Re: [OAUTH-WG] Refresh tokens in Security BCP -15
Aaron Parecki <aaron@parecki.com> Mon, 06 April 2020 13:59 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FF723A0140 for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 06:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVw3nKm0zLZX for <oauth@ietfa.amsl.com>; Mon, 6 Apr 2020 06:59:42 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87B8C3A012A for <oauth@ietf.org>; Mon, 6 Apr 2020 06:59:41 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id t11so14762314ils.1 for <oauth@ietf.org>; Mon, 06 Apr 2020 06:59:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L+G4eNM21YKrbigQFAMb6zUn5s3bjTAJmCzztPLNK+E=; b=UBRfUmd3QIcFCxw8w1qjW6cc9mf6KvU9u33YK/7EJSjsDiIIDrCsEs9ZlknIdz5b5u ogkBOMhdUp1S8e2WfNR1tgVqPnB+9HaneNHHKvRcqP+MplgB85+frin+gyIB8WZUXAOd 4DB7HI5+J6/qO6PEKiL92Q1w13FwFovFXi5gxKJIj6oXOsGItEWr6hF4GJAStAvhMzoS tfgXHMeMNaZaiB/hCX8IOX7ea2oSHx2fk740lHd+UOwD7ov5UvDlGR1uZkpViqmgCztp PtqYyBVhiIY4fUcJX1Q1Il9fXYR67oy22KnbiDjA6JwEztfd7uVKkZp2UyCP52r4ikXE SPoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L+G4eNM21YKrbigQFAMb6zUn5s3bjTAJmCzztPLNK+E=; b=mNblJQijovsNsUXmixGvnPbhCSqBYlHN7+yR/GHao9EUd/YmJKGtXYnsh1r/RD5Snl 8M95h+KjwkVJxd/o/bc6pYuPUb1GoU6y+c5akzPzoja6sG78ev3apL0C2VIH+Pl7K6l0 JxmA6l4PKfShAS6wMJDjEji0VHkcQfJ/8aATOjVsEDf2QM5cc+5vXsvrJYUU6cjVE0BF TVcYteJaoLnHoKrMKrFT2jIDK+xkWz1AwCT5Fvd0TPSc/YM2St0VKChLdWqFi5dP4xjk vx+9lbJlVVgf+ulNAW4zJGFwopvsZi5JTSgV+pxmsc0XNuGVPPubftKMbC5lJi4xtvgX NKrA==
X-Gm-Message-State: AGi0PuYsogBSiJK87jmBDtppyJN889Ox2FKRUZr/Vkb+9wlyBaYgqNAP 0IQrgEiRWJFRGS6+1jQ1iNbJRQogq+k=
X-Google-Smtp-Source: APiQypJEN2DsdktuR0fQx1ke8bMZaw5pLdU4Mvpia7MJHtqWFdKWqQ3GhCjyRMJLBmKs+CfHVFu5gA==
X-Received: by 2002:a92:c00e:: with SMTP id q14mr19804278ild.124.1586181580738; Mon, 06 Apr 2020 06:59:40 -0700 (PDT)
Received: from mail-io1-f52.google.com (mail-io1-f52.google.com. [209.85.166.52]) by smtp.gmail.com with ESMTPSA id e62sm5981033ill.52.2020.04.06.06.59.39 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Apr 2020 06:59:39 -0700 (PDT)
Received: by mail-io1-f52.google.com with SMTP id i3so15789510ioo.13 for <oauth@ietf.org>; Mon, 06 Apr 2020 06:59:39 -0700 (PDT)
X-Received: by 2002:a5d:9cc3:: with SMTP id w3mr6450569iow.14.1586181579203; Mon, 06 Apr 2020 06:59:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjpuZkie-oHe4W70K1MP1fancSEMuyiqvTgBc=KcJQX4ow@mail.gmail.com> <d7e00273-b8d4-4921-6634-4c2720279f4b@danielfett.de>
In-Reply-To: <d7e00273-b8d4-4921-6634-4c2720279f4b@danielfett.de>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 06 Apr 2020 06:59:28 -0700
X-Gmail-Original-Message-ID: <CAGBSGjr3_nrpMbkpkGgz0XzicyCUnAQNhfkwecTj1CCSzQXGGA@mail.gmail.com>
Message-ID: <CAGBSGjr3_nrpMbkpkGgz0XzicyCUnAQNhfkwecTj1CCSzQXGGA@mail.gmail.com>
To: Daniel Fett <fett@danielfett.de>
Cc: OAuth WG <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary="00000000000093ee1005a29fadf3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AmJnysJvJ6EyiHDmEsuaY-ZdchA>
Subject: Re: [OAUTH-WG] Refresh tokens in Security BCP -15
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 13:59:45 -0000
Keeping the details in section 4 makes sense. I think why I was confused is that there isn't a subheader in section 2 for refresh tokens so it's not immediately obvious until you get to section 4. What about adding a new subhead in section 2 with just that short summary and referring to section 4 for details? Aaron On Mon, Apr 6, 2020 at 12:24 AM Daniel Fett <fett@danielfett.de> wrote: > Hi Aaron, > > Am 05.04.20 um 21:24 schrieb Aaron Parecki: > > I believe the document would flow better if section 4.12 about Refresh > Tokens were moved into section 2. The Refresh Token section contains > descriptions of some pretty significant normative behavior, and I worry > that it will get lost in the long list of attacks and mitigations. > > Section 2 starts with a description: "This section describes the set of > security mechanisms the OAuth working group recommends to OAuth > implementers.", and the whole section on refresh tokens seems like a pretty > significant recommendation. > > So far the approach was to keep the recommendations in Section 2 rather > brief and to have the details in Section 4. I would like to keep it that > way. > > The Refresh Token section in Section 4 has a lot of discussion that puts > the recommendations in context. Section 2 refers to that section with the > sentence "Refresh tokens MUST be sender-constrained or use refresh token > rotation as described in Section 4.12.". It catches the main normative > change and refers Section 4 for details. > > I propose to just highlight that sentence a little bit more (make it its > own paragraph). > > -Daniel > -- ---- Aaron Parecki aaronparecki.com @aaronpk <http://twitter.com/aaronpk>
- [OAUTH-WG] Refresh tokens in Security BCP -15 Aaron Parecki
- Re: [OAUTH-WG] Refresh tokens in Security BCP -15 Aaron Parecki
- Re: [OAUTH-WG] Refresh tokens in Security BCP -15 Daniel Fett