IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

John Bradley <ve7jtb@ve7jtb.com> Thu, 16 October 2014 16:11 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB79A1A86E4 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 09:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pyGytsrw48Xj for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 09:10:57 -0700 (PDT)
Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7827B1A3BA4 for <oauth@ietf.org>; Thu, 16 Oct 2014 09:10:53 -0700 (PDT)
Received: by mail-qa0-f42.google.com with SMTP id j7so2612070qaq.15 for <oauth@ietf.org>; Thu, 16 Oct 2014 09:10:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=ZZ8xiT5CNiGqNY5q5HNLA7TUsqZbb1l6ba8GgpT/oLo=; b=hG2oKSG+34gSDT4FXfAIiTnn616pIJBNoKieDHSdrGHnA8SUJaQ7BLZor1hNhdQ2qG Jd8w59rBaMBMi0h1wdkgODmYJ9h59q7M9cdJPFDMU6Sac7i5IFJX9OsiDwAfOPSw95/q 25exgSvo+Ek6smNGAVauVxLgGy1vzPsqKyitb7CzRnbm2iz597Db510PbScY8+pILYGQ JeadlOLB6hvRp5k5LrqJkP9caLoaPObxp/CM+WzIoq/vYQ6HstzOKJnghUexiTpIYCYH mfMNoYJWSYyAtDO1sNEUVLHzzJ+ohVvQXh+KmXKAsNucJvQ799FU2eVluwIkTQxYxydL D9/A==
X-Gm-Message-State: ALoCoQnmbBvUIS3MvfuGBY8x9bbibUAm5udsdQNFH6S+dbgVTI20wFMnP7cH7fCxka6B9fTtm3wt
X-Received: by 10.140.38.176 with SMTP id t45mr3291306qgt.3.1413475852689; Thu, 16 Oct 2014 09:10:52 -0700 (PDT)
Received: from [192.168.8.100] ([201.189.87.10]) by mx.google.com with ESMTPSA id 18sm8204640qgl.5.2014.10.16.09.10.50 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 16 Oct 2014 09:10:52 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_1395E981-AFA3-44A5-BBC8-FAF7C5B63DCB"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAL02cgS6L3j_+Xoepk5K3v95zpLnHXr+wpEg1bV4DXrs_bQt_A@mail.gmail.com>
Date: Thu, 16 Oct 2014 13:10:51 -0300
Message-Id: <5BA73F24-B14A-4A7F-980A-B589A217712C@ve7jtb.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BB13261@TK5EX14MBXC286.redmond.corp.microsoft.com> <CAL02cgS6L3j_+Xoepk5K3v95zpLnHXr+wpEg1bV4DXrs_bQt_A@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/4QweYzG4Dq0Gk0nchfeXSdASBiI
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 16:11:03 -0000

Having an audience is an important part of keeping the assertions from being reused inappropriately.

I think the difference between this and PKIX is that a certificate references a private key so is in a sense only usable by the holder of that key.

If we were talking about holder of key /Proof of Possession JWT and SAML assertions then perhaps there is a corner case for not specifying an audience.

Using bearer assertions, I don't think the hypothetical flexibility gain is worth the inevitable security issues caused by not having an issuer, and people, not understanding the consequences of that.

John B.

On Oct 16, 2014, at 12:39 PM, Richard Barnes <rlb@ipv.sx> wrote:

> On Thu, Oct 16, 2014 at 8:29 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Thanks for your review, Richard.  I'm replying to your DISCUSS about the audience being required below...
> 
>                                 -- Mike
> 
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 15, 2014 8:48 PM
> > To: The IESG
> > Cc: draft-ietf-oauth-assertions@tools.ietf.org; oauth-chairs@tools.ietf.org;
> > oauth@ietf.org
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17:
> > (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-assertions-17: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this introductory
> > paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > "The assertion MUST contain an Audience that identifies the Authorization
> > Server as the intended audience.  Assertions that do not identify the
> > Authorization Server as an intended audience MUST be rejected."
> >
> > Could you please identify the threat model within which this "MUST" is required?
> > This requirement doesn't follow from any of the threats elaborated in Section 8.
> 
> Sure, this is to prevent a legitimate assertion intended for one authorization server being captured by the attacker and sent to a different authorization server.  Unless there's an audience for the authorization server to check, there's no way for the authorization server to reject assertions intended to be used by a different server.  Using the audience is the normal way to prevent this attack.
> 
> That all assumes that the issuer of the assertion intends to limit it to a specific authorization server.  That is not the case with many assertion systems today, e.g., PKIX.
> 
>  
> > The Audience is only necessary if the Issuer wishes to constrain the set of
> > Authorization Servers with which an assertion may be used.  So ISTM that this
> > should be "MAY contain..."
> 
> Constraining the set to the intended server is basic to the security guarantees.  If I can take a server intended for server1 and get server2 to accept it, all security bets are off.
> 
> That's dramatically overstating things.  The only security bet that is off in that case is that the assertion is not limited to one authorization server.  Which may or may not be the issuer's intent.
> 
> The only thing I could see justifying this requirement is something in the overall OAuth architecture that requires authorizations to be scoped to a specific authorization server.  If that exists, add a citation and I'll clear.  Otherwise, this needs to be un-MUST-ed.
> 
> --Richard
> 
> 
>  
> 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > "keyed message digest" -> "Message Authentication Code"
> >
> > That's the proper terminology [RFC4949], especially since there are MACs that
> > are not based on digests.
> >
> > "This mechanism provides additional security properties." -- Please delete this or
> > elaborate on what security properties it provides.
> >
> > Section 8.2 should note that "Holder-of-Key Assertions" are also a mitigation for
> > this risk.
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email