IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt

John Bradley <ve7jtb@ve7jtb.com> Wed, 25 November 2015 20:25 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 336D31B2F75 for <oauth@ietfa.amsl.com>; Wed, 25 Nov 2015 12:25:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u92XZxAG0_GB for <oauth@ietfa.amsl.com>; Wed, 25 Nov 2015 12:25:12 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AD1F1B2F65 for <oauth@ietf.org>; Wed, 25 Nov 2015 12:25:11 -0800 (PST)
Received: by qkao63 with SMTP id o63so20274321qka.2 for <oauth@ietf.org>; Wed, 25 Nov 2015 12:25:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=x2i5misi8AKB7eXj/r7Q9KKfjgfMALudv3NSoiMdB1M=; b=wNfmCJNA/nDzyr8tzqBTLY6oMBBTHQwcXAl1Zd6E4F5BY1wqz+SWcdxzlVnApQwWPe r/5ym3Mfax/CnJWH1D/Dyvb4Kx46CrfXBdv0H29oUpE2RZ5UGIZribrBXklSIIDGC7Jd xD0oZsqDxmRrCGTB5zoqKn9/N7RdzAvsQD26m8P/P+05Ttl1AfgG3w+DNqg8HfusqEtL JtTgqpPfaaA8JPG2pLCHTvZMqF6++RBeCv78Tgojr/oCj4Z3YTcXU22u+mLP2/TuUdPK onyrlgAWwdi8V6Qw9I5fz38yoIPUrPEfk6AzQiw3wDTZCZy9aNjl3vW/QaHt/vacD2vU hr5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=x2i5misi8AKB7eXj/r7Q9KKfjgfMALudv3NSoiMdB1M=; b=cj6YLSvL2qkShrDifsQVlrz722Lj50flA1QR4DV7GPzj5Y4EbT9Hx4EOmnVz95OCbG Vm7e/a2f/Ld8/uqFpawuSy+3hJbGFwITp1mMAB4zDu7U99tfpsI86soXBwK0r2WyPEtY YB4pX+OHURV3o1baBG48um/aCETOBeuPm/FVNCouLNZibgBP2vARR2WTw0RzAhgTXisP uiqaCqbhMLpXETrjfO6Z5dUX0OvsUSE6yfvegNJxtb3LpIV5nFzP8xRUIGkMJQO4gx8Z 1CSi29snHTNzzB8HPLbQ7HFzy/lA9eswGOROEQDvDjOTnyNoWbdGq2wriCUR8UZhJjWG CUMw==
X-Gm-Message-State: ALoCoQmVAxoMqBX+R6W82/vbcv2j//L+2N1wJWaGfB1EtxeIjxWYP3+Df5vXWVTWqJ8cj8Yiq0KB
X-Received: by 10.55.76.213 with SMTP id z204mr41201425qka.58.1448483110701; Wed, 25 Nov 2015 12:25:10 -0800 (PST)
Received: from [192.168.1.216] ([191.115.122.254]) by smtp.gmail.com with ESMTPSA id u59sm5995930qge.0.2015.11.25.12.24.55 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 25 Nov 2015 12:25:09 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_B1BF3DD0-B80D-4C79-B287-4BF5FA47E84D"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <FD46B414-EEEA-44AF-BEDC-F4F1DA425EBA@oracle.com>
Date: Wed, 25 Nov 2015 17:24:45 -0300
Message-Id: <E7CBB391-6411-42D2-BD45-70F9F90CA73F@ve7jtb.com>
References: <20151124200512.20833.28463.idtracker@ietfa.amsl.com> <F787FB76-5C8D-45F5-8A81-E430E75A0455@oracle.com> <CA+k3eCSeOyc2HMY+sK9rSjxkSAvNPWqwKyJNjDZAaCu2Stqk=w@mail.gmail.com> <16FAD3AC-CFB8-46D5-A12E-436E902EA439@oracle.com> <C9F8F669-E091-4E81-82B6-B5AF1A52F922@ve7jtb.com> <FD46B414-EEEA-44AF-BEDC-F4F1DA425EBA@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/7HnhhDZN0TwB65Ymjzcc6WNylfc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 20:25:18 -0000

The client is verifying the certificate of the token endpoint not the signature of the token.  
That is why It is still vulnerable to man in the middle attacks 

There is no guarantee that the signing key for the AT is one that the client has any way to verify.  
The client checking the signature would not stop a man in the middle attack.

John B.


> On Nov 25, 2015, at 5:19 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> Thats not what I am on about. 
> 
> Kathleen objected to the signed requirement in sec 6 without making it clear in sec 5. 
> 
> We can't have it both ways. Be both opaque and signed for the client to verify.  
> 
> If I restore the requirements than the threat mitigation assumption of signed tokens must also be removed. 
> 
> Phil
> 
> On Nov 25, 2015, at 12:02, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> 
>> The token is opaque to the client.  It’s format is a matter between the RS and the AS. 
>> 
>> Where do we require the client verify the token?    The RS is the only party that needs to verify the access token.
>> 
>> The information that the client needs about the token is in additional meta-data delivered with but not in the AT.
>> 
>> I agree with Brian that is wrong on two counts.
>> 
>> 1) the token is opaque to the client.
>> 2) one method of delivering the key to the RS is in a signed JWT.  It is however also possible (if not ideal) for the AT to be a reference, and introspected by the RS to get the key.
>> 
>> So 
>> "In contrast to bearer tokens [RFC6750] which call for tokens that are opaque to OAuth 2.0 clients, this specification defines the requirements for proof-of-possession ("PoP") tokens that may are also opaque to OAuth 2.0 clients but may be parsed and verified, or introspected by OAuth 2.0 Resource Servers. When token endpoints issue “PoP” tokens they provide the OAuth Client additional parameters with information on what key material to use for the proof.”
>> 
>> Or given that they are both opaque that part of the statement could be dropped.
>> 
>> John B. 
>> 
>> 
>>> On Nov 25, 2015, at 12:44 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>> Except that later on we require the token be signed and the client verify that signed token. IOW mutual pop. 
>>> 
>>> Phil
>>> 
>>> On Nov 25, 2015, at 07:30, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>> 
>>>> Looking at the diff I noticed the following new text, which seems to conflate bearer/PoP and opaqueness to the client. A client demonstrating proof-of-possession of some key is orthogonal to the client being able to parse and understand the access token itself. 
>>>>  
>>>> "In contrast to bearer tokens [RFC6750] which call for tokens that are opaque to OAuth 2.0 clients, this specification defines the requirements for proof-of-possession ("PoP") tokens that may be parsed and verified by OAuth 2.0 clients and relying parties."
>>>> 
>>>> On Tue, Nov 24, 2015 at 1:07 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>>> This draft addresses review comments from Kathleen and Erik raised since the last draft.
>>>> 
>>>> It may not include some of the discussion from yesterday/today.  I will add that as the group decides.
>>>> 
>>>> Cheers,
>>>> 
>>>> Phil
>>>> 
>>>> @independentid
>>>> www.independentid.com <http://www.independentid.com/>
>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>> 
>>>> > On Nov 24, 2015, at 12:05 PM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
>>>> >
>>>> >
>>>> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> > This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>>>> >
>>>> >        Title           : OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
>>>> >        Authors         : Phil Hunt
>>>> >                          Justin Richer
>>>> >                          William Mills
>>>> >                          Prateek Mishra
>>>> >                          Hannes Tschofenig
>>>> >       Filename        : draft-ietf-oauth-pop-architecture-06.txt
>>>> >       Pages           : 23
>>>> >       Date            : 2015-11-24
>>>> >
>>>> > Abstract:
>>>> >   The OAuth 2.0 bearer token specification, as defined in RFC 6750,
>>>> >   allows any party in possession of a bearer token (a "bearer") to get
>>>> >   access to the associated resources (without demonstrating possession
>>>> >   of a cryptographic key).  To prevent misuse, bearer tokens must be
>>>> >   protected from disclosure in transit and at rest.
>>>> >
>>>> >   Some scenarios demand additional security protection whereby a client
>>>> >   needs to demonstrate possession of cryptographic keying material when
>>>> >   accessing a protected resource.  This document motivates the
>>>> >   development of the OAuth 2.0 proof-of-possession security mechanism.
>>>> >
>>>> >
>>>> > The IETF datatracker status page for this draft is:
>>>> > https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/>
>>>> >
>>>> > There's also a htmlized version available at:
>>>> > https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-06 <https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-06>
>>>> >
>>>> > A diff from the previous version is available at:
>>>> > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-architecture-06 <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-architecture-06>
>>>> >
>>>> >
>>>> > Please note that it may take a couple of minutes from the time of submission
>>>> > until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
>>>> >
>>>> > Internet-Drafts are also available by anonymous FTP at:
>>>> > ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/>
>>>> >
>>>> > _______________________________________________
>>>> > OAuth mailing list
>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>>  <https://www.pingidentity.com/> 				
>>>> Brian Campbell
>>>> Distinguished Engineer
>>>> Ping Identity
>>>> @	bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>
>>>> 	+1 720.317.2061
>>>> 	@pingidentity
>>>> Connect with us!
>>>>  <https://www.pingidentity.com/> <https://www.pingidentity.com/>
>>>>  <https://ping.force.com/Support/PingIdentityCommunityHome> <https://ping.force.com/Support/PingIdentityCommunityHome> <http://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>  <https://twitter.com/pingidentity>  <https://www.youtube.com/user/PingIdentityTV>  <https://www.linkedin.com/company/21870>  <https://www.facebook.com/pingidentitypage>  <https://plus.google.com/u/0/114266977739397708540>  <http://www.slideshare.net/PingIdentity>  <http://flip.it/vjBF7>  <https://www.pingidentity.com/blogs/>_______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>

v2.30.2 | Report a Bug | By Email | System Status