers don't "overestimate," only people do that.) >>> >>> 5.2.3.1: "cannot be entirely protected" seems like >>> understatement - the reality is any such secret will >>> leak out from anything that's any way successful. It >>> only protects stuff that *nobody* cares about. >>> >>> 5.2.3.1: typo: s/trust on/trust/ But I'd rephrase it >>> to not use the terms "trust" nor "identity" and then >>> it'd be better I think. >>> >>> 5.2.3.2: typo? s/The authorization may/The authrozation >>> server may/ ? Not sure what "issue a cliend id" means >>> either. (Same in 5.2.3.3) >>> >>> 5.2.3.4: typo: s/A authorization server/An authorization >>> server/ >>> >>> 5.2.3.5: what are "validated properties"? >>> >>> 5.2.3.5: what is the 1st bullet list on p57? there's >>> no introductory text? >>> >>> 5.2.3.5: the "it" in "it only works" in the last >>> paragraph isn't clear - which "it" do you mean? >>> >>> 5.2.3.5: saying discovery "gets involved" seems >>> wrong - do you mean "is used"? And what is the >>> "that" in "that's no longer feasible"? >>> >>> 5.2.3.6: typo: s/be unintentionally for/unintentionally >>> affect/? >>> >>> 5.2.3.7: typo: s/to distribute client_secret/to >>> distribute a client_secret/ >>> >>> 5.2.4.1: Is a "security certificate" a public key >>> certificate? If so, saying that is better. >>> >>> 5.2.4.1: the references to 5.7.2.x are wrong and >>> look like you're missing some xref's in the xml >>> maybe >>> >>> 5.2.4.2: you said "address" again, so the usual >>> question arises :-) >>> >>> 5.2.4.3: typo: s/in all situation/in situations/ >>> (not sure "all" is right so suggest deleting it) >>> >>> 5.2.4.4: again, be good to say how to protect >>> the binding >>> >>> 5.2.4.5: as for 5.2.4.4 say how binding is done >>> >>> 5.3.1: typo: s/a associated/an associated/ >>> >>> 5.3.1: "entirely protected" is (again:-) understatement >>> see above for a suggestion >>> >>> 5.3.1: what does "trust on the client's identity" mean? >>> Its not clear anyway >>> >>> 5.3.3: typo: s/operation systems/operating systems/ >>> (enrire 2nd & 3rd paras could do with re-phrasing) >>> >>> 5.3.4: typo: s/their level/the level/ >>> >>> 5.3.5: this is too terse - is it really finished? I'd >>> say there's a sentence or two missing. >>> >>> 5.4.2: what does it mean to "encourage resource >>> servers" to do something? I guess you mean to encourage >>> the people deploying those to pick resource servers >>> with that capability and to turn that on. >>> >>> 5.4.2: not sure if everyone will know what a >>> "distinguished name" is, maybe add a reference to >>> rfc 5280? >>> >>> 5.4.2: token-bound secrets would be used to MAC >>> the request and not to sign, be better to make that >>> clear even if you still call that "signing" here >>> (its not really, if we're being pedantic) >>> >>> 5.4.2: typo: s/This mechanisms/This mechanism/ >>> >>> 5.4.2 and 5.4.3: I forget - where are the protocol >>> mechanisms for this defined? Can you give a reference >>> or say that its future stuff if there aren't any >>> good ones? >>> >>> 5.5: typo: s/capable to validate/capable of validating/ >>> >>> 8.1: Is the base spec really normative? I'd say you're >>> fine with that as informative too. >>> >>> 8.2: there are a bunch of references missing as per >>> the questions above >>> >>> 8.2: is there no better (more stable) reference than >>> portablecontacts.net? >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] AD review of draft-ietf-oauth-threatmo… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Torsten Lodderstedt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Phil Hunt
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Stephen Farrell
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-thre… Phil Hunt