Re: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-06.txt
Joseph Heenan <joseph@authlete.com> Tue, 22 May 2018 18:20 UTC
Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2547B129C6C for <oauth@ietfa.amsl.com>; Tue, 22 May 2018 11:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdUr5o3lB5dk for <oauth@ietfa.amsl.com>; Tue, 22 May 2018 11:20:51 -0700 (PDT)
Received: from mail-wr0-x234.google.com (mail-wr0-x234.google.com [IPv6:2a00:1450:400c:c0c::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 329981201F8 for <oauth@ietf.org>; Tue, 22 May 2018 11:20:51 -0700 (PDT)
Received: by mail-wr0-x234.google.com with SMTP id w3-v6so14150929wrl.12 for <oauth@ietf.org>; Tue, 22 May 2018 11:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=KxgNtCoTf70rBF6Y8DnOnzKyNgYlbe2GKniPQLvckVk=; b=HO5vDufLHkj+smc+0qXuFZ9Qc0mAyclHT2RQSzNbfN+4LQcziuk/BhS29uK6PNS+av p5vq9taueA623fAVbHj4sy9KiocdU7KXQzh2KlioUlrRTakXesrZyysTBc8MjwPqdvm2 cRcwPFHn1D3QDQyanqDADxVBNb6ZRrfYdnevl55xWXLZtFq4uzP2KT+Njtqarr2EN5zg OPHVPIQx/KbH8N61kDj0vusioho2wEPF0qIeBJlDJZu3LKaytpbO1P6fVtHs4TVIsKE5 Qm7tt6XB2ouLhol35woOlSToFqrKI8ayJ4R0aPXRe6keh754Z+SInnBAvS0tFAlgme74 fe3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=KxgNtCoTf70rBF6Y8DnOnzKyNgYlbe2GKniPQLvckVk=; b=gNTdE8GAD06ojSSjG1Ixhq51OdlB9X5DB4sqmJfMYt+y2OmjCsu4+za3r4Y95+Iyvd 9vz0GtNvzK5a9ArYGnLES8AcPDVVLc+sPI5Xw4W4FyBL9bR450mza785+RxYlMRmZhCN O2auK7/nkwLuCeKywbKIgnOKbM/gptjgKch/afO/CBIQKhPFDVfkhRNY805BrChBBnqO 3Y+z2z8dLLD9c6hW5Mr8NOFOVKRJmKPW+bCLKWND0tQoIyPDbTAKrSfGhIrqBpDlPNvO U5EQibGhu6L2iPRYjva7BpYFqIpLKdNMWYpshWpB97zFGe7rl5VTUI65gHMtCVTzZlJq uyvg==
X-Gm-Message-State: ALKqPwcnQMfqm2C/5DVm3oPukaSn14x9AOdUlIZ3zM27w5LI/nZabhKz hu+9iKuov3V+w+kgmwduMS2XpQ==
X-Google-Smtp-Source: AB8JxZp97eAaLQdFqiV1DAykdSq6vz9H5uPv5AVB9/DwrkRLiU3tzjTBbltM4YsjTMW9zsU4IZSbhA==
X-Received: by 2002:adf:9561:: with SMTP id 88-v6mr9931209wrs.264.1527013249551; Tue, 22 May 2018 11:20:49 -0700 (PDT)
Received: from dhcp127.sh2.org.uk (home.heenan.me.uk. [212.159.108.133]) by smtp.gmail.com with ESMTPSA id g192-v6sm624732wmd.36.2018.05.22.11.20.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 May 2018 11:20:48 -0700 (PDT)
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <689F7720-B5D8-4686-A8E1-79E2ABEBEDF1@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1BCDAFBE-FD18-43AE-9DC6-B3B2DC0FF51F"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 22 May 2018 19:20:47 +0100
In-Reply-To: <1fe04f5e-b968-5a6d-efe8-b47da5e28592@free.fr>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
To: Denis <denis.ietf@free.fr>
References: <152681629717.2793.15028642368623108299@ietfa.amsl.com> <34B9FBE9-788E-4B1C-B2A4-08FD14EC2BD5@lodderstedt.net> <1fe04f5e-b968-5a6d-efe8-b47da5e28592@free.fr>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DLzwAG97AP9fidzB2ntZEn1LR1g>
Subject: Re: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2018 18:20:53 -0000
Hi Denis, > On 22 May 2018, at 14:05, Denis <denis.ietf@free.fr> wrote: > In particular, the text states: > > "Clients shall use PKCE [RFC7636] in order to (with the help of the authorization server) detect and prevent attempts > to inject (replay) authorization codes into the authorization response". > > This is incorrect, since RFC7636 should be used when the authorization code is returned from the authorization endpoint > within a communication path that is not protected by Transport Layer Security (TLS). > That is not really the full story as we've seen attacks where URLs that you would expect to be protected by TLS are vulnerable; one example is: https://www.blackhat.com/docs/us-16/materials/us-16-Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf IMHO it would be sane to use PKCE anywhere where a code is returned in the URL and there isn't another proof of possession / token binding mechanism in play. Joseph
- [OAUTH-WG] I-D Action: draft-ietf-oauth-security-… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-secur… Torsten Lodderstedt
- [OAUTH-WG] Comments on draft-ietf-oauth-security-… Denis
- Re: [OAUTH-WG] Comments on draft-ietf-oauth-secur… Joseph Heenan
- Re: [OAUTH-WG] Comments on draft-ietf-oauth-secur… Denis
- Re: [OAUTH-WG] Comments on draft-ietf-oauth-secur… Joseph Heenan