Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30

Watson Ladd <> Wed, 16 December 2020 05:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AEE0A3A08CA; Tue, 15 Dec 2020 21:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fnH1-U0R6XIo; Tue, 15 Dec 2020 21:01:56 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7EDCA3A10D9; Tue, 15 Dec 2020 21:01:43 -0800 (PST)
Received: by with SMTP id x20so25637387lfe.12; Tue, 15 Dec 2020 21:01:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=GM3YlPmDwJi9FGNtUMRLpJpRK4LOV69uZuZGdcYtqLs=; b=S5L+/GoZdGCMy+D1xOBtOrRLo5vFD33iaEPQf0MFHx0dPfm+BVNSWe5ep8EmaNC19c HmQVwuToFLFMMvRqlCvH5ZeR9NCc8t2S5GKD+wFv7IKOCM0LdVsu6e3B59tNenNf8WYg UxjC1ybxG2V+v3xxparRQgP29p7985k0l0zaL0F0Kg2+XnyVJyXabVy2+XPMs6TQbygW RG0x/yIh14S+wsCBl25pnbRsxGLnWU5OP2Egkf1OgoWIDNivFXpkrAOf3d14FASZ9eiH V2FsmzpQrOeUDsO0pOsgAuXQJQc5+7du/ntsoBqiFNJgjrAdJ8A4mqLB91fQ4maqnBLo B7tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=GM3YlPmDwJi9FGNtUMRLpJpRK4LOV69uZuZGdcYtqLs=; b=dvv9QOKAwYHytlK+uFRClurdYnKz8SuJK0KrVHP4B/BI9PMfEgw5ax+CiZ2SO/mAAn w15WPVezDg3TdIWJEozBraOeMqCOqLM+/RbxzIQVx/NLohqyRrAilBKWVwPHlbFqkrNu +t//HolLGp3Mdo39hD+4SRKKNEnv8/94R9FaX9xpJH3gvlfxspwh4ogBT0uJaTEN8UUS hLSynlcW6Pnl37eQ48J187eSQjWQiztouHBqblK34hmg81o4ZOfuIUzlKYfGMpa7K6hm +ja/5CcBZARVBW3OoQhVDD/v5bBoiEq/W0Zn4ZKka+c2ObOqNdB1OLmCWAWHPJMfSZ5F YOPQ==
X-Gm-Message-State: AOAM532hVDzZHCa5Yi34lVnc7Smyr8xwrwbPqlzrX4mOzMP8EtvY+xmC 88phNPOTPNFzYShImYzNMg2qtv5xmf7ofBcc2jA=
X-Google-Smtp-Source: ABdhPJyL0lhH7B/dx4WQ6KbddHTBpLYINxPL+qhF5sD25pr5Ke5hUlmaSTXebezs3JorBulKLC9p27zm4B7tJaPA7yI=
X-Received: by 2002:a2e:874c:: with SMTP id q12mr13301792ljj.424.1608094901014; Tue, 15 Dec 2020 21:01:41 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Tue, 15 Dec 2020 21:01:29 -0800
Message-ID: <>
To: Nat Sakimura <>
Cc: secdir <>, IETF oauth WG <>,,
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Dec 2020 05:01:59 -0000

On Sat, Oct 31, 2020 at 6:13 AM Nat Sakimura <> wrote:
> Hi Watson,
> Thanks very much for the review. I thought I have sent my response
> earlier, which I actually did not. It was sitting in my draft box. I
> apologize for it.

My apologies for missing it in my inbox for a number of months.
> My responses inline:
> On Sat, Sep 26, 2020 at 9:46 AM Watson Ladd via Datatracker
> <> wrote:
> >
> > Reviewer: Watson Ladd
> > Review result: Serious Issues
> >
> > I generated this review of this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.  These
> > comments were written with the intent of improving security requirements and
> > considerations in IETF drafts.  Comments not addressed in last call may be
> > included in AD reviews during the IESG review.  Document editors and WG chairs
> > should treat these comments just like any other last call comments.
> >
> > Two minor issues: On page 4, "This offers an additional degree of privacy
> > protection." should be reworded. I don't think it makes sense in context, where
> > authenticity was discussed.
> In the course of the edit, explanation about two distinct privacy
> benefits was collated in one sentence and has become very difficult to
> parse.
> What it is trying to express as privacy benefits are the following.
> 1) The authorization request content is sent to the AS in the
> backchannel so it will not be exposed through the browser to the eyes
> of an active or passive outsider observing what is going on in the
> browser.  In the RFC6749 framework case, the authorization request
> goes through the browser redirect and it could leak to the adversary
> via WPAD/PAC Attack, referrer, browser history, etc. Also, if the
> browser was infected by an adversary controlled malware, the content
> can be sniffed by the adversary. In the case of JAR, it does not
> happen. This is one privacy benefit it is trying to explain.
> 2) The location that the authorization request is getting pushed to
> does not have to be the AS. A trusted third party that examines the
> content for the conformance to the collection minimization principle
> may act as the party that accepts the authorization request and issues
> the request_uri. AS can then just evaluate the domain part of
> request_uri to evaluate that the authorization request is conformant
> to this principle. This is another privacy benefit from the point of
> view of the individual user.

I'm fine with any fix to the sentence that makes sense. Don't think we
need to insert the above but I very much appreciate the explanation.

> > It took me a while to understand what the by reference method is: maybe the
> > intro should say via URL instead of by reference.
> request_uri can be URL or a handle such as URN. That is why the "by
> reference" word is being used, per the suggestion of the WG.

I'm fine with that, just noting my confusion.

> >
> >
> > And now for the thorny issues with this draft. Signatures and encryption are
> > different. And encrypting a signed blob doesn't mean the signer encrypted it.
> > Then there are a plethora of methods specified in the draft  to authenticate
> > the blob, which will give different results in maliciously constructed
> > examples. The security considerations section should discuss what the encrypted
> > vs signed choices give in the way of security, and it doesn't. This makes me
> > worry.
> We don’t expect the encryption to ensure authenticity, that’s what the
> signatures are used for.

This needs to be very clearly spelled out in the text. Lots of people
will not understand this. The wording of section 10.2 is at best
ambivalent, with multiple alternatives presented as acceptable.

> I didn't quite get what is meant by "plethora of methods specified in
> the draft to authenticate the blob ... "
> There is a bit of text about authenticating the source (=client) but
> not much on the blob itself.
> The discussion around the signature and/or encryption is covered in
> RFC7519 (JWT), the format that the request object assumes.
> This is required reading when implementing this spec, so WG thought it
> is not worth repeating here.
> Attacks etc. on the signature and encryption are covered in RFC7515
> and RFC7516 respectively.

Well, the draft happens to include the following text:
   "The Authorization Server MUST validate the signature of the JSON Web
   Signature [RFC7515] signed Request Object.  The signature MUST be
   validated using the key for that "client_id" and the algorithm
   specified in the "alg" Header Parameter."

Shouldn't the key be associated with a single algorithm? How do we
ensure that the common attack of telling the server to use hmac to
verify the signature doesn't work here?

> >
> > Looking at the cited reference for attacks, I see the fix is to include
> > information about which IPD was used by the RP. But the draft before us doesn't
> > mandate that. It's not clear than how the cited attack is prevented by the
> > draft. Saying that the communication through the user-agent is subject to
> The mention of mix-up attack was introduced after the Last call by one
> of the comment. It just added it in the sentence with a reference. I
> am ok to remove it.

That works for me.

> Having said that, the heart of mix-up attack is that the combination
> of the client believes that it is communicating with the
> attacker-controlled AS (AAS) while it in-fact is talking to Honest AS
> (HAS), AND HAS unable to find out that the client is thinking that it
> is talking to AAS not him.
> OAuth JAR seems to mitigate it in two ways:
> a) Use request_uri which is hosted by the AS. Then, if the client is
> thinking that it is talking to the AAS, then it will push it to AAS
> and when the user is redirected to HAS, HAS will find out that the
> request_uri is not created by herself and return an error, making the
> mix-up attack fail.
> b) Include `aud` in the request. Then, when the HAS will find that the
> request was minted to AAS and not her. So, it will result in an error,
> making the mix-up attack fail.

If the draft mandates doing this it addresses the attack and the
sentence can stay.

> So, I added mix-up attack to the sentence thinking the commenter's
> request to add it is fine, but I am fine with removing it.
> > manipulation, and this prevents it, ignores that the attacker in that position
> > sees a lot more. The user-agent as resource owner modifying the requested
> > resources is a very funny sort of attack: can't they do what they want with the
> > resources since they control the access?
> If the client is in the browser, yes.
> But in the mainstream case, the client is not in the browser but the
> web-server that the browser is communicating with and the resource
> access happens without being mediated by the browser.

