IETF Logo Mail Archive

Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

Neil Madden <neil.madden@forgerock.com> Thu, 01 November 2018 14:55 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 272DB12777C for <oauth@ietfa.amsl.com>; Thu, 1 Nov 2018 07:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBMECzZu0Xtj for <oauth@ietfa.amsl.com>; Thu, 1 Nov 2018 07:55:26 -0700 (PDT)
Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27E10124BAA for <oauth@ietf.org>; Thu, 1 Nov 2018 07:55:26 -0700 (PDT)
Received: by mail-wr1-x442.google.com with SMTP id u1-v6so20399033wrn.0 for <oauth@ietf.org>; Thu, 01 Nov 2018 07:55:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NFFOMn4GWiNc0QfnHz86IZCwpz6i+00ioJ/+Nh/yvmk=; b=jtLaEIWqwzzt9W67jE+Sq1mPuUyPeZbpVCavqfYlQAsvcn5f7zutjyqUrHqj2LmWgc 8yyVd4RLmSMGgaRa3h6QaBmB5NleeQzeVGMcLEG4dz8Oe3cDs3V93sHvBJXohGiPw5ER hyuRR161OxY4t2Fi/xY/y69MXEZkv1QnujiQ8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=NFFOMn4GWiNc0QfnHz86IZCwpz6i+00ioJ/+Nh/yvmk=; b=LiEl8lmpa661Gz79WgcQyLCMvdPASWFxyiy3pSC2mC6sGp5SymBng9xbneR0K+KN5q a12z+tYOETS8ihzS2N6vZuct1rB6pfhFhwDq/RmHURF5pmHezqxjpykaksjgH0et9uII 5ylPnmNrpGYspzp4akrTzX9LVV5I44gmlUjoQ9NXuSsI8KrOiwrB0xhfqWLI2B7XjiSs 6udJNJE88T81T+/wCMw590NANMa15DXmELPdmuHyUytupWPKRS7ZpK7aSlNGN8FTbBHQ VSQX7PiaXVKSBmEz3T/SDhsSLnYQaM//ebP4+Q6NrM8Zw8b1nif1MKa9ijWxZd4D5qd2 nFdg==
X-Gm-Message-State: AGRZ1gJjaxXt9PCF4dKUQffy73XtECUyIlTFTeLGkommhHPEUhxzSQeI x0Q8xxMfI4GziYbhFCWLGSjiuQ==
X-Google-Smtp-Source: AJdET5fTN4kB/biZivm+aAtJFe8tSAO29tqrmk6kKD8RGlO3hqQk0kXM5cyRQ0NIih8f6OmqqdL89g==
X-Received: by 2002:adf:bd0f:: with SMTP id j15-v6mr6494303wrh.267.1541084124502; Thu, 01 Nov 2018 07:55:24 -0700 (PDT)
Received: from guest2s-mbp.lan (41.167.189.80.dyn.plus.net. [80.189.167.41]) by smtp.gmail.com with ESMTPSA id y21-v6sm10206981wma.36.2018.11.01.07.55.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Nov 2018 07:55:23 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com>
Date: Thu, 01 Nov 2018 14:55:22 +0000
Cc: jmg+oauth@newcontext.com, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E3A46223-AA0E-4364-9CD1-C5A7F2F37A9D@forgerock.com>
References: <CALgdmdsoj9uaVyha5x7anxt4iU_0f8FqyfjNH00Syd-MKSQ_UQ@mail.gmail.com> <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4U5A3VTOwmH4PtoRQj5vK4o9fdU>
Subject: Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2018 14:55:30 -0000

I believe the standard approach to this is to only prompt for a client certificate in a renegotiation handshake rather than in the initial handshake. Renegotiations are encrypted under the existing TLS session.

— Neil

> On 1 Nov 2018, at 14:37, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> To be honest, I thought that was a relatively well known aspect of TLS 1.2 (and prior) and a noted difference of the new features in TLS 1.3. Also, I'd note that we're well past WGCL for this document. But, with that said, I suppose adding some privacy considerations text on the subject is worthwhile. Would you propose some text for the WG to consider, John-Mark? Bearing in mind that the implications of a certificate presented by, and representing, an OAuth client are somewhat different than for an end-user doing client cert authentication. 
> 
> 
> 
> 
> On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:
> I would suggest that the security considerations section of
> draft-ietf-oauth-mtls-12 be expanded to include the privacy
> implications of using this on versions of TLS before 1.3.  On all
> versions of TLS before 1.3, the client cert is not encrypted and can
> be used by third parties to monitor and track users.  I recently
> posted a blog entry about this:
> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
> 
> Thanks.
> 
> John-Mark Gurney
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email