Re: [OAUTH-WG] DPoP - Document Shepherd Review
Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Tue, 05 July 2022 17:15 UTC
Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E21C15AD55 for <oauth@ietfa.amsl.com>; Tue, 5 Jul 2022 10:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0UYR7S0n3sU for <oauth@ietfa.amsl.com>; Tue, 5 Jul 2022 10:14:59 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3910FC15AD4E for <oauth@ietf.org>; Tue, 5 Jul 2022 10:14:59 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id h14-20020a1ccc0e000000b0039eff745c53so7620630wmb.5 for <oauth@ietf.org>; Tue, 05 Jul 2022 10:14:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ix5EQMlpoc2lCm1wp9ad9sFEUpDnMKk8J8wbPVVmAso=; b=A3ek2TYg1rIeyhPhvVJ/nDmV9WAjZeESGis0pY2qXXT/l/DgXSo/AvHw0UKjspM5t+ 5s9yhzIX+GjNkPiLH826m/p5PE7KIBqHMF/0UHHOYkDGGIbYIbk6+3elg7RIPcP1RoXV b6Mv9PkE+f516lri09/q8nuNKNMxBR0xrAC1SjBCoUiYxrvnwDZqUJDhbSYsYEYU58XD ff/VHC8fXO6Vgk8RiLooHZl0JGgUqAADCFEcuQKaJDYow6iSD7kx8YZc+Bw1yDmyTqML 19t5HZBDdDQIWOzSpP4SqERM4gcq9GZdUHpN4Bmvq8lGIMIYXpBNwDIurSaOuJ7hUAeb jnVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ix5EQMlpoc2lCm1wp9ad9sFEUpDnMKk8J8wbPVVmAso=; b=1MMYxdKuSHqJCIPHFUWp+ruL4qGEDS2gydg5pljampwkETTK4e1uYNiMTHav+IMNT3 /dXi5ESrOj1A87Ru6wNdIPHh1S6ln03X8JLfH3Ry4EVCRLF69h7VPG7VL+I+2Bm4laDD xIAcLD8ZyqadXaf/zm/8eTVj3RrkZOPrABUvQDTxWRQdnZRbMmN/JhBh1C+RCb1n1AnL r53TayE3W1kp6w9ExqOungKmgQ9UI3W6vStNa3KsXyNA8qznO+IgEdv6vycwySx0EkJw yo/mXYz+9YsrYV3ZtEoqq8hUd6AMSpT4NcH5cSnIhmolTll1RyFm+EUrAUNzgShR817H hYqw==
X-Gm-Message-State: AJIora9BsIAY/wG5d/dbHArO0rXVOz/K9JAioSc3PY6/6Hh1Us0h9uO0 4kFkI2hJtfrUJRo2xTTC/ail/id5JaRJYXDNrzg8Wt8icuA=
X-Google-Smtp-Source: AGRyM1vm0hDLMg5ME4cKF4qDaxiaGjiOEuDzA10q5UfE7J9Aj5MAsK2ie0VIyFxiK6exr7hWL7EQ/xobiVvxkClHQ9k=
X-Received: by 2002:a7b:cb8a:0:b0:3a0:ac8a:7c43 with SMTP id m10-20020a7bcb8a000000b003a0ac8a7c43mr38910129wmi.152.1657041297382; Tue, 05 Jul 2022 10:14:57 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP_0LLLmwdPa2sjsp8mmjOO2woQbdLf3XyPzUsJ_CuogXQ@mail.gmail.com> <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com>
In-Reply-To: <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 05 Jul 2022 13:14:46 -0400
Message-ID: <CADNypP-nrgPHHbmxUZke=9UdpHWhv9wnd-v5vdC-36jgSSNBUw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8a24b05e311fd34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9FItYIZn_DjpXcbt2by79t0DiG8>
Subject: Re: [OAUTH-WG] DPoP - Document Shepherd Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 17:15:03 -0000
Thanks Brian! See my replies inline below. On Thu, Jun 30, 2022 at 6:52 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > Thanks for shepherding Rifaat. And apologies for the slow reply. My > attempts at answering questions and responding to comments are inline > below. > > > On Fri, Jun 3, 2022 at 11:55 AM Rifaat Shekh-Yusef < > rifaat.s.ietf@gmail.com> wrote: > >> The following is my review as a document shepherd: >> >> Section 4.3 >> >> Last sentence >> >> Since the document uses “SHOULD”, this implies that there are some valid >> cases where this is not needed. >> >> Should a text be added to explain when this is not needed? >> > > > What about giving a bit more context about why they should? Changing that > sentence to say, "To reduce the likelihood of false negatives, servers > SHOULD employ Syntax-Based Normalization (Section 6.2.2 > <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) and Scheme-Based > Normalization (Section 6.2.2 <https://rfc-editor.org/rfc/rfc3986> of [ > RFC3986]) before comparing the htu claim." And also maybe changing it to > a little "should". > > Yes, that works. I suggest keeping it as "SHOULD" to encourage implementers to use this, unless they have a really good reason not to. > > >> >> Section 6.1 >> >> 1. >> >> First sentence - what is the reason for using “SHOULD”, instead of >> “MUST” in this case? >> >> > > Good question. I think it was a bit of carryover from OAuth in general not > strictly defining access token format or content. And wanting to not > encroach on that. But that's kinda covered/allowed for in general by > Section 6 already. And Section 6.2 is effectively the same as 6.1 but for > introspection and it doesn't use "SHOULD". I think the “SHOULD” in the first > sentence of 6.1 should be removed thereby making it an implicit must - like > "when using JWT, this is how it is". That would align with the way it's > described for introspection. Also leaves some room for hash algorithm > agility via a new confirmation method member (described in > https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#name-access-token-and-public-key) > without going against a "MUST" > > I am fine with removing the "SHOULD" to make it an implicit must. > > >> >> 1. >> >> The DPoP Proof contains a hash of the Access Token, and the Access >> Token contains a hash of the public key in the DPoP Proof. >> >> Why do you need both? Would one of these be sufficient? >> > > > The latter (AT containing a hash of the public key in the DPoP Proof) is > needed and largely sufficient for the main goals of binding the AT to a key > held by the client. The former (DPoP Proof containing a hash of the AT) > was added later via very rough WG consensus - it can prevent some esoteric > swapping of tokens that I never really understood to be honest and also > limits the impact of using maliciously precomputed and exfiltrated proofs > (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-2-6 > talks about it a bit). Use of the nonce mechanism, which was added to the > draft even later, also (and better) protects against precomputed and > exfiltrated proofs. The value of the AT hash in the proof seems somewhat > questionable. To me anyway. But removing it at this point is potentially > problematic due to inertia, existing implementations/deployments, rough WG > consensus, and more. > > I think that at least a text is needed to justify this, and explain the " it can prevent some esoteric swapping of tokens" issue. Maybe we can discuss this during one of the side meetings in Philly. > > >> Section 7.1 >> >> 1. >> >> “if the request does not include valid credentials or does not >> contain an access token sufficient for access, the server can respond >> with a challenge to the client to provide DPoP authentication information.” >> >> >> Should the “can” be replaced with a “SHOULD”? >> > > > FWIW, there was some discussion around that sentence that included some > pushback on dropping the "can". > https://github.com/danielfett/draft-dpop/issues/119 and > https://github.com/danielfett/draft-dpop/pull/122 have the conversation. > I'm rather hesitant to try and change it after all that. > > > Ok > >> >> 1. >> >> Also, I think it would be clearer if you can explicitly state what >> the authorization server should do when it does not challenge the client, >> which I am assuming will be something along the lines of: “the >> authorization server issues an error response per Section 5.2 of RFC6749“ >> >> > > The section in question is about protected resource access so anything > about the authorization server wouldn't be appropriate there. The protected > resource / RS always has the option to simply fail the request and can do > that however it sees fit. I'm not sure how to state that in the document > text. Or if anything should be stated, honestly. > > Ok > > >> >> Section 7.2 >> >> 1. >> >> “Specifically, such a protected resource MUST reject a DPoP-bound >> access token received as a bearer token per [RFC6750 >> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750> >> ].” >> >> >> I think that I understand what you are trying to say with this sentence, >> but the way the sentence reads is confusing to me. >> >> I am assuming what you are trying to say is something along the lines of >> “a dpop protected resource must reject a request that provides a bearer >> token”. Is that correct? If so, can you please rephrase the sentence to >> make it clearer? >> > > > That's not quite correct. That paragraph > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-7.2-1> > (copied below) is attempting say that a protected resource that will > accept either "Authorization: Bearer <bearer token>" or "Authorization: > DPoP <dpop-bound token>" is required to reject a request that uses the > Bearer scheme with a DPoP-bound access token. This is to prevent > downgraded usage of a bound access token without demonstrating possession > of the key to which it is bound. > > "Protected resources simultaneously supporting both the DPoP and Bearer > schemes need to update how evaluation of bearer tokens is performed to > prevent downgraded usage of a DPoP-bound access token. Specifically, such a > protected resource MUST reject a DPoP-bound access token received as a > bearer token per [RFC6750 