IETF Logo Mail Archive

Re: [OAUTH-WG] Signed JWK Sets

Neil Madden <neil.e.madden@gmail.com> Thu, 11 April 2024 21:15 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 259B9C14F747 for <oauth@ietfa.amsl.com>; Thu, 11 Apr 2024 14:15:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVKkmlDhPRPX for <oauth@ietfa.amsl.com>; Thu, 11 Apr 2024 14:15:32 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ED6DC14F739 for <oauth@ietf.org>; Thu, 11 Apr 2024 14:15:32 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id ffacd0b85a97d-346407b8c9aso98308f8f.0 for <oauth@ietf.org>; Thu, 11 Apr 2024 14:15:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712870130; x=1713474930; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=DQbH98FzlcL3n9dXr9c1LHc1LndA3wb3PvpbdAjDDlc=; b=kir51Muu+JE+d34o9cvOLl11dl5Cz40kAai3btrHRvK24ILJds8hbmCt08szF/Wf/N ToFH2UTgeDZjlRCc6Fd82rY1ceS+dBk9BlgSjV1Npx062h0bbpp9CTCiFhWaqgK/i3aL gixPWL4sfYMEqQsCLZE152xFVIeSbrNX2bbcr4SdKRnRoECNuDuWy0tP/+QYpYFlpDNP a8/glo5nHsxPP9YJVWjIvRjEYQLuCd3ITg2PiuMLTe+9V8eWhDn1wIqjVT0vMUiEEltb tR3L+k0PYkgtvUkajdX82RZUG9jn8UwNt90BhlCbV0WA6jqrdRKWrxr01F5avQd8+u92 FzXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712870130; x=1713474930; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DQbH98FzlcL3n9dXr9c1LHc1LndA3wb3PvpbdAjDDlc=; b=ItfwJQv/lqT/SKQkkw5jS9OlHDfxJRw3wwxD8EUpBaKdoE/tw/vMBrffGvVoAOi2Cb AnyMJS1Fmx5K5bKk34xOGl0in+9MPG4l7ctlCPLL3Mm7D5llhpX3Oz41qEYwt+RMMtdp 27Wrtf+E+jhF+4sIwoRLApAdTRu+HB2fCGO4jHzMGePX2dnX2lyHKv63vvsQtzU990H0 c7sRzAIAv1/kiaQhLsDuAbHNB+3sjPHzTvjpZXRWGBUI64xDPcxBBjoNItvs/jWhVsX2 jU/7ufmtZzmzmhwS2Rk39gglk9lup3F5jtjgC0bNwVTqo0bv5W6fZTyy+JqnJM0p1AxD 7t7g==
X-Gm-Message-State: AOJu0Yx1wHoZ7D2YkI2Fu1zyOFLQ0Up0Xe6O5CZMB3MVmUlJDFHJn7mD yGvLCV07vWkiSbS/NqLX5C8+yN/a9i/Xk34FMANK6/IbQxuZOHGnTBoEvsXj
X-Google-Smtp-Source: AGHT+IEDiukE6VsCyr93JCpAEvvMrS+5eASvWtW4T35dBLfGLNCTkrCPH/Gk3wjaFWqwLORywCMLsA==
X-Received: by 2002:a05:600c:314d:b0:417:4ff3:391c with SMTP id h13-20020a05600c314d00b004174ff3391cmr609104wmo.3.1712870129887; Thu, 11 Apr 2024 14:15:29 -0700 (PDT)
Received: from smtpclient.apple (234.243.159.143.dyn.plus.net. [143.159.243.234]) by smtp.gmail.com with ESMTPSA id jg25-20020a05600ca01900b004169836bf9asm6528854wmb.23.2024.04.11.14.15.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Apr 2024 14:15:29 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <7D922D5F-5277-4884-820E-35DC3E02FCB3@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_538B6879-51C2-45F6-977C-F5461F69AE83"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Date: Thu, 11 Apr 2024 22:15:28 +0100
In-Reply-To: <CAEM=y+WEgqLa7+0jreqHTK2UjueEWU+hJ05peuO6wSzyQ4WN=Q@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>, Sharon Goldberg <goldbe@bastionzero.com>
To: Ethan Heilman <eth3rs@gmail.com>
References: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com> <CAL02cgQG4Fhn2zCmq0EFLJReB_jf257msdM9OEgYr03n6D1qRg@mail.gmail.com> <CAEM=y+WEgqLa7+0jreqHTK2UjueEWU+hJ05peuO6wSzyQ4WN=Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B_IugW-92i6by0aOIIi4iMFYplE>
Subject: Re: [OAUTH-WG] Signed JWK Sets
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 21:15:36 -0000

On 11 Apr 2024, at 01:12, Ethan Heilman <eth3rs@gmail.com> wrote:
> 
> I want to voice my support for this draft: Proof of Issuer Key Authority (PIKA). The ability to reason about the past validity of JWKS is extremely useful for using OIDC in signing CI artifacts and e2e encrypted messaging.This includes what we are building at OpenPubkey (github.com/openpubkey/openpubkey <http://github.com/openpubkey/openpubkey>) and also proposed security improvements to software supply chain systems like SigStore (https://arxiv.org/pdf/2307.08201.pdf <https://arxiv.org/pdf/2307.08201.pdf>).
> 
> I want to underscore the value of PIKA to increase the security of JWKS URIs and OpenID Connect. Currently if an attacker compromises an OpenID Provider's JWKS URI the attackers can substitute their own public keys and impersonate any user to any relying parties who depend that OpenID Provider. The effects of Google, Microsoft or Okta's JWKS URI being controlled by a malicious party for even a few minutes could be devastating. The widespread deployment of PIKA would remove this risk and require that attackers compromise not only the JWKS URI but also the PIKA signing keys.

I'm still digesting this draft, and generally supportive of it. However, I don't think it stops the attack you mention here, which sounds similar to threats that Ryan Sleevi discussed for FastFed in [1]. Essentially, in the current OIDC model, an attacker that briefly compromises the jwks_uri of an OP (e.g. through a mis-issued TLS cert) can serve a JWK Set containing public keys under their own control with a long Cache-Control header. Clients then might blindly cache that key set even beyond the time when the certificate is revoked and the rightful owner restored.

But I think this attack is basically the same even with PIKA. The attacker in this case just uses their mis-issued cert to sign the PIKA and serve that instead, perhaps putting a really long "exp" claim in it so that clients cache it for a really long time. The only thing that would stop that is if the draft insisted that clients regularly perform an OCSP or CRL lookup on the cert in the x5c chain to make sure it hasn't been revoked. But that would completely negate the benefits of avoiding clients all hitting the OP jwks_uri: we've just shifted the burden from the OP to the CA.

Perhaps I'm missing something?

[1]: https://docs.google.com/document/u/1/d/e/2PACX-1vQQ-FhNjW0ZhZVTnK1VG_87IBNZKBaJmweYZb1VBRdQCMAWXekqKfxdNl8wL6FWFDJ9pxXxpr66-GZp/pub?utm_source=illuminatedsecurity&utm_medium=email <https://docs.google.com/document/u/1/d/e/2PACX-1vQQ-FhNjW0ZhZVTnK1VG_87IBNZKBaJmweYZb1VBRdQCMAWXekqKfxdNl8wL6FWFDJ9pxXxpr66-GZp/pub?utm_source=illuminatedsecurity&utm_medium=email> 

-- Neil

v2.23.0 | Report a Bug | By Email