IETF Logo Mail Archive

Re: [OAUTH-WG] TAuth

Justin Richer <jricher@mit.edu> Wed, 23 November 2016 16:28 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E334F129F0A for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2016 08:28:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.698
X-Spam-Level:
X-Spam-Status: No, score=-5.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nritJH53xAmQ for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2016 08:28:26 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CBA4129F09 for <OAuth@ietf.org>; Wed, 23 Nov 2016 08:28:25 -0800 (PST)
X-AuditID: 1209190c-7b3ff70000003e1f-25-5835c3a84422
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id DF.75.15903.8A3C5385; Wed, 23 Nov 2016 11:28:24 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id uANGSNNx020807; Wed, 23 Nov 2016 11:28:24 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id uANGSLKJ014954 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 23 Nov 2016 11:28:22 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <447103B3-BEEC-4913-AFB2-6F0A19AD77E9@teller.io>
Date: Wed, 23 Nov 2016 11:28:21 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <BAAAD5A4-BC68-4C00-8F06-0240F211F7A3@mit.edu>
References: <447103B3-BEEC-4913-AFB2-6F0A19AD77E9@teller.io>
To: Stevie Graham <sg@teller.io>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLIsWRmVeSWpSXmKPExsUixCmqrLvisGmEQeM3a4sZP46yW3T1bGay eDyzyOLk21dsFqdnNrI7sHrsnHWX3WPJkp9MHqffXmQLYI7isklJzcksSy3St0vgyrg64xJz wXzTij2vNzI2MK7U7mLk5JAQMJHYdfw2axcjF4eQQBuTxN3pR5hBEkICGxklppy2hrAfMkk0 LRAEsZkF1CX+zLsEVsMroCexaf1bJhBbWEBWomnXFlYQm01AVWL6mhawOKeArcSs9z/A6lmA 4rfbvzBCzMmX6F73gBnC1pZYtvA11EwriZ8P9wPZHEB7bSTeTpYBCYsIKEjc6OtjgrhZVuLJ yUUsExgFZiG5aBaSi2YhmbqAkXkVo2xKbpVubmJmTnFqsm5xcmJeXmqRrqFebmaJXmpK6SZG cChL8uxgPPPG6xCjAAejEg/vjDWmEUKsiWXFlbmHGCU5mJREeU9vBArxJeWnVGYkFmfEF5Xm pBYfYpTgYFYS4VXeB5TjTUmsrEotyodJSXOwKInz/nf7Gi4kkJ5YkpqdmlqQWgSTleHgUJLg vXIIqFGwKDU9tSItM6cEIc3EwQkynAdo+DuQGt7igsTc4sx0iPwpRkUpcd77B4ESAiCJjNI8 uF5Qqkl4e9j0FaM40CvCvKtB2nmAaQqu+xXQYCagwZLfjEEGlyQipKQaGDffqmIsuuX9uDbx 4UlHw0MPfddydrJ+f1Yw26vn0Nerz1cf++t+RXjuw/Xf9CyZOy4fZCoOlI6yO3rxmk6Ysk3e adm2/AUrJFXqXbyebtxgtmyyxVf/3ecPWZ6cu0RW33nmjgfz18/bempnXOXfo+cF1T006/6d yu8Uc/ktzO5p9ntRN9fEOSlKLMUZiYZazEXFiQABsjU7EAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B97bfEUJKSsOBogalzACxSthwBs>
Cc: "<oauth@ietf.org>" <OAuth@ietf.org>
Subject: Re: [OAUTH-WG] TAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Nov 2016 16:28:28 -0000

Responses inline.

> On Nov 22, 2016, at 2:14 PM, Stevie Graham <sg@teller.io> wrote:
> 
> Hi,
> 
> Coming across this thread late. I’m the Author of the TAuth post.
> 
> > What I don't understand is that he's saying people disable TLS checks so he's going to solve it with mutual TLS? 
> 
> It’s simple. Mutual TLS enables service providers to assert the peers are properly authenticated and enforce this as a policy. This won’t stop an incompetent developer disabling peer verification but it will stop that developer using the service if they do.

