Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 November 2019 10:18 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Tue, 19 Nov 2019 18:18:34 +0800
Message-Id: <68C13255-EB30-4B1B-A8BD-A3D993802450@lodderstedt.net>
References: <CA+iA6uhdYVKpPw15G0ra=PvusrJ3d7btYM4VgHuco2=hv81fgw@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CA+iA6uhdYVKpPw15G0ra=PvusrJ3d7btYM4VgHuco2=hv81fgw@mail.gmail.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9JzuG-ugAacFxIXIyJL1hRmqp5M>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Oh, I see where you are heading. We potentially can cut some bells and whistles out of the current text.

> Am 19.11.2019 um 18:06 schrieb Hans Zandbelt <hans.zandbelt@zmartzone.eu>:
> 
> 
> How about:
> 
> - don't use the Implicit or Resource Owner Password Credentials  grant types
> - perform exact matching of redirect URIs and make them Client/AS specific
> - use PKCE
> 
> Hans.
> 
>> On Tue, Nov 19, 2019 at 5:58 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> 
>> > On 19. Nov 2019, at 17:10, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
>> > 
>> > 
>> > 
>> > On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> > Hi Hans, 
>> > 
>> > > On 18. Nov 2019, at 04:11, Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:
>> > > 
>> > > Hi,
>> > > 
>> > > Please find my feedback from page 21 onwards below.
>> > > 
>> > > Hans.
>> > > 
>> > > Overall I would argue there's room for a very concise guidance section that says: do this, don't do that, without explanation, just as a reference for developers; the current text provides in depth analysis but that is perhaps not suitable for developers who just want to know what to do (or not to do) and don't really care about the background/reasoning
>> > 
>> > While section 4 gives the raw security threat analysis, we tried to summarise the actionable guidance in section 3. What do you miss there?
>> > 
>> > I'd rather see it even shorter and more concise, but I guess you're right, it is there
>> 
>> Do you want to suggest some text?
>> 
>> >  
>> > > 
>> > > P21
>> > > first bullet
>> > > "the client has bound this data to this particular instance." -> particular instance of what?
>> > 
>> > This bullet refers to the note above. 
>> > 
>> > "Note: this check could also detect attempts to inject a code which
>> >    had been obtained from another instance of the same client on another
>> >    device, if certain conditions are fulfilled:"
>> > 
>> > ok, I see
>> >  
>> > > 
>> > > 3rd paragraph:
>> > > "call to the tokens endpoint." -> "call to the token endpoint."
>> > 
>> > Fixed 
>> > 
>> > > 
>> > > last paragraph could forward point to the next section by adding something like
>> > > "using one of the mechanisms described in the next section."
>> > 
>> > Incorporated 
>> > 
>> > > 
>> > > P22
>> > > 3rd paragraph:
>> > > is the token binding guidance still accurate? it seems to be overestimating the adoption 
>> > 
>> > You mean this statement? 
>> > 
>> > "Token binding is
>> >       promising as a secure and convenient mechanism (due to its browser
>> >       integration).  As a challenge, it requires broad browser support
>> >       and use with native apps is still under discussion."
>> > 
>> > yeah, but after re-reading I guess this actually spells out the adoption conditions, so it is fine
>> > 
>> > Hans.
>> >  
>> > 
>> > Thanks,
>> > Torsten. 
>> > 
>> > > 
>> > > -- 
>> > > hans.zandbelt@zmartzone.eu
>> > > ZmartZone IAM - www.zmartzone.eu
>> > > _______________________________________________
>> > > OAuth mailing list
>> > > OAuth@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/oauth
>> > 
>> > 
>> > 
>> > -- 
>> > hans.zandbelt@zmartzone.eu
>> > ZmartZone IAM - www.zmartzone.eu
>> 
> 
> 
> -- 
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu