[OAUTH-WG] Comments on ietf-oauth-dpop
Rohan Mahy <rohan.mahy@wire.com> Tue, 22 March 2022 15:24 UTC
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Tue, 22 Mar 2022 08:24:03 -0700
Message-ID: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6nCXxaxYhJMgaoMRmQjiOozBx3E>
Hi,

Here are some comments on draft-ietf-oauth-dpop-06:

1) With such a significant attack possible as DPoP proof pre-generation, why isn't using the server nonce a SHOULD? Preventing a significant attack and making lifetime handling sane are two excellent reasons to use a server nonce. If an implementation has a good reason to not use a server nonce, we can give guidance about what additional steps the implementation needs to take.

2) The handling of lifetimes of DPoP proofs is vague: "acceptable timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that 1 day, 15 minutes, or 30 seconds? The normative text in the two sections seems contradictory. I think you need a lifetime parameter if a server nonce isn't included, or just pick a number (5 minutes?).

3) I had a similar thought to Nicolas Mora about including other assertions/tokens. There should be a way to chain, include, or reference other OAuth assertions and bind them somehow with the DPoP. This will be a common and important model.

4) Right now you describe the access token hash before describing the access token itself. I think it would be very useful to show a worked example of an access token and then its hash used subsequently. Also Section 4.3 step 11 feels like a circular description. Please rewrite more verbosely to be clearer. Currently:

"when presented to a protected resource in conjunction with an access token, ensure that the value of the ath claim equals the hash of that access token and confirm that the public key to which the access token is bound matches the public key from the DPoP proof."

5) Re: IANA registration of the MIME type. TL;DR: Just register application/dpop+jwt. Long version: The semantics of the thing you want to register is application/dpop. The first syntax you are defining is jwt. For example, iCalendar has three formats: text/calendar (iCal), application/calendar+json (jCal), and application/calendar+xml (xCal).

NITS:
- Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE
- Add reference to TLS, XSS, CRIME/Heartbleed/BREACH/etc., HTTP, JOSE, on first use
- First sentence of Section 2 (Objectives): add a comma (access tokens_,_ by binding) to make it clear that "binding a token" is doing the preventing instead of the stealing in the sentence.
- Section 2 para 5: s/XXS/XSS/
- Maybe mention why you are using ASCII (7-bit) when the charset in the examples is UTF-8.

I hope these comments are useful.

Many thanks,
-rohan

Rohan Mahy | Vice President Engineering, Architecture
Chat: @rohan_wire on Wire
Wire <https://wire.com/en/download/> - Secure team messaging.
Zeta Project Germany GmbH | Rosenthaler Straße 40, 10178 Berlin, Germany
Geschäftsführer/Managing Director: Morten J. Broegger
HRB 149847 beim Handelsregister Charlottenburg, Berlin
VAT-ID DE288748675
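Added example (not part of Rohan's message and not code from the DPoP draft or any OAuth working group implementation): a resource-server-side walk-through of the points raised above, namely the "ath" hash of an access token and its subsequent use, the Section 4.3 step that compares "ath" with the presented token and the proof key with the key the token is bound to, a server nonce check, a concrete "iat" window in place of "acceptable timeframe", and a "jti" replay check that limits proof pre-generation. Assumptions: "ath" is base64url(SHA-256(ASCII(access token))) as the draft defines it, the bound key is compared by RFC 7638 JWK thumbprint, the JWS signature over the proof has already been verified by a JOSE library (that step is deliberately left out here), and the access token, JWK coordinates and nonce are constructed sample values, not real credentials.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding JOSE uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """The 'ath' claim: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, serialized with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def normalize_htu(url: str) -> str:
    """'htu' is compared without query and fragment; scheme and host are case-insensitive."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def check_dpop_proof(header, claims, method, url, access_token, bound_jkt,
                     server_nonce=None, now=None, max_age=300, seen_jti=None):
    """Return a list of failure reasons; an empty list means the proof is accepted.
    max_age is a concrete lifetime (seconds) chosen for this example.
    Signature verification is assumed to have been done by a JOSE library already."""
    now = int(time.time()) if now is None else now
    failures = []
    if header.get("typ") != "dpop+jwt":
        failures.append("typ is not dpop+jwt")
    alg = header.get("alg")
    if alg in (None, "none") or alg.startswith("HS"):
        failures.append("alg must be an asymmetric algorithm")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        failures.append("jwk header missing or carries a private key")
    for claim in ("jti", "htm", "htu", "iat"):
        if claim not in claims:
            failures.append(f"missing claim {claim}")
    if failures:
        return failures
    if claims["htm"] != method:
        failures.append("htm does not match HTTP method")
    if normalize_htu(claims["htu"]) != normalize_htu(url):
        failures.append("htu does not match request URI")
    if server_nonce is not None and claims.get("nonce") != server_nonce:
        failures.append("nonce missing or stale")
    # Pre-generated proofs carry an old iat; a small forward skew is tolerated.
    if not (now - max_age <= claims["iat"] <= now + 60):
        failures.append("iat outside acceptable window")
    # Section 4.3 step 11: ath must hash the token actually presented ...
    if claims.get("ath") != access_token_hash(access_token):
        failures.append("ath does not match access token")
    # ... and the proof key must be the key the token was bound to (cnf.jkt).
    if jwk_thumbprint(jwk) != bound_jkt:
        failures.append("proof key does not match key bound to access token")
    if seen_jti is not None:
        if claims["jti"] in seen_jti:
            failures.append("jti already seen (replay)")
        else:
            seen_jti.add(claims["jti"])
    return failures


# Constructed sample values: not a real key pair, not a real token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-opaque-access-token"
SAMPLE_URL = "https://resource.example.com/protectedresource"


def sample_proof(now, nonce="server-nonce-1", token=SAMPLE_TOKEN):
    """Decoded header and claims of a proof a client would send for a GET (constructed)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": "proof-id-0001", "htm": "GET", "htu": SAMPLE_URL,
              "iat": now, "ath": access_token_hash(token), "nonce": nonce}
    return header, claims


if __name__ == "__main__":
    now = int(time.time())
    header, claims = sample_proof(now)
    print("ath for sample token:", claims["ath"])
    print("bound jkt:", jwk_thumbprint(SAMPLE_JWK))
    print("result:", check_dpop_proof(header, claims, "GET", SAMPLE_URL + "?x=1",
                                      SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK),
                                      server_nonce="server-nonce-1", now=now))
```

Running the module prints the hash of the sample token and the thumbprint the authorization server would have put in cnf.jkt, then the (empty) failure list for a correct request. Swapping in a different access token makes the "ath" check fail, an old "iat" trips the lifetime window, and presenting the same "jti" twice with a shared seen set is reported as a replay.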