[OAUTH-WG] Comments on draft-ietf-oauth-security-topics-05
Phil Hunt <phil.hunt@oracle.com> Thu, 22 March 2018 09:52 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6457126C19 for <oauth@ietfa.amsl.com>; Thu, 22 Mar 2018 02:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8WjHXmPBsDAY for <oauth@ietfa.amsl.com>; Thu, 22 Mar 2018 02:52:16 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84A831205D3 for <oauth@ietf.org>; Thu, 22 Mar 2018 02:52:13 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2M9itmj056476 for <oauth@ietf.org>; Thu, 22 Mar 2018 09:52:13 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : content-type : mime-version : subject : message-id : date : to; s=corp-2017-10-26; bh=Drcrr9szsMIXdxyrBXzGRWWb4Oqy1ft6PL/ca6N0ZjI=; b=o+o6SHNGi9XGuWN4TZUgzKqSzC44qYKeWPk7NNZbfjZ3N3xBh/qtDYXePWES2faPUEwZ AVmd2dCoC7d52fuuF5luVQ1G9hAjgUCESH5yJGE7oGuBkV49hUpavBccgkiLA7SKkJ8F B9KQWdojYsmhWJBpeLyWaBxzkGd6PbcyeIskgVqhS2BQCXKw4wBHi0OcPEVEdR0hECce Bwa+0CYdGOZgboxjCr6xSp8lYsj0qvE4LYJMuZRbpeinoPCHnCRUpBxBwFpejDRHpygE 2jJYWZo+yBlEBhwSSRy/FS6a0NfK5NFk4D8/s9EBzmLxzPC3DL2/2zePx73VSZyEkgNP ig==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2gva3mr17u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <oauth@ietf.org>; Thu, 22 Mar 2018 09:52:12 +0000
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w2M9qBkQ032165 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <oauth@ietf.org>; Thu, 22 Mar 2018 09:52:11 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w2M9qBwi001271 for <oauth@ietf.org>; Thu, 22 Mar 2018 09:52:11 GMT
Received: from dhcp-9f83.meeting.ietf.org (/31.133.159.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 22 Mar 2018 02:52:11 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D251A6B3-AF70-4B36-B9A6-1ED2C359A6E2"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <261C62EA-2327-4EF5-8585-542AA7672893@oracle.com>
Date: Thu, 22 Mar 2018 09:52:08 +0000
To: OAuth WG <oauth@ietf.org>
X-Mailer: Apple Mail (2.3445.5.20)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8839 signatures=668695
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803200127
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AK-meof_YqMYg4sgDsu9kFEQ6zs>
Subject: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 09:52:18 -0000
Torsten, Great document! Some minor nits and comments: Abstract - double period after first sentence. > It updates and extends the OAuth 2.0 Security Threat Model to > incorporate practical experiences gathered since OAuth 2.0 was > published and cover new threats relevant due to the broader > application of OAuth 2.0. When I first read, it sounds like this is a replacement for the threat model or at least could be read that way. I think you mean readers still need to read 6819. How about... "This specification uses the OAuth 2.0 Security Threat Model and supplements it to incorporate practical experiences gathered"... Section 1. The paragraph starting “OAuth initially assumed a static…” appears to continue the previous bullet point. Should the paragraph be indented? Last paragraph 3.1.1 > This kind of injections is covered in > Section Code Injection. Should this say Section 3.5? Section 3.1.5 This paragraph seems unfinished... > > Question: Does redirect uri validation solve any problem for > native apps? Effective against impersonation when used in > conjunction with claimed HTTPS redirect URIs only. > For Windows token broker exact redirect URI matching is important > as the redirect URI encodes the app identity. For custom scheme > redirects there is a question however it is probably a useful part > of defense in depth. Section 3.4 > AS returns client_id and its iss in the response. Client compares > this data to AS it believed it sent the user agent to. “client_id” and “iss” attributes do not appear to have any marking (<spanx style=“verb”>) in multiple locations in the document. Section 3.5 > How does an attack look like? How about: "An attack looks like:” Writing style of the following comment seems like an editors note rather than a comment for the reader. Rephrase? > But this approach conflicts with the idea to enforce exact redirect > URI matching at the authorization endpoint. Moreover, it has been > observed that providers very often ignore the redirect_uri check > requirement at this stage, maybe, because it doesn't seem to be > security-critical from reading the spec. Is this appropriate for a BCP (seems like a WG discussion item)? > The authors therefore propose to the working group to drop this > feature in favor of more effective and (hopefully) simpler approaches > to code injection prevention as described in the following section. Section 3.5.1 This seems a bit tentatively worded… > PKCE seem to be the most obvious solution for OAuth clients as it > available and effectively used today for similar purposes for OAuth > native apps whereas "nonce" is appropriate for OpenId Connect > clients. Formatting problem (missing line between paragraphs)? > Note on pre-warmed secrets: An attacker can circumvent the > countermeasures described above if he is able to create or capture > the respective secret or code_challenge on a device under his > control, which is then used in the victim's authorization request. > Exact redirect URI matching of authorization requests can prevent the > attacker from using the pre-warmed secret in the faked authorization > transaction on the victim's device. > Unfortunately it does not work for all kinds of OAuth clients. It is > effective for web and JS apps and for native apps with claimed URLs. > Attacks on native apps using custom schemes or redirect URIs on > localhost cannot be prevented this way, except if the AS enforces > one-time use for PKCE verifier or Nonce values. Phil Oracle Corporation, Identity Cloud Services Architect @independentid www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
- [OAUTH-WG] Comments on draft-ietf-oauth-security-… Phil Hunt
- Re: [OAUTH-WG] Comments on draft-ietf-oauth-secur… Torsten Lodderstedt