[OAUTH-WG] Re: Call for adoption - PIKA

Giuseppe De Marco <demarcog83@gmail.com> Thu, 27 June 2024 22:47 UTC

Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 310DEC14F6E1 for <oauth@ietfa.amsl.com>; Thu, 27 Jun 2024 15:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maoewG4w3e_X for <oauth@ietfa.amsl.com>; Thu, 27 Jun 2024 15:46:58 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F333C14F680 for <oauth@ietf.org>; Thu, 27 Jun 2024 15:46:58 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-57d1782679fso22426a12.0 for <oauth@ietf.org>; Thu, 27 Jun 2024 15:46:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719528416; x=1720133216; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gPt3p+Udq8eK//TleAqhSokTflMuS14Pu/xJhVWCQyU=; b=lvv+qp4LEFK/ljZOMW4z5cxS86q98H1IIl6NdT6f5NjLe6OgTGDFTlHiDD+/l2skCd zjzHPizIH+IVufXhKLvEuNN9bWCAfmuBxY9YBrje3a5wIFrulOxLe9ikNtlcUbGQT5hy 67SD/3VNn6v3iiL18VNKy1Yh9qn3M5Yp7AQYphMl/AVDCd/bUElyot41VvlDRNafG+In VM7uDkal4ZWcBZszgkfwe+Tm3f0xz0vSAORVgKErhUffcZFOm/XoCov+SDr3xW+sUEqo g77q6NvtnaTGbU/QqfGgc/qfeG+8Ufmo/C+9vaZHdQEY/Sk6upLpiTww08lTv5W/vVA3 Nyww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719528416; x=1720133216; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gPt3p+Udq8eK//TleAqhSokTflMuS14Pu/xJhVWCQyU=; b=JSIjdcB8D/gHGw9mLgZZ4/xJCJYrifrz0Gyssk4nF3vSCD/eCH9qyh3L1uc5oCejWl MFi9OS72xpghae3YuVg8FDsTG8pElT7qH6KiJ8EO3XELF1U46HS4hZOGfcxL5WAUTV7e vWMqq7KXGfKZDtNAqsrLwgxZGklI4gVNlD1Ft/yrKlq9DBXOfOQ4bi0fODYm3dX3jCZi khmiAa4Rn3nikRguLTUefMdU1/UK1Es5xTeqrXjrJAQRhygYY3J0urRmkI/k4C+fTt70 Lsw/FpXuC4XW0D7riXAYqy3sVA8Xhv7Y/+RQqhp7NzL79MY6nZa4307iFkEQRdiG1rOZ 59jg==
X-Forwarded-Encrypted: i=1; AJvYcCVvRCSnJwl9wM5D5Voh8QWObHGIBa9sPECKHyDZ9uLSqizGNRvyeR0b4wXHOHeOMPWmyBd4+v9btWFcleO3Hg==
X-Gm-Message-State: AOJu0Yxi/57LOPg2URfiNIPWdKjywTrejrWMD+0NosZXrChL9xLO8Tls 2X2j2juJr4+Hp/akZHUr7Unr1hVHAM/jBxK/9228r0orvvHWOw88S2+dTH+zo9at/tsW1ti50ft 8tD0li3F2MrzHSdTiiWGw/2e80hU=
X-Google-Smtp-Source: AGHT+IHKp1XbZIl+DXF7sEkynGvdo4XdF07DBOlbisqHYb1nKjg5y+E2E/PBiDkDlICh0dN7IGGYHLOSpJI8oKE61ZI=
X-Received: by 2002:a50:d619:0:b0:57c:bd49:9969 with SMTP id 4fb4d7f45d1cf-57d4bde2850mr10408262a12.39.1719528415892; Thu, 27 Jun 2024 15:46:55 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com> <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com> <SJ0PR02MB7439E4391F43BC7D045859F2B7D52@SJ0PR02MB7439.namprd02.prod.outlook.com> <CACsn0cnW-N984ErjkLiqGx014GikupYWEJ-VPhOg7oD3Vaa=bQ@mail.gmail.com> <CAOgPGoCZ95hhj5KNQVpAB8d4nfOEXY=ozwNmj690k9iepXjcfA@mail.gmail.com> <CAFje9PhELRPFQux6ffaOtyXDw0xnqF=ijZo74UwTXTZ3E8ECOw@mail.gmail.com> <CAEM=y+VuRjXY0xt3R3HsmZJamg=r=+qhyoO2vqRog=ta_8u+ow@mail.gmail.com> <CAP_qYy=WiSfZ8Bh=eUU_8FR816+SY2ziA9zEdaocZp0qhAyhcg@mail.gmail.com> <CAL02cgSx062MXEZG1a8kfpnur2K4eWAV_jH-7mgkYnhMhLqqiw@mail.gmail.com>
In-Reply-To: <CAL02cgSx062MXEZG1a8kfpnur2K4eWAV_jH-7mgkYnhMhLqqiw@mail.gmail.com>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Fri, 28 Jun 2024 00:46:44 +0200
Message-ID: <CAP_qYykLKAj65krgGqPAcdaFX0X--fwfZZaYmDcTEyO5Nzd2hw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="000000000000691a26061be6e8f3"
Message-ID-Hash: QZBTOJZLHUB2YJSFPINV6YQG3EYLJGYG
X-Message-ID-Hash: QZBTOJZLHUB2YJSFPINV6YQG3EYLJGYG
X-MailFrom: demarcog83@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jd5KZerdReAY0oxAuJusgpH6gjM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hey Richard,

Openid Discovery apparently doesn't get popular in the gov field, or at
least not alone and without some sort of trusted registries.
Openid Connect didn't get wide adoption in the R&E field that is still
using SAML2 with x.509 certificates mixed with a secured metadata exchange
mechanism mediate by trusted third parties, where the X.509 certificates
are distributed within the metadata and without any revocation mechanism
based on CRL/OCSP.

