Re: [OAUTH-WG] secdir review of draft-ietf-oauth-v2
William Mills <wmills@yahoo-inc.com> Sat, 07 January 2012 07:22 UTC
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C17E621F8516 for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 23:22:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.266
X-Spam-Level:
X-Spam-Status: No, score=-17.266 tagged_above=-999 required=5 tests=[AWL=0.332, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvkEy8SMQ8ee for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 23:22:21 -0800 (PST)
Received: from nm1.bullet.mail.sp2.yahoo.com (nm1.bullet.mail.sp2.yahoo.com [98.139.91.71]) by ietfa.amsl.com (Postfix) with SMTP id 289D121F850F for <oauth@ietf.org>; Fri, 6 Jan 2012 23:22:20 -0800 (PST)
Received: from [98.139.91.65] by nm1.bullet.mail.sp2.yahoo.com with NNFMP; 07 Jan 2012 07:22:13 -0000
Received: from [98.139.91.31] by tm5.bullet.mail.sp2.yahoo.com with NNFMP; 07 Jan 2012 07:22:13 -0000
Received: from [127.0.0.1] by omp1031.mail.sp2.yahoo.com with NNFMP; 07 Jan 2012 07:22:13 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 940096.26433.bm@omp1031.mail.sp2.yahoo.com
Received: (qmail 46217 invoked by uid 60001); 7 Jan 2012 07:22:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1325920933; bh=V55S2marW7ULWcP5dT4seUFjGy8xy7lj3BQN738r6Y0=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=mmeM8nIytk2VZZ8AWkLu/B7xeFMqzogomgHOxsH+aJEClFXciSvEmCACpHjADekt2F+RO6lZrLI9qqAuLKWgD/i/KQlal4c/T0ZgzSQmpl24SLoGJNExM3bL7oPXDT8bWZUvNzAnbK1x/J7sE7Id9S3bdcHEDTecQFhcp/IXuVY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=GSB+gJqsvhvQaRMUrLzVQhWFwNDJOMOxmePQ7ER4bye0OXYRhbUa1gZI/eURit6DH8D1IZyiO6b9EJaBmk5lDHhI0vBNx/5OXyLjhxDZErDFaes053toUh5gwOYpBVW5mWaAQUZIYLLYdmwwzQ0FE0Rey/2OC0W3qk1fhAOxyuk=;
X-YMail-OSG: UjEEK98VM1kvqLg3a_wwxiqb3dzHI7DYFGR4H7WikgWSZrS aArOLhZbHt06i5FxWvXN4Q86Cfcn0Ly9mU2fiOL7Tsa_rkH8u2cMQ02Q3W78 LwPZLZRqysTOqcGPwNaNl6qWDUp0sw0Zbf8fBu8AflLkncnFvb8t04w30QQG B.xpmXCfci._s7JvOW2wCkC3TcWKdiz8LVoUGiCz7Ru8gl7uK8KwqY01Oa_s lG68Uwe3mUH4fiZDhxjpCxuNrO1xuMuek5s8z2yxPMPsKHPUOa.PqUT7GNny qLvsMuob9L3ri1svN9WUVWV4UXxszwnjYhjMwJEq9gls7jqlB8vY4CIs4cuL i0vSsPzEsJbGyF1J6Y3hViMweg1_3p1gu3ERAKcah.j6Qgb2X9TemeJV_09r II7kpV_kWDf_97XGs6hy.Q529xQ--
Received: from [209.131.62.115] by web31804.mail.mud.yahoo.com via HTTP; Fri, 06 Jan 2012 23:22:13 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.116.331537
References: <4E6E4FEA.7090100@sunet.se> <90C41DD21FB7C64BB94121FBBC2E72345213D92D5A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E723453A72D0C2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-ID: <1325920933.19255.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Fri, 06 Jan 2012 23:22:13 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "eran@sled.com" <eran@sled.com>, Leif Johansson <leifj@sunet.se>, OAuth WG <oauth@ietf.org>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453A72D0C2B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="835683298-1501530307-1325920933=:19255"
Subject: Re: [OAUTH-WG] secdir review of draft-ietf-oauth-v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2012 07:22:23 -0000
I think the only thing there I'd say might still want to get done is: > > 10.10 Credentials Guessing Attack > > > > I found myself wanting implementation advice for how to generate good > > tokens at this point. This has been raised on the list too. The same > > goes for how to generate good CSRF cookies where the "(eg a hash of > > the session cookie..." feels like it is implementation advice yearning > > to come out of the closet. > > Need someone to suggest text. Didn't we get CSRF text in there? ________________________________ From: Eran Hammer-Lahav <eran@hueniverse.com> To: "eran@sled.com" <eran@sled.com>; Leif Johansson <leifj@sunet.se>; OAuth WG <oauth@ietf.org> Sent: Friday, January 6, 2012 10:57 PM Subject: Re: [OAUTH-WG] secdir review of draft-ietf-oauth-v2 I have not seen any follow up to the open issues and will be closing them on my editor's list. This doesn't mean they are closed, just that I will not be addressing them without someone raising them again on the list. Since none of them are in the tracker, this email is the only record I know of listing them (and their status/response). EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Tuesday, September 20, 2011 3:13 PM > To: Leif Johansson; OAuth WG > Subject: Re: [OAUTH-WG] secdir review of draft-ietf-oauth-v2 > > (+OAuth WG, -everyone else) > > Thanks Leif. > > See comments inline. Whatever issues are still open will be addressed along > with the rest of the IETF LC feedback. > > EHL > > > > -----Original Message----- > > From: Leif Johansson [mailto:leifj@sunet.se] > > Sent: Monday, September 12, 2011 11:31 AM > > > ** General observations: > > > > POST and/or GET > > > > Examples are sometimes POST and sometimes GET. In many cases it is not > > clear to me from the surrounding text if both POST and GET are allowed > > or if only one is mandated. Illustrating with both a GET _and_ POST > > example in the cases where both are supported would help or make the > > method explicit in the text before the example. > > > > The P-word > > > > The term 'password' is sprinkled throughout the document, sometimes as > > in "client password" or "resource owner password credentials" and I > > suspect that sometimes it is password as in 'an example of a > > credential type' and in other cases it is password as in 'plain old > > password'. This needs to be cleared up throughout (I've included some > examples below). > > > > Normative Language > > > > I've often found myself wanting more normative language often to > > replace existing but less precise text. I've called out some important cases > below. > > > > Unknown parameters > > > > The sentence "The client SHOULD ignore unrecognized response > > parameters" > > occurs in several places. First of all I would argue that this has to > > be a MUST if you want to be able to guarantee extensibility. Secondly > > there are some error responses that are triggered by unsupported > > request parameters. This seems like an inconsistency. > > > > ** Specifics > > > > 1.1 Roles > > > > Forward references to the sections where the roles are defined would > > improve readability. > > What sections? That's the only place these roles are defined. > > > As an illustration of an alternative model for the authorization > > server maybe an informative reference to UMA would be illustrative here. > > A reference to UMA would be confusing in this document. > > > 1.2 Protocol Flow > > > > (A) talks about 'an intermediary such as an authorization server.' it > > isn't clear it me if this refers to a separate authorization server or > > if it is the same authorization server that is referenced in (B). > > Changed to: > > (A) The client requests authorization from the resource owner. The > authorization request > can be made directly to the resource owner (as shown), or preferably > indirectly via > the authorization server as an intermediary. > > > 1.3.3 Resource Owner Password Credentials > > > > When I first read this I thought - why not talk about Resource Owner > > Credentials - in fact there is a parenthesis there "(e.g a username > > and password)" that seems to indicate that other credentials could be > supported. > > > > This needs to be cleared up. Either its username and password and > > nothing else or there is a way to support things like Negotiate or > > X.509-based credentials in which case it should really be Resource > > Owner Credentials with no reference to passwords other than as as an > > example of one possible credential type. > > Changed to: > > (i.e. username and password) > > This is explicitly just for username and password. Other types require an > extension. > > > 1.4 Access Token > > > > first paragraph: "The string is usually opaque". This should be > > reformulated as normative language. In fact I would have liked > > guidance on generating those tokens (which has been brought up on the > > list) possibly as part of an implementation-guide. > > There is not requirement for the string to be opaque, but the general > architecture assumes it is. Otherwise, please suggest language. > > > 1.5 Refresh Token > > > > Why is the refresh token not simply treated as an access token for the > > access token resource in the authorization server? This would seem to > > simplify the model a bit by removing a type of token whose semantic > > (at least to this > > reviewer) is a duplication of a normal access token for a particular > > type of resource. > > Simpler architecture but probably more confusing to many developers. > > > Also in the first paragraph: "(access tokens may have a shorter > > lifetime and fewer permissions". Why not try to write normative > > language here - there are security implications of allowing a refresh > > token to get more permissions > > (say) than the original access token. > > This was discussed before and we could not reach consensus. > > > 2.1 Client types > > > > I find the terminology public/confidential somewhat counter-intuitive. > > An app you have on your personal device is 'public' while a shared > > cloud service is 'confidential'...hmm... > > These are the best terms we could come up with. Not intuitive but well > defined. > > > This section also lacks normative language which isn't good. There > > should be language defining the behavior of public and confidential > > client aswell as the three profiles. > > > > For instance under native application we have "It is assumed that any > > client authentication credentials included in the application can be > > extracted". This should really be normative language. Some of what I > > am looking for can be found in section 2.3 but it isn't clear to me > > that it covers the definition of the profiles. > > Please suggest text. > > > 2.3.1 Client Password > > > > There is also some confusion here about what the client must implement > > and what the server must implement wrt the use of client_id. I read > > the text as trying to say that Servers SHOULD support both and clients > > SHOULD only do Basic. > > We could not reach consensus beyond this. This language was carefully > crafted to work around the disagreements about what is required and what > is not. > > > This section also seems to have been the product of a partial > > s/password/credential/g operation. Either OAUTH is only meant to use > > Basic and passwords or we want to cover all/most HTTP authentication > > methods and credentials and then section 2.3.2 (which feels like an > > afterthought) needs to get folded into 2.3.1 and the normative > > language (and examples!) need some work to cover at least X.509s and > > perhaps even Negotiate. > > When we say password we mean 'plain old password'. Any other types of > credentials are not covered by design. > > > Personally I would try to fold 2.3.1 and 2.3.2 into one section and > > say that servers MUST support Basic and client_id+client_password. > > Servers MAY support any HTTP authentication method with a mapping to > client_id. > > If a client supports username+passwords it SHOULD do Basic and if it > > supports other HTTP authentication methods it MUST NOT use > > client_password for anything and MUST follow normal HTTP > > authentication method negotiation. > > > > Finally, everywhere there is negotiation there must imho be some > > mention/discussion/protection of downgrade attacks. > > Downgrade attacks security section sounds useful. Text? > > > 3.1 Authorization Endpoints > > > > 6th paragraph: "The authorization server SHOULD ignore unrecognized > > request parameters". This formulation returns in several places in the > > document and I don't understand why it isn't a MUST - after all > > doesn't extensibility depend on this? > > I don't have an objection, but extensibility isn't currently required. > > > 3.1.1 Response Type > > > > The response_type parameter is REQURED but its absence SHOULD result > > in an error. Why not MUST? > > This is an OAuth 1.0 legacy of not mandating a particular error behavior. > MUST seems like the right language - any objections? > > > 3.1.2 Redirection Endpoint > > > > There should be a clear normative specification for how to match > endpoints. > > There are traces of this in various parts of the document when > > matching is discussed. I recommend making a concise definition in one > > place (namely > > here) and referencing this throughout. Since this comparison has > > security implications it should be a priority for the specification to be air- > tight. > > This has been discussed by the WG and no consensus was reached. We can > reconsider if someone submits proposed text. > > > 3.1.2.2 Registration Requirements > > > > "(the client MAY use the state request parameter to achieve > > per-request customization)". Doesn't this overload its use for CSRF- > protection? > > Yep. That's intentional. > > > 3.1.2.4 Invalid Endpoint > > > > "The authorization server SHOULD NOT redirect...". Why isn't this a > > MUST NOT? > > I'm ok with MUST NOT - any objections? > > > 3.1.2.5 Endpoint Content > > > > This section basically seems to say "Serve with server-side code not > > with html