Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Fri, 12 July 2013 18:44 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE66F21F9B00 for <oauth@ietfa.amsl.com>; Fri, 12 Jul 2013 11:44:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYPZ8RyVSnQT for <oauth@ietfa.amsl.com>; Fri, 12 Jul 2013 11:44:06 -0700 (PDT)
Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by ietfa.amsl.com (Postfix) with ESMTP id 1370121F9A23 for <oauth@ietf.org>; Fri, 12 Jul 2013 11:43:45 -0700 (PDT)
Received: by mail-ob0-f182.google.com with SMTP id va7so11745829obc.13 for <oauth@ietf.org>; Fri, 12 Jul 2013 11:43:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=1vOrryqER6vlNPVePYQ/zOpzhl3SRQB54yhDpgU9Bos=; b=SF/11xp99nXcVGhjN6bKHyKGYrQ+FelUNNN/GQM8OkT6mDhXfqZrrcs2PL5kDe/pP0 zgQaIlD/z4EJGWUqISSeacSOIEnebXjutEstZMrYNcqixKLOfdkyNMaV4xTKSBNSI5Me cXnnw28LtjkiJmYAIaFOcWhX/lz3Nl5wv3N5xCehYgBXxUbA0fNPXT5bhKRXXqrDemA8 hGjCkPb1m9HreXLrXxNzobuEq1erynwbBvo+m3HMPl8qBKqxOWns3azsylurcFWbsWmv Mq42oGp3NhQAlCb/iloAf6f/1QCerMekbMTGBhRRRmjItEbTAT/dQ53NKabehEtmCT9/ RTpg==
MIME-Version: 1.0
X-Received: by 10.60.43.226 with SMTP id z2mr37138007oel.76.1373654624544; Fri, 12 Jul 2013 11:43:44 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Fri, 12 Jul 2013 11:43:44 -0700 (PDT)
X-Originating-IP: [128.89.253.61]
In-Reply-To: <51BCAB42.3010204@lodderstedt.net>
References: <20130529190805.7996.64437.idtracker@ietfa.amsl.com> <51BCAB42.3010204@lodderstedt.net>
Date: Fri, 12 Jul 2013 14:43:44 -0400
Message-ID: <CAL02cgQMeRMu9ShEsPcO1PYP0xJge0_jA5BvnWyTdcQcE1k9jA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="001a11333dcef0b86104e154e3a8"
X-Gm-Message-State: ALoCoQk5IyQxqGEe6+uB98QcfD4XfqVVPZtiWhI32jEOq4bKev24VFXD2/XOj6CGBI9tT/hQ/f5N
X-Mailman-Approved-At: Fri, 12 Jul 2013 12:02:51 -0700
Cc: draft-ietf-oauth-revocation@tools.ietf.org, oauth-chairs@tools.ietf.org, The IESG <iesg@ietf.org>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2013 18:44:12 -0000
Hi Torsten, Sorry for the delay on this. I've cleared on D2. Focusing this response on point D1: ------------------------------**------------------------------**---------- >> DISCUSS: >> ------------------------------**------------------------------** >> ---------- >> >> D1. The mandate for TLS usage actually seems backward here. Suppose a >> server receives a request over HTTP. At this point, the credentials have >> been exposed, so you would *want* the token to be invalidated! Suggest: >> -- Clients MUST NOT send over HTTP >> -- Server revocation URIs MUST be HTTPS >> -- Servers MAY support HTTP to the corresponding URI, just in case the >> client screws up >> > > I see your point. Doesn't the last bullet contradict the first bullet? They don't contradict each other; the third just assumes that the first might not be universally true. But I would probably be happy with just the first two. The scenario I'm worried about is the following: 1. An operator runs both HTTP and HTTPS servers under the name "example.com". The HTTPS server is used for OAuth things, while the HTTP server for unsecured, public-facing things. In particular, the revocation URIs the server hands out point to the HTTPS server. 2. An attack or mishap manages to change the revocation URL from "https:" to "http:" 3. When the client tries to revoke his token, he is able to successfully open a TCP connection to the HTTP server. He then sends his revocation request over the TCP connection. What is the safe thing for the server do now? The client has exposed the token on the wire, so clearly it *should* be revoked. But if the OAuth revocation service is only active on the HTTPS server, then it won't be. In the spec, there are two things we can do, (1) try to prevent this scenario from happening, and (2) have it fail safely when it does happen. In the above three suggested points, the first does (1) and the third does (2). The document currently says that the server MUST require TLS (the second bullet above). But that doesn't prevent the client from sending TLS, so it doesn't prevent the scenario. Concrete suggestion to realize (1): OLD: "This URL MUST conform to the rules given in [RFC6749], section 3.1." NEW: "This URL MUST conform to the rules given in [RFC6749], section 3.1. Clients MUST verify that the URL is an HTTPS URL." Concrete suggestion to realize (2): OLD: """ Since requests to the token revocation endpoint result in the transmission of plain text credentials in the HTTP request, the authorization server MUST require the use of a transport-layer security mechanism when sending requests to the token revocation endpoints. """ NEW: """ Since requests to the token revocation endpoint result in the transmission of plain text credentials in the HTTP request, URLs for token revocation endpoints MUST be HTTPS URLs. If the host of the token revocation endpoint can also be reached over HTTP, then the server SHOULD also offer a revocation service at the corresponding HTTP URI, but MUST NOT publish this URI as a token revocation endpoint. This ensures that tokens accidentally sent over HTTP will be revoked. """
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes