Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

John-Mark Gurney <jmg+oauth@newcontext.com> Thu, 01 November 2018 21:01 UTC

References: <CALgdmdsoj9uaVyha5x7anxt4iU_0f8FqyfjNH00Syd-MKSQ_UQ@mail.gmail.com> <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com>
In-Reply-To: <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com>
From: John-Mark Gurney <jmg+oauth@newcontext.com>
Date: Thu, 01 Nov 2018 14:01:33 -0700
Message-ID: <CALgdmdu+H5vbjTj9W=kq1JL3i_UvvURR=A6N7WEW4P3evxR3yw@mail.gmail.com>
To: bcampbell@pingidentity.com
Cc: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DOxuYrWLUbk8oI-ckFHyrGOYyC8>

I do not have a good enough understanding of OAuth nor how it is used
in this draft to be able to write a proper security considerations
section about it.  You mention that the OAuth certification is
different than one for client cert authentication, but as I don't know
the standard well enough, I do not know the implications of it.

Even if the paragraph reads something like "Though client certs are
public in TLS versions 1.2 and before, they are not a privacy concern
because of x, y and z," this would allow people who are reviewing it
to understand why it is not a privacy issue.

I only briefly reviewed this document because a coworker asked about
it, but I raised this concern because it was not mentioned in the
security considerations section.

On Thu, Nov 1, 2018 at 7:37 AM Brian Campbell
<bcampbell@pingidentity.com> wrote:
>
> To be honest, I thought that was a relatively well known aspect of TLS 1.2 (and prior) and a noted difference of the new features in TLS 1.3. Also, I'd note that we're well past WGCL for this document. But, with that said, I suppose adding some privacy considerations text on the subject is worthwhile. Would you propose some text for the WG to consider, John-Mark? Bearing in mind that the implications of a certificate presented by, and representing, an OAuth client are somewhat different than for an end-user doing client cert authentication.
>
> On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:
>>
>> I would suggest that the security considerations section of
>> draft-ietf-oauth-mtls-12 be expanded to include the privacy
>> implications of using this on versions of TLS before 1.3.  On all
>> versions of TLS before 1.3, the client cert is not encrypted and can
>> be used by third parties to monitor and track users.  I recently
>> posted a blog entry about this:
>> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
>>
>> Thanks.
>>
>> John-Mark Gurney
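The point of the thread is that in TLS 1.2 and earlier the client's Certificate handshake message is sent in a plaintext handshake record, while TLS 1.3 carries it inside encrypted records, so only the older versions let a passive observer read the certificate. The following is an added example, not code from the thread, from draft-ietf-oauth-mtls, or from the linked blog post: an audit helper that walks the TLS record layer (RFC 5246 section 6.2, RFC 8446 section 5.1) of a captured client flight and reports any certificate that is visible in the clear, so a deployer of mTLS-bound OAuth clients can confirm from a capture of their own client whether it is exposed. The sample flights, the fake DER blob and the function names are constructed for the example.

```python
"""Audit helper: does a captured TLS flight from one of our own mTLS
clients expose its certificate in cleartext?

Parses TLS record framing and handshake message headers. Under TLS 1.2
and earlier the client Certificate message (handshake type 11) travels in
a plaintext handshake record (content type 22); under TLS 1.3 it is
carried inside encrypted application_data records (content type 23), so
a passive observer sees only ciphertext. All sample bytes are constructed.
"""
import struct

CONTENT_HANDSHAKE = 0x16
CONTENT_APPLICATION_DATA = 0x17
HS_CERTIFICATE = 11


def iter_records(data: bytes):
    """Yield (content_type, legacy_version, fragment) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, off)
        frag = data[off + 5: off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, frag
        off += 5 + length


def iter_handshake_messages(fragment: bytes):
    """Yield (handshake_type, body) from a plaintext handshake fragment."""
    off = 0
    while off + 4 <= len(fragment):
        htype = fragment[off]
        length = int.from_bytes(fragment[off + 1: off + 4], "big")
        body = fragment[off + 4: off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length


def exposed_certificates(data: bytes):
    """Return the DER certificates readable in cleartext in this flight."""
    found = []
    for ctype, _version, frag in iter_records(data):
        if ctype != CONTENT_HANDSHAKE:
            # application_data, including TLS 1.3's encrypted handshake, is opaque
            continue
        for htype, body in iter_handshake_messages(frag):
            if htype != HS_CERTIFICATE:
                continue
            # TLS 1.2 Certificate body: uint24 list length, then uint24-prefixed entries
            total = int.from_bytes(body[0:3], "big")
            off = 3
            while off < 3 + total:
                clen = int.from_bytes(body[off: off + 3], "big")
                found.append(body[off + 3: off + 3 + clen])
                off += 3 + clen
    return found


def audit(flight: bytes) -> str:
    """One-line verdict for a captured client flight."""
    certs = exposed_certificates(flight)
    if certs:
        return f"EXPOSED: {len(certs)} client certificate(s) visible in cleartext"
    return "OK: no client certificate visible in cleartext"


# --- constructed sample input -------------------------------------------
def _record(ctype: int, fragment: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment


def _certificate_message(certs) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# A fake DER SEQUENCE stands in for a real client certificate.
FAKE_CLIENT_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 256
# TLS 1.2: the client's Certificate goes out in a plaintext handshake record.
TLS12_CLIENT_FLIGHT = _record(CONTENT_HANDSHAKE, _certificate_message([FAKE_CLIENT_CERT]))
# TLS 1.3: the same message is wrapped in an encrypted application_data record.
TLS13_CLIENT_FLIGHT = _record(CONTENT_APPLICATION_DATA, b"\x5c" * 300)

if __name__ == "__main__":
    print("TLS 1.2 flight ->", audit(TLS12_CLIENT_FLIGHT))
    print("TLS 1.3 flight ->", audit(TLS13_CLIENT_FLIGHT))
```

Feeding the parser the reassembled TCP payload of a real capture from one of your own clients gives the same verdict as the constructed samples: a TLS 1.2 mTLS client shows its certificate in the clear, a TLS 1.3 client does not. The mitigation the thread points at is therefore to require TLS 1.3 on the client side for certificate-bound OAuth flows where the certificate identifies something worth protecting.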