Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq
Denis <denis.ietf@free.fr> Tue, 03 January 2017 16:52 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 538A412968E for <oauth@ietfa.amsl.com>; Tue, 3 Jan 2017 08:52:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vthmuUVS0nal for <oauth@ietfa.amsl.com>; Tue, 3 Jan 2017 08:52:23 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CF1112965A for <oauth@ietf.org>; Tue, 3 Jan 2017 08:52:23 -0800 (PST)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 2676D7803DC for <oauth@ietf.org>; Tue, 3 Jan 2017 17:52:20 +0100 (CET)
To: oauth@ietf.org
References: <CAHbuEH4Vxdda4yUH932GEZjEiLi1KdYU9_1MLoLAn_AZA=41Yw@mail.gmail.com> <CABzCy2BoAYtpsbU6Pi3rimVOdQcsop=P5k3-+9BLoNXmi8Pc9w@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <aad3663c-aed1-61d9-5356-58c1e6f94bd2@free.fr>
Date: Tue, 03 Jan 2017 17:52:22 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2BoAYtpsbU6Pi3rimVOdQcsop=P5k3-+9BLoNXmi8Pc9w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------105FC74356C43C7F3AEF10A8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Bi0IlcLGWgN3R1_3rSwbxrqFvfE>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2017 16:52:26 -0000
Hello, I have only recently subscribed to this mailing list and hence I was not present when the WGLC was launched on this document. I have several concerns and comments about this draft : *1°. The draft will be unable to move to Draft Standard* The Intended status of draft-ietf-oauth-jwsreq is Standards Track. RFC 5657 states: Advancing a protocol to Draft Standard requires documentation of the *interoperation *and implementation *o**f the protocol.* The goal of RFC standard Track document is define *interoperable protocols, *hence not simply to define the syntax of a request leaving dozens of possibilities about the treatment of the parameters that may be included in the request to the AS. Generally speaking, the text is silent about the treatment of _every_ parameter of the JAR. In particular, what kind of verification and processing SHALL be done by the Authorization Server on "aud", since both "iss" and "aud" SHOULD be present (see page 6) in the Authorization Request. The document currently fails to *clearly indicate which parameters of the JAR are used by the Authorization Server to validate the JAR itself and which parameters are used to build the requested access token*. For example, is the "aud" parameter supposed to identify the AS or the RS ? This means that the text should be sufficiently clear so that two different implementations can interoperate. This will not be the case if the text stays like this. The goal of Standard Tracks RFCs is not to define frameworks but *interoperable protocols.* In addition to this major concern, I have other concerns: *2°. Security consideration: the Alice and Bob Collaboration attack (ABC attack)* Since the time RFC 6819 was written, a new kind of attack has been mentioned on the WG mailing list: the ABC attack (*Alice and Bob Collaboration attack*) where Bob accepts to collaborate with Alice to get an access token that Alice will then be able to use. There is no external attacker, but only two users who agree to collaborate to cheat an application server. It is a major problem typically when an access token only contains a claim like "older then 18". This kind of attack is not mentioned in this draft, nor if it can be countered in the context of RFC 6749 (OAuth 2.0 Authorization Framework). It would not be reasonable to consider the Alice and Bob Collaboration attack as being out of scope of the OAuth 2.0 Authorization Framework; or ... if it is, this should be clearly stated in the abstract and in the security considerations section. But in the later case, this would be as if a security hole would be left out of the scope of the OAuth 2.0 Authorization Framework. OAuth was designed from a perspective that there is a trust relationship between the AS and RS so that things like AT token format were left unspecified. This is a major design error. As long as the AT token format will be left unspecified, it will not be possible to counter the ABC attack. JAR is applicable to all kinds of OAuth authorization request. It is considered as just another kind of encoding instead of query parameters. In case query parameters are being transmitted within the URL, the ABC attack remains. So the ABC attack is not specific to this document only, but to all this series of documents. :-( Readers might think that the authentication of authorization requests solves one left opened security issue but in practice it does not. Hence, this document can mislead many readers. IMO, in order to counter the ABC attack it is first necessary to specify one or more token syntax and the trust relationships : -between the token requestor and the AS, -between the AS ands the RS, and -between the token requestor and the RS, The global security picture is governed by: -the two ways protocol between the token requestor and the AS, as well as the format the access token request and the processing of each of its parameters by the AS, -the construction of each of parameter of the access token by the AS, -the two ways protocol between the token requestor and the RS, as well as the format of the access token itself and the validation of each of its parameters by the RS, *3°.**Privacy consideration: Authorization Servers may be able to act as Big Brother* Section 11 (Privacy Considerations) does not contain text to explain that an Authorization Server might be able to act as Big Brother if it is able to know where each access token it issues will be used. The use of a audience parameter without any semantics in it should be recommended. Other people have already pointed it out. Basically, in this context, trust means that a user A trusts a server /_B for doing some actions C_/ (and not for any kind of action). Thus, a user A can trust a server B to provide him with a subset of his attributes in an access token but he does not necessarily trust that same server B to keep private the list of the servers where he will use this access token (if B would be in a position to know the identity of these resource servers). OpenID Connect is based on OAuth 2.0. OpenID Connect does either take into consideration this privacy issue. *4°. Minors issues (when compared to the others):* 1) The abstract states: While it is easy to implement, it means that (a) the communication through the user agents are not integrity protected and thus the parameters can be tainted, and (b) the source of the communication is not authenticated. (...) This document introduces the ability to send request parameters in a JSON Web Token (JWT) instead, which allows the request to be JWS signed and/or JWE encrypted so that the integrity, source authentication and confidentiality property of the Authorization Request is attained. Since the main purpose is integrity protection and authentication, the JAR SHALL be signed and MAY be encrypted. Replace with: (...) which allows the request to be JAR to be signed and optionally encrypted (...) 2) On page 9 the text states: The authorization request object MUST be either (a) JWS signed; or (b) JWE encrypted; or (c) JWS signed and JWE encrypted. This should be replaced by: The authorization request object MUST be either (a) JWS signed; (b) JWE encrypted (when secret keys are being used); or (c) JWS signed and JWE encrypted. 4) On page 14, in section 6.3, the text states: the Authorization Server then validates the request as specified in OAuth 2.0 [RFC6749]. This is rather vague, since no specific section from RFC 6749 is being pointed at.RFC 6749 is a framework with many options. In the context of this draft, it would be beneficial to indicate which kind processing of the JAR parameters shall be done by the Authorization Server. This issue clearly relates to the first major issue: interoperability. Denis
- [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq Kathleen Moriarty
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Nat Sakimura
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Kathleen Moriarty
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Denis
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Nat Sakimura
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… John Bradley
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Nat Sakimura
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Benjamin Kaduk
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Denis
- Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsr… Kathleen Moriarty