Re: [OAUTH-WG] [Editorial Errata Reported] RFC6819 (4267)

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 01 March 2015 10:13 UTC

Message-ID: <54F2E645.8030003@lodderstedt.net>
Date: Sun, 01 Mar 2015 11:13:25 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: RFC Errata System <rfc-editor@rfc-editor.org>, mark.mcgloin@ie.ibm.com, phil.hunt@yahoo.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com, Hannes.Tschofenig@gmx.net, derek@ihtfp.com
References: <20150209201010.C43A6180092@rfc-editor.org>
In-Reply-To: <20150209201010.C43A6180092@rfc-editor.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ChGsOETcuHnfAVpvR6uHpHvnG10>
Cc: david.gladstone@nib.co.nz, oauth@ietf.org
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6819 (4267)

Hi all,

@David: Thanks for reporting this issue.

Mark, Phil and I discussed the erratum and came to the following conclusion:

The introduction is correct because this section is about "DoS Attacks 
That Exhaust Resources" caused by the fact that the AS creates a 
nontrivial amount of entropy for every token. BUT one recommended 
counter-measure is

- The authorization server should include a nontrivial amount of entropy 
in authorization "codes"

which definitely does not make sense because it recommends doing what 
the AS already does (and what enables this attack angle).

Our recommendation as authors is to remove this bullet.

kind regards,
Torsten.

On 09.02.2015 at 21:10, RFC Errata System wrote:
> The following errata report has been submitted for RFC6819,
> "OAuth 2.0 Threat Model and Security Considerations".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6819&eid=4267
>
> --------------------------------------
> Type: Editorial
> Reported by: David Gladstone <david.gladstone@nib.co.nz>
>
> Section: 4.4.1.11
>
> Original Text
> -------------
> If an authorization server includes a nontrivial amount of entropy
>
> Corrected Text
> --------------
> If an authorization server includes a trivial amount of entropy
>
> Notes
> -----
> The threat being described outlines a scenario where too little entropy is involved; countermeasures include using non-trivial amounts of entropy.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6819 (draft-ietf-oauth-v2-threatmodel-08)
> --------------------------------------
> Title               : OAuth 2.0 Threat Model and Security Considerations
> Publication Date    : January 2013
> Author(s)           : T. Lodderstedt, Ed., M. McGloin, P. Hunt
> Category            : INFORMATIONAL
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>