Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Sat, 13 July 2013 19:30 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A34121F9CC7 for <oauth@ietfa.amsl.com>; Sat, 13 Jul 2013 12:30:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JogHdz1Q7wK for <oauth@ietfa.amsl.com>; Sat, 13 Jul 2013 12:30:51 -0700 (PDT)
Received: from mail-oa0-f49.google.com (mail-oa0-f49.google.com [209.85.219.49]) by ietfa.amsl.com (Postfix) with ESMTP id 4625921F9C81 for <oauth@ietf.org>; Sat, 13 Jul 2013 12:30:51 -0700 (PDT)
Received: by mail-oa0-f49.google.com with SMTP id n9so14204654oag.8 for <oauth@ietf.org>; Sat, 13 Jul 2013 12:30:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=4v9wzzBAkaDb6ror81Yz+eHJKNpr7In1MyakoHLpWl4=; b=iYsVjD+09XlF0nCAnMQJYQIUK8l8RbUokeIc+zkFicsc/Cs+ebktD8+/nyn+vpfM3x MBsGacJ2dpQR9rdGndRTDcf0C+hh1iIx8hex7yJJ+U6Wi20LfKNKkmUc5Zn1va5VXLKz KNVYeNQEaMiVoovBx8kGg+9fWi6lnJ9ajNRzdDkt346vLO/VRt8xMb+5tv40GA+IYBLG eOy9tiG8tqHSHydvFncMuNHGXGRPmPV2//8DYJibWdqqxIWBFQeWdIrZnUr/9sQ8rpK+ 5M7dnI2P3tNpnkl6ZPuAVL7Cre1NN6yzFzFNC7nUfYefCwvPGyz97gAa5+N7U65Qi+6u TBpw==
MIME-Version: 1.0
X-Received: by 10.60.103.211 with SMTP id fy19mr38966275oeb.103.1373743850772; Sat, 13 Jul 2013 12:30:50 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Sat, 13 Jul 2013 12:30:50 -0700 (PDT)
X-Originating-IP: [108.48.145.202]
In-Reply-To: <51E15681.8070306@lodderstedt.net>
References: <20130529190805.7996.64437.idtracker@ietfa.amsl.com> <51BCAB42.3010204@lodderstedt.net> <CAL02cgQMeRMu9ShEsPcO1PYP0xJge0_jA5BvnWyTdcQcE1k9jA@mail.gmail.com> <51E15681.8070306@lodderstedt.net>
Date: Sat, 13 Jul 2013 15:30:50 -0400
Message-ID: <CAL02cgSGUv+VjM2f9=tWkuWd2P3JpcvbNMj4VZWAa-cETUiO_w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="089e0115e85e3cebb304e169aa20"
X-Gm-Message-State: ALoCoQllfLg3mcHyf5pTGvbgAAhvzBi9lal5Lo3DGnyscqsZoZJA15SIKsNCtNpK/O2SXBEEZOgl
Cc: draft-ietf-oauth-revocation@tools.ietf.org, oauth-chairs@tools.ietf.org, The IESG <iesg@ietf.org>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jul 2013 19:30:56 -0000
Great, thanks! I have cleared. --Richard On Sat, Jul 13, 2013 at 9:30 AM, Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Hi Richard, > > thanks for your proposals. I adopted the draft accordingly. > > http://www.ietf.org/id/draft-ietf-oauth-revocation-11.txt > > regards, > Torsten. > > Am 12.07.2013 20:43, schrieb Richard Barnes: > > Hi Torsten, > > Sorry for the delay on this. I've cleared on D2. Focusing this > response on point D1: > > > ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> D1. The mandate for TLS usage actually seems backward here. Suppose a >>> server receives a request over HTTP. At this point, the credentials have >>> been exposed, so you would *want* the token to be invalidated! Suggest: >>> -- Clients MUST NOT send over HTTP >>> -- Server revocation URIs MUST be HTTPS >>> -- Servers MAY support HTTP to the corresponding URI, just in case the >>> client screws up >>> >> >> I see your point. Doesn't the last bullet contradict the first bullet? > > > They don't contradict each other; the third just assumes that the first > might not be universally true. But I would probably be happy with just the > first two. > > The scenario I'm worried about is the following: > > 1. An operator runs both HTTP and HTTPS servers under the name " > example.com". The HTTPS server is used for OAuth things, while the HTTP > server for unsecured, public-facing things. In particular, the revocation > URIs the server hands out point to the HTTPS server. > > 2. An attack or mishap manages to change the revocation URL from > "https:" to "http:" > > 3. When the client tries to revoke his token, he is able to successfully > open a TCP connection to the HTTP server. He then sends his revocation > request over the TCP connection. > > What is the safe thing for the server do now? The client has exposed > the token on the wire, so clearly it *should* be revoked. But if the OAuth > revocation service is only active on the HTTPS server, then it won't be. > > In the spec, there are two things we can do, (1) try to prevent this > scenario from happening, and (2) have it fail safely when it does happen. > In the above three suggested points, the first does (1) and the third does > (2). The document currently says that the server MUST require TLS (the > second bullet above). But that doesn't prevent the client from sending > TLS, so it doesn't prevent the scenario. > > Concrete suggestion to realize (1): > OLD: "This URL MUST conform to the rules given in [RFC6749], section 3.1." > NEW: "This URL MUST conform to the rules given in [RFC6749], section 3.1. > Clients MUST verify that the URL is an HTTPS URL." > > Concrete suggestion to realize (2): > OLD: > """ > Since requests to the token revocation endpoint result in the > transmission of plain text credentials in the HTTP request, the > authorization server MUST require the use of a transport-layer security > mechanism when sending requests to the token revocation endpoints. > """ > NEW: > """ > Since requests to the token revocation endpoint result in the transmission > of plain text credentials in the HTTP request, URLs for token revocation > endpoints MUST be HTTPS URLs. If the host of the token revocation endpoint > can also be reached over HTTP, then the server SHOULD also offer a > revocation service at the corresponding HTTP URI, but MUST NOT publish this > URI as a token revocation endpoint. This ensures that tokens accidentally > sent over HTTP will be revoked. > """ > > > > > > >
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes