Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

Mike Jones <Michael.Jones@microsoft.com> Mon, 23 April 2018 19:20 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08
Date: Mon, 23 Apr 2018 19:20:09 +0000
Message-ID: <DM5PR00MB0296F09166551B8D649225AEF5890@DM5PR00MB0296.namprd00.prod.outlook.com>
References: <CABcZeBMWdZ4q8N0X4QrGQhkEVs8_38Tqa8Fou+oVP1tYoJ0aXg@mail.gmail.com> <BL0PR00MB0292EB90294DE62DEF6BDF43F5B20@BL0PR00MB0292.namprd00.prod.outlook.com> <CABcZeBP1JvFiMsx4ipR6bGCu219WHN+fFbufF3F_fhYFsP_WJA@mail.gmail.com>
In-Reply-To: <CABcZeBP1JvFiMsx4ipR6bGCu219WHN+fFbufF3F_fhYFsP_WJA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OOrDUSH8mEbD3xD8HRnnxQTDhzM>
Subject: Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09 Sections 5.2 and 5.3 contain the confused deputy attack updates described in John’s response during London.

                                                                -- Mike

From: Eric Rescorla <ekr@rtfm.com>
Sent: Friday, April 13, 2018 7:37 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

Thanks for the quick followup. I will take a look at the next version

-Ekr


On Fri, Apr 13, 2018 at 6:06 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
We still need to add the text addressing the points described in John Bradley’s reply to you sent while in London.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Friday, April 13, 2018 6:00 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

Hi folks,

I just looked at the -08 diffs and I see a new section on brute forcing the token
but not describing the confused deputy attack. Did I miss something, or were you
still planning to add more text?

Thanks
-Ekr