What I’m saying is that it’s a matter of complexity. The argument in the article I read was that deployment of TLS with server verification was difficult for developers. Mutual TLS is several order of magnitude more difficult. Does it give you reasonably strong client authentication? Of course, but when usability and security fight, usability wins. I never argued that it’s less secure, just less usable. The two arguments being made in the TAuth essay are mutually exclusive: “we can’t use this because it’s too hard / we must use this because it’s more secure”. You can’t say something is too difficult to use and then replace it with something even more difficult. 

> 
> > The reason an OAuth 2.0 server does not authenticate _public_ clients is because, by definition, a public client cannot keep its client secret confidential and so client authentication is almost meaningless. <snip> but they don't recognize that their insistence relies on the assumption that a secret key embedded in a client application can be kept confidential.
> 
> This is incorrect. Modern mobile clients are capable of keeping a secret confidential, e.g. the Secure Enclave Processor on modern iOS devices and the Android analogues. The SEP can generate key material and use it to encrypt and sign arbitrary data. Key material is generated within the SEP and cannot be exfiltrated. To me this is the definition of being able to protect its own secrets. The TAuth bearer token analogue is not sensitive at all and cannot be used without the corresponding key material.

You’re conflating configuration time secrets (the lack of which defines public clients) and runtime secrets. The ability for mobile applications to keep per-instance runtime secrets is exactly why we have both Dynamic Registration and PKCE in OAuth. What you’re describing in TAuth is largely analogous to the PoP token efforts here in OAuth.

> 
> > Does adding TOKBIND resolve the issues?
> 
> Feel free to correct me here. I wasn’t that familiar with token binding but after reading the draft IMO it’s inferior to TAuth because it binds tokens to the connection. This necessitates refresh tokens, which I find an impediment to developer experience. TAuth binds tokens to the identity (the cert and pkey) thus can be reused again and again across TLS sessions. Token binding also provides no cryptographic guarantees that the peers are verified and that the connection is private.

Token binding folks, correct me if I’m wrong, but this is my understanding: You don’t require refresh tokens with token binding, as the token can be used across multiple TLS connections to the same resource server. Refresh tokens help with cases where the resource owner isn’t present anymore and the access token is no longer valid. 

There are still a lot of other issues with the premise of TAuth and its marketing. It’s not the technology of binding an access token to a certificate identity — that’s not even that new: I proposed and built that years ago in an OAuth system in the healthcare space. In our case it ended up not working very well because of the complexities of managing mutual TLS and client certificates at the resource servers. We’re moving away from single-API systems and on to complex micro-service architectures with distributed resource servers all protected by a common AS. Keeping client credentials sync’d to such resource servers is difficult, and you’ll need a way to do that. It’s doable, just difficult to deploy.

But the thing is: you can do everything that TAuth can do — and then some — by augmenting OAuth with a few simple things. First, we’ve got a way to bind a certificate to a client, which is being discussed in a current draft here in the WG. The next step would be to tie that keying information to the token itself at issuance, which is covered in PoP architecture. The last step, and only missing step, is a presentation mechanism that binds the access token to the client’s certificate over mutual TLS. If you’re OK with the pain of mutual TLS (which is a huge if), then that part’s not difficult at all and could be written up in a short spec.

Instead, what really bothers me is the misinformation of what makes OAuth insecure and how TAuth fixes those things. The reality is that most of the problems cited for OAuth are deployment decisions (which do have very valid but not universal applicability), and TAuth is really just leaving different doors open for problems. For example, the essay I read states that “OAuth tokens can’t be revoked quickly but TAuth tokens can”. This is just patently false, given that you can deploy OAuth with a shared data store or token introspection and get the same immediate revocation capabilities. It also states that OAuth tokens have to expire but TAuth tokens can live forever — again, this is patently false. OAuth tokens don’t have to expire, but it’s considered good practice for them to do so in order to limit the attack surface. Do you really want a powerful credential sitting around forever? That’s caused many problems in OAuth 1 systems, which is why we built in the assumption of expiration possibilities in OAuth 2 and the refresh token mechanism (which is not a bearer token, mind you, and has a completely different attack surface). And if you’re going after developers who can’t get server-side TLS right (as per the introduction of the article), those same developers have exactly zero chance of getting mutual TLS right. 

In the end, I welcome you to contribute TAuth to the working group here and hopefully have it adopted into the OAuth ecosystem. 

 — Justin

v2.23.0 | Report a Bug | By Email