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#RFC6750>]." > > Got it. > > >> >> >> 1. >> >> “A protected resource that supports only [RFC6750 >> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>] >> and is unaware of DPoP would most presumably accept a DPoP-bound access >> token as a bearer token” >> >> >> Wouldn't such a resource server check the value of the WWW-Authenticate >> header to make sure it contains the Bearer scheme, which means that the >> request is most likely to be declined? >> > > > What that is trying to say is that a protected resource that only does or > knows about the RFC6750 Bearer scheme ("Authorization: Bearer <token>") > will almost certainly accept a bound access token sent via the Bearer > scheme. > > Ok > > >> >> Section 10.1 >> >> Why define two different mechanisms to achieve the same thing? >> >> This seems to add complexity without an obvious benefit. >> > > > This is a bit of a tricky area. The benefit with PAR is the direct request > from client to AS, which allows for an actual DPoP proof to be used for the > eventual binding of the authorization code to the key. Also the client > doesn't have to do the JWK hash in that case. Whereas the normal > authorization request is indirect via the browser and just a hash of the > key is given for the code binding with the dpop_jkt parameter. And the > client has to compute the hash. But PAR is just an alternative way to pass > the authorization parameters (like dpop_jkt) so it's kinda awkward to use > things together like this. > https://github.com/danielfett/draft-dpop/issues/103 and > https://github.com/danielfett/draft-dpop/pull/111 have some discussion > around this but there was some in person talk too so that's not complete. > > I don't love that there's two different mechanisms here. But it's what we > were able to come up with given all the factors. Certainly open to > considering improvements but am pretty much at a loss of what that might > be. > > Let's discuss this during one of the side meetings in Philly > > >> >> Section 11.6 >> >> Should the algorithms be explicitly called out? Or at least reference a >> document that calls out such algorithms? >> > > > There isn't a single such document and it's not necessarily a static list > of algorithms. I was about to say we could point to the JOSE alg registry > but glancing again at it > https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms > and I suspect that'd confuse more than help. We could perhaps list > some/many of the algs with the qualification that it's not an exclusive or > complete list? But I'm not sure how useful that would be, to be honest. > > If you do not specify any algorithm, how do you ensure interop? I think this is worth a discussion in Philly > > >> >> Section 11.7 >> >> Why is OAuth Token Binding included? >> > > > Yeah, that doesn't make sense to encourage its use because it's not a > viable thing to use. OAuth Token Binding should be removed from Section > 11.7. Was that what you were getting at? That particular text in the > paragraph that mentions token binding has been in the draft for a long time > and honestly never made a lot of sense to me. So I could envision removing > more. But that's maybe more than you were aiming for. > > I am actually in favor of removing it > >> >> Section 11.8 >> >> Why not include algorithm agility to make sure the mechanism is ready to >> allow for more secure algorithms in the future? >> > > Algorithm agility is a whole can of worms that can be accomplished in > different ways with different amounts of added complexity and potential > vulnerabilities and issues of interop and MTI. Section 11.8 describes how > DPoP allows for algorithm agility (without using the exact words) by > suggesting that new dpop binding cnf method and/or AT hash claim be > defined using a "better" hash algorithm if/when the need arises (OAuth > 2.0 Mutual-TLS takes a similar approach FWIW). The intent of doing it > that way was to keep things as simple as possible in the spec right now > without completely closing the door on future needs. . > > This is another topic that is worth a discussion in Philly. Regards, Rifaat > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Daniel Fett
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Justin Richer
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Justin Richer
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef