[OAUTH-WG] CISA Cyber Safety Review Board Report recommendations to IETF

Joseph Heenan <joseph@authlete.com> Sun, 21 July 2024 11:01 UTC

Hi all

I don’t believe the CISA report linked from this page has been discussed in the OAuth group yet:

https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023

Of particular note is that IETF and I think implicitly (as OIDC is built on top of OAuth) the OAuth WG is called out:

"CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope."

From Page 22, 2.1.4, "DIGITAL IDENTITY STANDARDS AND GUIDANCE", recommendation 13. (Bold emphasis added by myself.)

Recommendation 11 explicitly recommends DPoP which is nice.

Recommendation 12 is also perhaps in scope for this group, though I can’t say I understand how to action it: "Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems."

Thanks

Joseph