Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00
Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Wed, 19 May 2021 06:45 UTC
Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D493A2082 for <oauth@ietfa.amsl.com>; Tue, 18 May 2021 23:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWD57FRqUbhM for <oauth@ietfa.amsl.com>; Tue, 18 May 2021 23:45:35 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 607DF3A207D for <oauth@ietf.org>; Tue, 18 May 2021 23:45:33 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id r12so12732525wrp.1 for <oauth@ietf.org>; Tue, 18 May 2021 23:45:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to; bh=gk95+NL/StjVZvB5e0TuATvOMCQA1Qn5/FYjJld4jEs=; b=rBiavcQwYT65EJJSg7C1Q53+LMfzFO5g0wkA+IVjuN0f3ja/pJt+G8uV4GWWM3FdcR zELkSqKO5iyZk6UISc6emwXKZP7q2wQUXp2fPxB148Y5Ie9X01AlUcP4bmtWjkgiFezb z8AfG9Z6eqUGMDBmiFO9EqrELQRNCDtZ3HQfY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=gk95+NL/StjVZvB5e0TuATvOMCQA1Qn5/FYjJld4jEs=; b=BoMhLd+5ZQx8SOmeCAF9xvGiz6ap1Zgea3n4OZfPde6kGMvWpLh9h7N+HteCWN9LNO UxLd5zvSKxeCfexsZyYNm2rCM8W4wmP55TaWd3Aa92LAk+7uainK9GhHy14cmL+Ndqpa 4NGkIx/OTW0AftZf0iLZo+fxFDA9zPgnO7D/Ocrf9pNdwm/oEVhu//04Wwr0F2Snvq6W a7MyFvNNp9dl2AvxFljfBlnzViroRHGC881yxAXTxe2WrJs9IPmsVegp2wBSxOwcJPjr FNNmRc7Q4e/IRM3sGkyX6ctKMuP2o3TYVtGspFZYmBuTSfx/RRwa98ZaPoeEWvgQexBn CMDA==
X-Gm-Message-State: AOAM530xlnLyLcHxtZpzvEDn2T0+D882XdsiWOqnOHjYHbVb5IHwRBAr whBIht2uWtrCaF7bHxtATYX04/hdDNhfuCYy
X-Google-Smtp-Source: ABdhPJzEaBIloAboDC40s6GZvtGAFD3ruJ1ounPE8pPmd5XsX1/mFjG5nOJrt/0O/WcLmnvXFh64oA==
X-Received: by 2002:adf:e684:: with SMTP id r4mr12235140wrm.378.1621406729901; Tue, 18 May 2021 23:45:29 -0700 (PDT)
Received: from [192.168.137.22] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id g66sm19675795wma.11.2021.05.18.23.45.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 May 2021 23:45:28 -0700 (PDT)
To: Brian Campbell <bcampbell@pingidentity.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
References: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de> <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com> <CA+k3eCQboyohxe=u8wxtA9RyVhy=E4sMDkdsn76x3Xk19asVMA@mail.gmail.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Message-ID: <b70f1d84-f395-9272-754d-61becb8e9aec@hackmanit.de>
Date: Wed, 19 May 2021 08:45:27 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQboyohxe=u8wxtA9RyVhy=E4sMDkdsn76x3Xk19asVMA@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gEerWBGmLd406EODtbtHr5yWOUDcmCDCy"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IMZlUvdLHXsmGmAm6f-_ZD6xzkU>
Subject: Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 06:45:40 -0000
Hi Brian, thank you for your feedback. I agree that the language is too strong here. What do you think about this new note? > Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 > (JARM)" [JARM] defines a mechanism that conveys all authorization > response parameters in a JWT. This JWT contains an iss claim that > provides the same protection if it is validated as described in > Section 2.4. Therefore, an additional iss authorization response > parameter as defined by this document MUST NOT be used when JARM is used. Best regards, Karsten On 15.05.2021 00:35, Brian Campbell wrote: > Overall it looks pretty good to me. > One little nit is that I don't love this text from the end of sec 2.4 > that talks about JARM: > > 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 > (JARM)" [JARM] forbids the use of additional parameters in the > authorization response. Therefore, the iss parameter MUST NOT be used > when JARM is used. However, JARM responses contain an iss claim that > provides the same protection if it is validated as described in > Section 2.4.' > > JARM doesn't exactly forbid additional parameters but rather just > wraps up all the authorization response parameters as claims in a JWT > which is itself sent as a single form/query/fragment parameter. So > really the iss authorization response parameter of this draft is still > sent as a claim of the JARM JWT. It just happens to be the same as the > iss claim value that JARM is already including. > > On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef > <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote: > > All, > > We have not seen any comments on this document. > Can you please review the document and provide feedback, or > indicate that you have reviewed the document and have no concerns. > > Regards, > Rifaat & Hannes > > > On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen > <karsten.meyerzuselhausen@hackmanit.de > <mailto:karsten.meyerzuselhausen@hackmanit.de>> wrote: > > Hi all, > > the latest version of the security BCP references > draft-ietf-oauth-iss-auth-resp-00 as a countermeasures to > mix-up attacks. > > There have not been any concerns with the first WG draft > version so far: > https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/ > <https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/> > > I would like to ask the WG if there are any comments on or > concerns with the current draft version. > > Otherwise I hope we can move forward with the next steps and > hopefully finish the draft before/with the security BCP. > > Best regards, > Karsten > > -- > Karsten Meyer zu Selhausen > Senior IT Security Consultant > Phone: +49 (0)234 / 54456499 > Web: https://hackmanit.de <https://hackmanit.de> | IT Security Consulting, Penetration Testing, Security Training > > Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on: > https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks <https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks> > > Hackmanit GmbH > Universitätsstraße 60 (Exzenterhaus) > 44789 Bochum > > Registergericht: Amtsgericht Bochum, HRB 14896 > Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./ -- Karsten Meyer zu Selhausen Senior IT Security Consultant Phone: +49 (0)234 / 54456499 Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training Möchten Sie sich für ein Projekt mit dem Thema Single Sign-On oder den Standards OAuth und OpenID Connect vertraut machen? Dann melden Sie sich jetzt an für Ihre Einführung in Single Sign-On, OAuth und OpenID Connect am Mittwoch, 09.06.2021, von 10:00 - 14:30 Uhr! https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect Hackmanit GmbH Universitätsstraße 60 (Exzenterhaus) 44789 Bochum Registergericht: Amtsgericht Bochum, HRB 14896 Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
- [OAUTH-WG] Call for Feedback on draft-ietf-oauth-… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Torsten Lodderstedt
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Christian Mainka
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Vladislav Mladenov
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Neil Madden
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Daniel Fett
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Brian Campbell
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Brian Campbell
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Takahiko Kawasaki
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Brian Campbell
- Re: [OAUTH-WG] Call for Feedback on draft-ietf-oa… Vladimir Dzhuvinov