Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

Brian Campbell <bcampbell@pingidentity.com> Sun, 04 November 2018 00:13 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 04 Nov 2018 08:13:10 +0800
Message-ID: <CA+k3eCTxrheb8x23H8oYf843wv7irMbjfuYHbY6J8GEBaHdSgQ@mail.gmail.com>
To: John-Mark Gurney <jmg@newcontext.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/D_fw_ew7ol15xdcSpDT2zaO03lg>

That's fair. I'll see if maybe I can piece together some reasonable text
about it and/or will also try to discuss it with the WG this week in
Bangkok.

On Fri, Nov 2, 2018, 3:18 AM John-Mark Gurney <jmg@newcontext.com> wrote:

> I do not have a good enough understanding of OAuth nor how it is used
> in this draft to be able to write a proper security considerations
> section about it.  You mention that the OAuth certification is
> different than one for client cert authentication, but as I don't know
> the standard well enough, I do not know the implications of it.
>
> Even if the paragraph reads something like: Though client certs are
> public in TLS versions 1.2 and before, they are not a privacy concern
> because of x, y and z.  This would allow people who are reviewing it
> to understand why it is not a privacy issue.
>
> I only briefly reviewed this document because a coworker asked about
> it, but I raised this concern because it was not mentioned in the
> security considerations section.
>
> On Thu, Nov 1, 2018 at 7:37 AM Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> >
> > To be honest, I thought that was a relatively well known aspect of TLS
> > 1.2 (and prior) and a noted difference of the new features in TLS 1.3.
> > Also, I'd note that we're well past WGCL for this document. But, with that
> > said, I suppose adding some privacy considerations text on the subject is
> > worthwhile. Would you propose some text for the WG to consider, John-Mark?
> > Bearing in mind that the implications of a certificate presented by, and
> > representing, an OAuth client are somewhat different than for an end-user
> > doing client cert authentication.
> >
> >
> >
> >
> > On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:
> >>
> >> I would suggest that the security considerations section of
> >> draft-ietf-oauth-mtls-12 be expanded to include the privacy
> >> implications of using this on versions of TLS before 1.3.  On all
> >> versions of TLS before 1.3, the client cert is not encrypted and can
> >> be used by third parties to monitor and track users.  I recently
> >> posted a blog entry about this:
> >>
> >> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
> >>
> >> Thanks.
> >>
> >> John-Mark Gurney
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> > privileged material for the sole use of the intended recipient(s). Any
> > review, use, distribution or disclosure by others is strictly prohibited.
> > If you have received this communication in error, please notify the sender
> > immediately by e-mail and delete the message and any file attachments from
> > your computer. Thank you.
>
>
>
> --
> John-Mark Gurney
> Principal Security Architect
>

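The privacy point argued in the thread above, shown on constructed bytes (an added example, not code from the thread, the draft, or either author): in TLS 1.2 and earlier the client's Certificate message is a plaintext handshake record that anyone on the path can parse, while in TLS 1.3 it travels inside an encrypted application_data record. FAKE_CLIENT_CERT is a placeholder DER blob, not a real certificate, and the two sample streams are constructed here.

```python
import struct

HANDSHAKE, APPLICATION_DATA, CERTIFICATE = 22, 23, 11

def records(data):
    """Split a raw TLS byte stream into (content_type, version, body) records."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, ver, data[off + 5:off + 5 + length]
        off += 5 + length

def handshake_messages(body):
    """Split a plaintext handshake record body into (msg_type, msg) pairs."""
    off = 0
    while off + 4 <= len(body):
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield body[off], body[off + 4:off + 4 + length]
        off += 4 + length

def cleartext_certificates(data):
    """DER certificates an on-path observer can read without holding any key.
    TLS 1.2 and earlier send Certificate as a plaintext handshake record;
    TLS 1.3 wraps it in an encrypted application_data record, which is
    opaque here, so such records are skipped."""
    certs = []
    for ctype, _ver, body in records(data):
        if ctype != HANDSHAKE:
            continue
        for mtype, msg in handshake_messages(body):
            if mtype != CERTIFICATE:
                continue
            end, off = 3 + int.from_bytes(msg[:3], "big"), 3  # certificate_list length
            while off < end:
                clen = int.from_bytes(msg[off:off + 3], "big")
                certs.append(msg[off + 3:off + 3 + clen])
                off += 3 + clen
    return certs

def build_tls12_certificate_record(der_certs):
    """Encode a TLS 1.2 Certificate handshake message as a client would send it."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    msg = len(entries).to_bytes(3, "big") + entries
    hs = bytes([CERTIFICATE]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

# Constructed sample: a tiny DER SEQUENCE stands in for the client's X.509 certificate.
FAKE_CLIENT_CERT = bytes.fromhex("3003020101")
TLS12_STREAM = build_tls12_certificate_record([FAKE_CLIENT_CERT])
# TLS 1.3 sends the same message encrypted; the observer sees only an opaque type-23 record.
TLS13_STREAM = struct.pack("!BHH", APPLICATION_DATA, 0x0303, 8) + bytes(8)
```

Running `cleartext_certificates` over the two streams returns the placeholder certificate for the TLS 1.2 stream and nothing for the TLS 1.3 one, which is the difference the thread asks the security considerations to spell out.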