[OAUTH-WG] Language in the security BCP for cases where raw U/P is unavoidable

Vittorio Bertocci <vittorio.bertocci@auth0.com> Wed, 24 July 2019 15:32 UTC

During Daniel's security BCP presentation yesterday, I commented that although I support deprecating ROPG, I also believe we should acknowledge scenarios where U/P use is unavoidable and give clear actionable guidance to developers.

Daniel observed that not every scenario is prone to be addressed via OAuth2, and invited me to suggest some language to add to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4 clarifying that.

Here's the proposed language:

> Please note: there are scenarios, such as legacy script languages, apps
> using connections strings and similar, where the direct use of username and
> password is required to maintain backward compatibility. Addressing those
> scenarios is outside of the scope of the OAuth2 authorization framework.

As a side note: I worry a bit that giving explicit license to people to ignore OAuth2 for that particular scenario might provide a bit of a slippery slope/broken window effect where developers won't use standard solutions in other scenarios as well. At the same time, if we don't want to tackle that particular class of scenarios, I think it's fair of us to be explicit about it.