Re: [OAUTH-WG] Security considerations in draft-sakimura-oauth-tcse-03
George Fletcher <gffletch@aol.com> Thu, 15 May 2014 13:23 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F9F71A04C2 for <oauth@ietfa.amsl.com>; Thu, 15 May 2014 06:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.651
X-Spam-Level:
X-Spam-Status: No, score=-0.651 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oEb3pK5PjY-W for <oauth@ietfa.amsl.com>; Thu, 15 May 2014 06:23:32 -0700 (PDT)
Received: from omr-d02.mx.aol.com (omr-d02.mx.aol.com [205.188.109.194]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BD7B1A04F8 for <oauth@ietf.org>; Thu, 15 May 2014 06:23:30 -0700 (PDT)
Received: from mtaout-mae01.mx.aol.com (mtaout-mae01.mx.aol.com [172.26.254.141]) by omr-d02.mx.aol.com (Outbound Mail Relay) with ESMTP id D6165700000B6; Thu, 15 May 2014 09:23:22 -0400 (EDT)
Received: from [10.172.2.191] (unknown [10.172.2.191]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mae01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id B2A7338000094; Thu, 15 May 2014 09:23:21 -0400 (EDT)
Message-ID: <5374BFCB.5070200@aol.com>
Date: Thu, 15 May 2014 09:23:23 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Josh Mandel <jmandel@gmail.com>, "oauth@ietf.org WG" <oauth@ietf.org>
References: <CANSMLKE3io952U0gCm2PS-yLSyFDWAWdjq2J=Fz2mwd9tY8=UA@mail.gmail.com>
In-Reply-To: <CANSMLKE3io952U0gCm2PS-yLSyFDWAWdjq2J=Fz2mwd9tY8=UA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010108050702000202020202"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5600.1067/98035
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1400160202; bh=9H+Z9G1DLHWjfVDS9YW6EYwqxJ2CERhv9ja2quDLwoA=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=isLKUpuuiGeIgWwDUZK4S1sk2ShcIbpoHZtr+t/kx5PfZoHe1HN0FrfDDtNvETAs0 uiLUQ9crpXrt+qkgSM0UHeVQ0m+5HLyGKyMUb0ceR1YYWTddzVV4ETgK6diFbgM5rk H2OU4oaYIEbxGJ1ePNGvEI3KPToIMaoIxjw3Fj4Y=
x-aol-sid: 3039ac1afe8d5374bfc9200f
X-AOL-IP: 10.172.2.191
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/IfDMrxEMgYrEyLYgEELzwkeByQ8
Subject: Re: [OAUTH-WG] Security considerations in draft-sakimura-oauth-tcse-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2014 13:23:35 -0000
True... but isn't this then just a standard "phishing" attack? Even today, any app can attempt to start an authorization if it knows the client_id (which isn't protected) and the registered callback URL. The user has to determine if they think the particular app asking for authorization should be granted that authorization. Am I missing something? Thanks, George On 5/14/14, 7:43 PM, Josh Mandel wrote: > > Forgive me if this is well-trodden territory, but I would have > expected the security considerations in this proposal to include a > note to the effect of: > > "In a scenario where a mobile client is contending with malicious apps > on the same device that listen on the same custom URL scheme, it's > important to keep in mind that a malicious app can initiate its own > authorization request. Such a request would appear the same as a > legitimate request from the end-user's perspective. So in this case, a > malicious app could request its own verifier code and successfully > obtain authorization using the tcse protocol." > > Obviously this does not negate the value of the proposal, but it's > something I'd expect readers to keep in mind. > > In particular, it has very strong implications for whitelisted > authorizations, where no end user interaction is required. In such a > case, a malicious app could initiate a request at any time and the > user would not be in the loop to raise a question about its legitimacy. > > On May 9, 2014 4:51 PM, "Brian Campbell" <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> wrote: > > > > I notice that code_verifier is defined as "high entropy > cryptographic random string of length less than 128 bytes" [1], which > brought a few questions and comments to mind. So here goes: > > > > Talking about the length of a string in terms of bytes is always > potentially confusing. Maybe characters would be an easier unit for > people like me to wrap their little brains around? > > > > Why are we putting a length restriction on the code_verifier anyway? > It seems like it'd be more appropriate to restrict the length of the > code_challenge because that's the thing the AS will have to maintain > somehow (store in a DB or memory or encrypt into the code). Am I > missing something here? > > > > Let me also say that I hadn't looked at this document since its > early days in draft -00 or -01 last summer but I like the changes and > how it's been kept pretty simple for the common use-case while still > allowing for crypto agility/extension. Nice work! > > > > [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3 > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- George Fletcher <http://connect.me/gffletch>
- [OAUTH-WG] Security considerations in draft-sakim… Josh Mandel
- Re: [OAUTH-WG] Security considerations in draft-s… George Fletcher
- Re: [OAUTH-WG] Security considerations in draft-s… Josh Mandel
- Re: [OAUTH-WG] Security considerations in draft-s… Nat Sakimura