IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture

Phil Hunt <phil.hunt@oracle.com> Wed, 18 November 2015 21:03 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8C351B2EF1 for <oauth@ietfa.amsl.com>; Wed, 18 Nov 2015 13:03:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level:
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnZwUa3b4xYF for <oauth@ietfa.amsl.com>; Wed, 18 Nov 2015 13:03:37 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61CA71B2EF0 for <oauth@ietf.org>; Wed, 18 Nov 2015 13:03:37 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tAIL3ZrL008804 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 18 Nov 2015 21:03:36 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id tAIL3ZMP026421 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 18 Nov 2015 21:03:35 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id tAIL3YoC001794; Wed, 18 Nov 2015 21:03:34 GMT
Received: from [10.0.1.22] (/24.86.216.17) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 18 Nov 2015 13:03:34 -0800
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CAHbuEH5nRQcKQMh8LDGdfBQ=Z4AWeKJxxCGV7V-gh_dSuSpb7w@mail.gmail.com>
Date: Wed, 18 Nov 2015 13:03:33 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <7028747C-88DD-43BD-B0A4-FDEB7662A208@oracle.com>
References: <CAHbuEH5nRQcKQMh8LDGdfBQ=Z4AWeKJxxCGV7V-gh_dSuSpb7w@mail.gmail.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
X-Mailer: Apple Mail (2.3096.5)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/73A-1a7WjE_hUd6Wyocax_T73gc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 21:03:41 -0000

Comments inline.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Nov 16, 2015, at 12:37 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
> 
> Hello,
> 
> I reviewed draft-ietf-oauth-pop-architecture and have a few questions.
> 
> 1. Section 6, Threat Mitigation:
> 
> Last sentence of first paragraph, "To
>   simplify the subsequent description we assume that the token itself
>   is digitally signed by the authorization server and therefore cannot
>   be modified."
> 
> Since bearer tokens are not signed by default, is this proposing a
> change?  If so, where will that change occur?  To state that "it is
> assumed" without it being required anywhere is not a good assumption.
> I'd still see this as a risk or security consideration.  When OAuth is
> re-used by other protocols, I am seeing that re-use leave off basic
> protections that should be assumed like TLS, let alone digital
> signatures.  If this is required in the defined architecture (Section
> 7 - it does show this, but there are no MUSTs that I can find), just
> state that and refer to the requirement.

[PH] I think the change is the point of the POP specifications. We are talking about a new class of tokens that are specifically not Bearer tokens thus the threat mitigation states that POP tokens are assumed to be digitally signed.

Was that not clear from the introduction?
> 
> 2. Section 6, Threat Mitigation
> 
> Third paragraph, "As an example, TLS with a ciphersuite
>   that offers confidentiality protection has to be applied (which is
>   currently true for all ciphersuites, except for one).
> 
> Please list a reference so the reader knows which ciphersuites are
> acceptable from the recommended ones in RFC7525.  I don't recall there
> being any MTI ciphersuites for OAuth (I'm pretty sure there aren't and
> that we've discussed that already with previous drafts, so this should
> be spelled out more).
[PH] I think this can be simplified a bit. I think this was referring to a “NULL” ciphersuite which is what 7525 says should not be done.  We should also point to 7525.
> 
> 3. (Nit) Section 6.2, add a comma to improve readability
> From: "Instead of providing confidentiality protection the authorization
>   server could also put the identifier of the client into the protected
>   token with the following semantic:"
> To: "Instead of providing confidentiality protection, the authorization
>   server could also put the identifier of the client into the protected
>   token with the following semantic:”
> 
[PH] Will add to the next draft pending your comments on the above items.

> Thank you all for your work on this draft!
> -- 
> 
> Best regards,
> Kathleen
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email