or client-side code". If this is the case then I suggest > > reformulate to say precisely that using normative language. > > > > The use of the word "script" could perhaps also be made less ambiguous > > since in this case it could refer to both server-side code aswell as > > in-browser code. > > This is only about the HTML response sent back to the user-agent. This is > about including something like 'Share on Twitter/Facebook' widget on a page > with an access token in the URI fragment (which has caused tokens to leak to > Twitter in some cases). > > > 3.2.1 Client Authentication > > > > The phrase "clients issued client credentials" could be rephrased to > > make less violence on English - perhaps "clients that have been issued > > with client credentials", unless that is not the intended meaning in > > which case I argue for something easier to understand ;-) > > Ok. > > > The second bullet: Using client credentials more often also exposes > > them more which might be worth mentioning aswell. > > Proposed text? > > > 4. Obtaining Authorization > > > > Perhaps not critical but the term 'password credentials' occurs in the > > first paragraph and this doesn't seem compatible with resource owner > > authentication being out of scope. It could just be that it should > > read 'resource owner credentials' but it could also signal an > > underlying assumption about username and password being used for > > resource owner authentication. In either case I thing its best to > > avoid the use of the word 'password' to avoid any confusion. > > Password is intentional. This is a special case for passwords. > > > 4.1 Authorization Code > > > > (C) - "using the redirection URI provided earlier" should perhaps read > > "using the redirection URI provided earlier or associated with the > > client in client registration" > > Changed to: > > Assuming the resource owner grants access, the authorization server > redirects the > user-agent back to the client using the redirection URI provided earlier > (in the > request or during client registration). The redirection URI includes an > authorization > code and any local state provided by the client earlier. > > > 4.1.1 and 4.1.2 Authorization Request/Authorization Response > > > > The redirect_uri is listed as OPTIONAL with a reference to 3.1.2 but > > there is no mention in 4.1.2 how to handle the case when the > > redirect_uri is not present. I believe the assumption is that the > > redirect_uri is either resent or part of client registration but that needs to > be made explicit in that case. > > 3.1.2 describe how to handle this parameter. > > > This may apply to other uses of the redirect_uri parameter eg in 4.2.1. > > > > Furthermore in 4.2.2 "code" I suggest the following re-formulatation > > of the last sentence: "The client MUST NOT use an authorization code > > for more than one request. If an authorization code is re-used, the > > authorization server should treat that as a replay attack and SHOULD > > revoke all tokens associated with the client." (i.e loose the "attempt" > > bit which carries no real meaning) > > Changed to server MUST not allow reuse based on previous feedback. Not > sure treating it as an attack is the right language, but the normative language > is the same either way (about revoking tokens). > > > Also note that this is potentially a DOS attack should a single authz code > leak. > > Explain? > > > 4.1.2.1 Error Response > > > > First paragraph, last sentence "and MUST NOT automatically redirect". > > In the light of how willing users normally are to click on links > > presented to them I would strengthen this to "MUST prevent the user > > from following the redirect URI" > > Not sure what you mean. > > > In the definition of the invalid_request parameter I don't understand > > how unsupported parameters can generate an error since endpoints > > should ignore unsupported parameters (in order to support extensibility). > > Good catch. Dropped 'unsupported parameter' part. > > > 4.1.3 Access Token Request > > > > "require client authentication for confidential clients or for any > > client issued client credentials (or with other authentication requirements)" > > > > This text seems unnecessarily convoluted. Isn't enough to say that if > > you have issued credentials to a client you MUST require > > authentication from that client? This applies equally to the other > > sections