Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

Aaron Parecki <aaron@parecki.com> Sat, 26 August 2023 01:33 UTC

References: <CADNypP_ve-rMFrioC0LS=NowESnTn1LSOU0pV4=K8hht4zy+Nw@mail.gmail.com> <CAODMz5FsmR7mxGuZk5=bOg4zP9PEAHhsWbnK7uvU_Q3ATKuc8g@mail.gmail.com>
In-Reply-To: <CAODMz5FsmR7mxGuZk5=bOg4zP9PEAHhsWbnK7uvU_Q3ATKuc8g@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Sat, 26 Aug 2023 02:32:59 +0100
Message-ID: <CAGBSGjpWB5ynNQM5fLUwd9SoaN8hs-87aiMxPk4km9jVrfLHqw@mail.gmail.com>
To: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IMXs-zhrORh_03jbErTt9S_j7Ik>

Hi Jaimandeep,

As with many OAuth extensions, this is not obligatory to implement unless
you need the functionality it provides. Many of the concerns you mention
are referenced in the security considerations section of the draft already,
and we would of course be happy to further expand that section as
appropriate.

As we presented during the last two IETF meetings, there are many use cases
that would benefit from this draft that currently don't have an
interoperable solution. I would suggest you review those presentation
recordings to better understand the use cases.

Aaron




On Fri, Aug 25, 2023 at 12:31 PM Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org> wrote:

> I do not support the adoption because of the following:
>
> 1. Increased Attack Surface and Information Disclosure: The proposed draft
> inherently expands the attack surface by allowing the retrieval of detailed
> information about the protected resources held with a particular resource
> server, as outlined in section 3.1. We are inadvertently exposing the
> resources supported by the protected resource server. The secondary URIs
> which correspond to each of the protected resources further expand the
> potential attack vectors. To illustrate, if a protected resource server
> supports resources from 1 to 10, and a client requests metadata for all
> these resources, it leads to 11 requests (1 + 10). This exposes a total
> of 11 URIs to potential attackers with information disclosure.
>
> 2. Lack of Client Verification and Potential DDoS Vulnerability: There is
> an absence of client application verification before it accesses the APIs.
> This can lead to the possibility of malicious client applications
> initiating Distributed Denial of Service (DDoS) attacks.
>
> 3. Impact on Processing Time due to Multiple Resources: The need to
> wildcard match/support numerous secondary URIs based on the number of
> protected resources could lead to increased processing time.
>
> 4. Strengthening the Existing System with Adequate Error Codes: Our
> existing OAuth RFC can handle this issue gracefully by incorporating error
> codes. This ensures that, at the very least, access tokens are verified
> before any specific information is disclosed.
>
> Thanks
> Jaimandeep Singh
>
> On Thu, Aug 24, 2023 at 12:32 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> This is an official call for adoption for the *Protected Resource
>> Metadata* draft:
>> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>>
>> Please, reply on the mailing list and let us know if you are in favor of
>> adopting this draft as a WG document, by *Sep 6th.*
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> --
> Regards and Best Wishes
> Jaimandeep Singh
> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>
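The two concerns argued over above (a metadata document that is fetched without any client credential, and an unauthenticated endpoint that could be flooded) both have straightforward defensive handling on each side of the exchange. The following is an added example, not code from the thread, from the draft or from any of its authors: a client-side validator that refuses a metadata document whose `resource` value does not match the identifier it was fetched for, or that points at a non-https authorization server, plus a resource-server handler that answers only the well-known path and applies a per-client token bucket. The well-known path `/.well-known/oauth-protected-resource` and the field names `resource`, `authorization_servers`, `scopes_supported` and `bearer_methods_supported` are taken from the draft as I read it and should be checked against the version being implemented; the sample document, addresses and the rate limiter itself are constructed for this example (the limiter is an illustrative mitigation, not something the draft specifies).

```python
import json
from urllib.parse import urlsplit

# Well-known path the draft specifies for the metadata document
# (assumption: taken from the draft as I read it; confirm against the
# version you implement).
WELL_KNOWN_PATH = "/.well-known/oauth-protected-resource"

# Constructed sample document for this example, not from the draft or the
# thread. Field names follow the draft; values are placeholders.
SAMPLE_METADATA = json.dumps({
    "resource": "https://resource.example.com",
    "authorization_servers": ["https://as.example.com"],
    "scopes_supported": ["read", "write"],
    "bearer_methods_supported": ["header"],
})


class MetadataError(ValueError):
    """Raised when a metadata document must not be trusted."""


def _is_https_url(url):
    # Only https with a host; a fragment has no place in an identifier URL.
    p = urlsplit(url)
    return p.scheme == "https" and bool(p.netloc) and not p.fragment


def validate_resource_metadata(doc_text, expected_resource):
    """Client-side checks before acting on a fetched metadata document.

    - "resource" must equal the identifier the client used to locate the
      document, so a document served for one resource cannot be replayed
      to steer clients of another resource to a different authorization
      server.
    - every entry in "authorization_servers" must be an https URL; the
      client will later send the user there, so it refuses anything else.
    Returns the parsed document; raises MetadataError otherwise.
    """
    if not isinstance(expected_resource, str) or not _is_https_url(expected_resource):
        raise MetadataError("expected resource identifier must be an https URL")
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        raise MetadataError(f"metadata is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise MetadataError("metadata must be a JSON object")
    if doc.get("resource") != expected_resource:
        raise MetadataError(
            f"resource mismatch: expected {expected_resource!r}, got {doc.get('resource')!r}"
        )
    servers = doc.get("authorization_servers", [])
    if not isinstance(servers, list) or not all(
        isinstance(s, str) and _is_https_url(s) for s in servers
    ):
        raise MetadataError("authorization_servers must be a list of https URLs")
    return doc


class MetadataEndpointLimiter:
    """Per-client token bucket for the unauthenticated metadata endpoint.

    The document is static and cacheable, so a small per-address budget
    bounds the cost of request floods without hurting well-behaved
    clients. The clock is passed in explicitly so behaviour is testable.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self._buckets = {}  # client address -> (tokens, last refill time)

    def allow(self, client_addr, now):
        tokens, last = self._buckets.get(client_addr, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_addr] = (tokens - 1.0, now)
            return True
        self._buckets[client_addr] = (tokens, now)
        return False


def serve_metadata(limiter, client_addr, path, now, doc_text=SAMPLE_METADATA):
    """Resource-server handler: returns (status, body) for a metadata request.

    Only the well-known path is answered, and only within the per-client
    budget; nothing beyond the static document is ever disclosed here.
    """
    if path != WELL_KNOWN_PATH:
        return 404, ""
    if not limiter.allow(client_addr, now):
        return 429, ""
    return 200, doc_text


if __name__ == "__main__":
    doc = validate_resource_metadata(SAMPLE_METADATA, "https://resource.example.com")
    print("authorization servers:", doc["authorization_servers"])
    lim = MetadataEndpointLimiter(rate_per_sec=1, burst=2)
    for t in (0.0, 0.0, 0.0, 1.0):
        print(t, serve_metadata(lim, "198.51.100.7", WELL_KNOWN_PATH, t)[0])
```

The `resource` equality check is the one a client cannot skip: the document is unauthenticated, so the only thing binding it to the resource the client cares about is that the identifier inside it matches the one the client started from. The server side disclosed nothing that was not already intended to be public, and the limiter keeps the cost of serving that document bounded per address.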