My concern on this point is resolved.

> >
> >
> > Key management is ignored. This is a very important issue, especially
> A lot of ground is covered by RFC 7515, 7516, 7517, 7518, 7519, 7591,
> and 8414 so this document is not specifically restating them.
> >
> > considering the potential problems with the reuse of JWT. I'd like to see a
> Are you talking about the reuse of the request object by an adversary
> trying to act as an honest client?
> Even if it happens, the malicious client does not have the proper
> client credential so it cannot redeem the code it obtained with the
> token. It is no different than RFC6749 code grant. Protocols that
> extend it, such as OpenID Connect, have introduced nonce to prevent
> the reuse and used JAR (it is called request object there) to further
> protect tampering and achieve client authentication even in the front
> channel.
> > recommendation that keys be separated by intended uses, rather than limiting
> > particular fields in an ad-hoc manner.
> Could you kindly elaborate on the "ad-hoc manner" part so that I can
> understand it more fully?

10.8, Cross-JWT Confusion discusses avoiding signing certain fields,
rather than suggesting good key usage as a solution.

> >
> >
> > Then we have section 11. What section 11 introduces is an entire new dramatis
> > personae, the Trust Framework Provider, with no prior discussion of what it is
> > or a reference to where it is defined and a good number of statements about how
> > it works that aren't really  clear what they mean from the document to me.
> Trust Framework Provider first appears in 5.2.1.
> At the time of writing the related text, it was a pretty well-known
> concept. In the United State, it was part of its National Strategy
> (NSTIC) and internationally, it was even taken up at WEF Davos
> meeting. It is quite surprising that such a mainstream concept faded
> into obscurity so quickly. The reason for introducing it was to a)
> justify request_uri as some WG members wanted it to be removed, b)
> justify that requst_uri to be served from a different domain. Now that
> people appreciate it, e.g., it can be seen from PAR, the justification
> for a) probably is no longer required. A full explanation for b) would
> probably be a much longer text but I doubt if it belongs to this
> document. I am fine with removing the reference to Trust framework
> etc. as long as the capability to push the authorization request to a
> place other than the client or the authorization server is not
> removed.

Let's remove the text then, but keep the capability.

> >
> > My biggest concern is that these issues are signs that the problem this draft
> > is trying to solve and the mechanisms to solve it haven't been analyzed as
> > thoroughly as they should have been. Without that sort of thorough analysis
> > it's not certain that the mechanisms actually solve the problem and it's not
> > clear what the recommendations to implementers have to be to preserve those
> > properties.
> OAuth JAR, as the name "The OAuth 2.0 Authorization Framework: JWT
> Secured Authorization Request (JAR)" suggests, is a framework and not
> a house itself. One such example is FAPI [1] which was formally
> verified [2].

"It's possible to use this draft security" I don't think should be
enough anymore. Rather it should be impossible to use insecurely.

> [1]
> [2]
> >
> > Obviously this draft has had a long and tortured history with multiple reviews,
> >  and what I'm suggesting needs to happen is a lot of work. But it's essential
> > in any security protocol to do this analysis and be clear about what is, and
> > what is not, protected by the protocol.
> OAuth JAR is nothing but just another binding to OAuth 2.0. Where RFC6749
> binds it to form encoding, it provides two additional bindings:
>     1) binding to JWT, and
>     2) binding to the pushed authorization request that is referenced by a URI.
> It is this simple. As such, it would also inherit some of the
> shortcomings in RFC6749. However, it is not this document to address
> them. It should be done by other documents so that the result can be
> encoded using the mechanisms provided in this document.

This is not a simple matter. JWT has a long and twisted history with
some pervasive errors in common libraries, and is a fairly large
standard. OAuth 2.0 is also large. Ensuring that the mapping has the
right properties is going to be a mess. If the encoding does not
respect the semantics we have a serious security issue. If
implementors assume the encoding provides properties it does not, we
again have a security issue.

> It is quite surprising that this fact is not getting appreciated and
> is taking such a long time to complete.
> Maybe I should delete all the explanation text and leave it with just
> the core text. Explanation and justification text for defining
> additional bindings probably are just distractions now as it is now
> appreciated and used all over the world unlike when the project was
> started.

> >
> > Sincerely,
> > Watson Ladd
> >
> Thanks again for your detailed comments.
> Best wishes,
> --
> Nat Sakimura
> NAT.Consulting LLC

Astra mortemque praestare gradatim