where client authentication is an issue (eg 4.3.2). > > I felt it was important to call out confidential clients explicitly, but I agree that > if we require issuing credentials to such clients, this can be made simpler. > What do other think? The same end result, but different emphasis. > > > Also cf my comment on 3.1.2 for the discussion of matching > > redirect_uri in the last bullet: ".. and that their values are > > identical". Is this really meant to mean identical? > > Here yes. String comparison. > > > 4.2 Implicit Grant > > > > The parenthesis "(it does not support the issuance of refresh tokens)" > > sounds like it should really be normative language, "refresh tokens > > MUST NOT be issues for implicit grant" because afaiu you could easily > > extend "fragment-transport" to include a refresh-token, so it isn't a > > technically motivated constraint, right? > > Instead I added this to 4.2.2: > > The authorization server MUST NOT issue a refresh token. > > > In (D) I would like to have a normative reference to a document that > > specifies browser behavior for URL fragments since this is a critical > > security dependency for this grant type. > > That's RFC2616. Seems odd to reference it here. > > > 4.4 Client Credentials > > > > I think the text should note that this model effectively implies that > > the client is able to impersonate all users which has the potential > > for worse security problems than if the client has access to individual user > passwords. > > Worse how? You can't use this with resource owner password. > > > 6 Refreshing an Access Token > > > > scope - The term "lesser than" is intuitive but imprecise. I suggest > > "MUST NOT include any scope not originally granted by the resource > owner". > > Ok. > > > 7.1 and 8.1 Access Token Types > > > > The section 7.1 lists two definitions of access token types and > > provides a couple of examples but doesn't provide any constraints on > > future development of access tokens except in 8.1 where it is implied > > that not all access token types would be associated with HTTP > > authentication mechanisms. Are there really no constraints on access > > token types that should be captured? > > None suggested. > > > 10.6 Authorization Code Redirection URI Manipulation > > > > Suggest replace the word 'familiar' with 'trusted' in the first > > sentence of the second paragraph. The notion of trust opens up several > > boat loads of worm but it is the correct term here I think. > > Ok. > > > In the third paragraph "the same as" wrt redirection URIs occur and > > this needs to be defined (cf comments on 3.1.2 above). > > Changed to identical. > > > Finally "The authorization server MUST require public clients and > > SHOULD require confidential clients to register their redirection > > URI". I am missing a discussion of why the two types of client differ wrt this > attack vector. > > Public clients rely on the registration to provide a minimal level of client > identification while confidential clients are later authenticated which can > mitigate redirection URI manipulation. > > > 10.10 Credentials Guessing Attack > > > > I found myself wanting implementation advice for how to generate good > > tokens at this point. This has been raised on the list too. The same > > goes for how to generate good CSRF cookies where the "(eg a hash of > > the session cookie..." feels like it is implementation advice yearning > > to come out of the closet. > > Need someone to suggest text. > > EHL > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth… Stephen Farrell
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Greg Brail
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… André DeMarre
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Greg Brail
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Leif Johansson
- Re: [OAUTH-WG] secdir review of draft-ietf-oauth-… Eran Hammer-Lahav
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Eran Hammer-Lahav
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… André DeMarre
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Eran Hammer-Lahav
- Re: [OAUTH-WG] secdir review of draft-ietf-oauth-… Eran Hammer-Lahav
- Re: [OAUTH-WG] secdir review of draft-ietf-oauth-… Eran Hammer-Lahav
- Re: [OAUTH-WG] secdir review of draft-ietf-oauth-… William Mills
- Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-o… Eran Hammer-Lahav