[OAUTH-WG] Re: Call for adoption - PIKA

Joseph Salowey <joe@salowey.net> Tue, 25 June 2024 22:49 UTC

Return-Path: <joe@salowey.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 783A5C1840F6 for <oauth@ietfa.amsl.com>; Tue, 25 Jun 2024 15:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNEh0CYINRdg for <oauth@ietfa.amsl.com>; Tue, 25 Jun 2024 15:49:04 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E088FC1840F4 for <oauth@ietf.org>; Tue, 25 Jun 2024 15:49:04 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2ebed33cb65so67930121fa.2 for <oauth@ietf.org>; Tue, 25 Jun 2024 15:49:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1719355741; x=1719960541; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=3bJYZAXEjCqsd9L/S2EOzxuzXED37EiDLS5IsCVQG5o=; b=EwR0efCq7MmYBQLjTdlu91qLQEjiaUPW0r7g9ew5McoQMBoNmvwxDdni0NKxPLHQBz 99PG8rR9r/bI2grASQxIusS5LAKN0mpB6o2YY3J+Z0Nq8guqohuDxA66hIqGhlPkKhMB jSFdFYNgjViDQBKBzycWB9KJ2OADiI9hWdEOlRtx9ENJHokTheiKvhl2Eh1bH/tHq1r7 ZeMWQKni9ngbhpwnLi9pfp3XiF3fPMGKtQAzB4nbB3PCgVFnhZAHT+5l19MYeYad+I0p OYrzeXIwsuP5DiZ0cu8jfvbu0CwrvFuu7/7WxQHRv8XVnsDsoCDBAeoZ/oq1mfvHtuUr zbMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719355741; x=1719960541; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3bJYZAXEjCqsd9L/S2EOzxuzXED37EiDLS5IsCVQG5o=; b=SykPGZXqEOU294ipeJlFLHZSXwnGdvCS+iZGyN9ZKovwex/FmmC4AmbVe1pNDBh/dd Gr0RRfPXfGmhsVIME9l/AzlFNmjRG6peO+HIt9V4AaWfcFAemU2ieY+rSUs0ZIl8JB9U 2w6bMb/k6mr976OB5Nkq/lK0gcIK5ww26WDya0XFgXgVqP+noBk5HY1gLXYbT/OYcyNr ORgipNbVsgA/p9G1RNAM3nCOsIMv8EwNep6UnA3WAapY1kCER0UTVJb2bKCN3aptiw/X RGn7XweczxSIDQV+FXyeHzXpIPfXiTrmSmx2ebjtanSCk7f8uBLV5Ub3yvuFFuM4y+1G L6bg==
X-Gm-Message-State: AOJu0YwppMl/4gBRdQXgnw0jBt7FwppukoIsomq0eL5/TIOvAEHLQ4Lz Htr0rRpPFbBf7TB2TkDA/N0KvDpVlLhPvd1nHfCfrb35yNLEOUUYqW+TEyGoDlaH4BXf9s3xhbc J9YWABefJJdwTYVg5DGLVXO67uWtAwHHPUF4ssw9+RWwQzlQR114=
X-Google-Smtp-Source: AGHT+IFWI4mlAQs+OSSQJQFo2Tdz2SJfXy7ifie6kbD3w0ncqBanaJ/domJgde+NwkZ1nB25rLNyXN7YU/DERMUVwVY=
X-Received: by 2002:a2e:bc04:0:b0:2ec:5964:9c0d with SMTP id 38308e7fff4ca-2ec5964a0f6mr95710241fa.0.1719355741410; Tue, 25 Jun 2024 15:49:01 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com> <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com> <SJ0PR02MB7439E4391F43BC7D045859F2B7D52@SJ0PR02MB7439.namprd02.prod.outlook.com> <CACsn0cnW-N984ErjkLiqGx014GikupYWEJ-VPhOg7oD3Vaa=bQ@mail.gmail.com>
In-Reply-To: <CACsn0cnW-N984ErjkLiqGx014GikupYWEJ-VPhOg7oD3Vaa=bQ@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Tue, 25 Jun 2024 15:48:48 -0700
Message-ID: <CAOgPGoCZ95hhj5KNQVpAB8d4nfOEXY=ozwNmj690k9iepXjcfA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000035b0c6061bbeb42e"
Message-ID-Hash: OEPSOLUUFQTHCZJHLCBMPBDGR536C5PG
X-Message-ID-Hash: OEPSOLUUFQTHCZJHLCBMPBDGR536C5PG
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JRJQVjaEJDQCx5UbW8gBqaHWGtI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Sorry to chime in late here. I'm in favor of adopting this draft.  While I
realize that X.509 isn't for everyone, there is an established community of
users out there that overlaps with OAUTH users.  I think there are needs to
both separate the distribution of the keys from the establishment of trust
in those keys and in the auditability of the process of distribution.  I
think this draft establishes a deployable mechanism based on existing
technology.  X.509 is a good starting point and additional mechanisms can
be added as needed.

Cheers,

Joe

On Tue, Jun 25, 2024 at 3:12 PM Watson Ladd <watsonbladd@gmail.com> wrote:

> On Tue, Jun 25, 2024 at 2:56 PM Michael Jones
> <michael_b_jones@hotmail.com> wrote:
> >
> > The other critique I voiced of the approach is that the
> application-level X.509 certificate can be used to secure the HOST part of
> the issuer, but not the entire issuer, since in general, the issuer will
> contain a PATH.  Yes, the service hosting the issuers controls all the
> paths, as Richard replied earlier, but it’s not the service who is the
> attacker that this enables.  The attackers that not securing the PATH
> enables are the tenants themselves.
> >
> >
> >
> > An attacker could host a tenant at the service and get an X.509
> certificate securing the HOST part of its issuer.  However, because a
> legitimate tenant at another path shares the same HOST, the attacker can
> copy its X.509 certificate chain and utilize a substitution attack to make
> unauthorized statements about the victim tenant – statements that were not
> made by the hosting service.
> >
> >
> >
> > This attack was not addressed, and I believe is intrinsic to the
> decision not to protect the entire issuer value.
> >
> >
> >
> > I believe that adopting this draft would result in this attack occurring
> in practice.
>
> To be clear, drafts get modified by the WG after adoption so adoption
> is not the same thing as WGLC.
>
> However, I'm not sure I understand your attack scenario. If we have a
> "tenant" distinguished by a path, there is already a security issue
> with giving it the X509 certificate. It could then imitate any other
> tenant on that server already. That's why we use reverse proxies and
> put the certificate only on the proxying machines.
>
> Sincerely,
> Watson
>
>
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>