The previous two examples represent two important real-world large scale
deployment domains.

PIKA is a trust framework aiming to support the main trust model categories
we may have in mind, that we can categorize as follows:

Direct Trust: Trust is established directly between two parties without
intermediaries (bilateral relationship).
Third-Party Trust: Trust is facilitated by a trusted third party (Trust
Anchor, mechanisms of transitive trusts included).
Web of Trust: Each participant makes individual decisions about whom to
trust (end to end or multiple Trust Anchors)

DNS+TLS attests entities identity and cryptographic material for
confidentiality of the transport, using encryption; and proof of
ownership/authority for non repudiation, using signatures.

This is a basic requirement that we need. We need it also with any other
trust framework, be this based on DID resolution web methods or openid
federation or anything else RESTful or SOAP, if web endpoint based.

The next level is represented by all the requirements related to the
mitigation about the following issues:

- spoofing attacks based on slightly modified FQDNs, the end user trusts
the FQDN and no other additional checks would block the attack
- spoofing attacks using open url injected during the transaction (the
example shared in my previous email)
- lack of control about entities behaviour (LoA of the issued data,
accountability, rp overasking, categories of audiences, categories of
services offered ...)
  - early prevention of protocol/cryptography misues (disable a weka
algorith automatically in a multilateral federation)
- proof of realiability about specific compliances (security, regulations,
frameworks, other industrial ...)

metadata are crucial for this, since these forces the entity configurations
and provide mitigations to the issues. The trust framework should offer at
least a way to achieve this, because it should aim to be a framework
allowing the impl to use its tools to solve the common problems.

we may have different metadata for different scopes: administrative,
protocol specific.
we should have multiple cryptographic keys for different scopes: trust,
application protocols such as particular roles or features (key for AS, RP,
RS)

I am interested expanding the scopes of PIKA to offer in its framework one
or more solutions to the issues listed above if PIKA aims to provide
solutions to common problems.
In PIKA I read that its sole scope is "define a format for Proofs of Issuer
Key Authority", if confirmed no pain, it's legitimate (apologies for having
forced you in useless conversations).

According to the current PIKA draft, here my revision points:

- OpenID Federation (remove Connect)
- the revocation reasons in draft 35 was changed and simplified, please
update them accordingly or specify that for the scopes of PIKA other are
defined (in particular if expired to RFC 5280, as they was in openid
federation before the latest changes)
- the openid federation historical keys endpoint response contains only
public keys not valid anymore

good work, never stop


Il gio 27 giu 2024, 17:07 Richard Barnes <rlb@ipv.sx> ha scritto:

> Hi Giuseppe,
>
> Asking whether a technology addresses real-world challenges is a fair
> question.  The point of the current draft is that we have empirical
> evidence that X.509-based authentication works well for many cases, given
> the very wide usage of things like OpenID Connect Discovery.  PIKA seeks to
> address some operational deficiencies in those models, without changing the
> trust model.
>
> --Richard
>
> On Wed, Jun 26, 2024 at 8:21 PM Giuseppe De Marco <demarcog83@gmail.com>
> wrote:
>
>> Hi Ethan,
>>
>> I have experience implementing LDAP clients with SASL and SSL, SAML2 SP,
>> IDP, MDQ, as well as OpenID Connect RP, OP, and RS. It's clear that X.509
>> is foundational to our digital infrastructure, making implementation
>> straightforward due to the widespread availability of supporting libraries.
>>
>> However, X.509 has not addressed all issues; it would be unwise to ignore
>> its limitations and pretend it fits all needs perfectly.
>>
>> I can be an advocate for PIKA and am eager to delve deeper into the
>> technical trust requirements envisioned by the PIKA working group
>> participants. A new specification should aim to tackle the unresolved
>> issues.
>>
>> Consider this real-world example to illustrate a point: Space Attack
>> Spoofing eIDs [1]. The article highlights a vulnerability due to the lack
>> of mechanisms for validating endpoints, which opens the door to
>> Man-in-the-Middle (MITM) attacks through spoofing.
>>
>> From my perspective, part of the solution lies in the trust framework
>> employed. Even with a vulnerability at one point, having trusted endpoints
>> could prevent the attack's success. If endpoints were cryptographically
>> attested through verifiable metadata certified by a trusted third party, or
>> through a trusted distribution method or trusted policy processing, the
>> attack would likely fail. The attacker would not be able to redirect data
>> to fraudulent endpoints.
>>
>> Regardless of the technology, data format, or other elements used, these
>> may not align with our personal preferences or comfort levels, I am
>> interested in discussing the level of technical trust evaluation we aim to
>> incorporate into PIKA. Specifically, which problems are we aiming to solve,
>> and which are we deliberately excluding from the scope of this new
>> specification.
>>
>> When selecting a technology for implementation, it is essential to assess
>> whether it addresses real-world challenges effectively. I am here to
>> investigate if PIKA meets these criteria currently or in the foreseeable
>> future, and to understand the roadmap for its development, if available.
>> This evaluation is vital for trusting a specification.
>>
>> I was too verbose, I am sorry.
>> Giuseppe
>>
>> [1]
>> https://ctrlalt.medium.com/space-attack-spoofing-eids-password-authenticated-connection-establishment-11561e5657b1
>>
>> Il giorno mer 26 giu 2024 alle ore 19:08 Ethan Heilman <eth3rs@gmail.com>
>> ha scritto:
>>
>>> I strongly support this draft and would have immediate uses for PIKA
>>> if standardized.
>>>
>>> As someone who builds OIDC relying party software I am not worried
>>> about the X.509 certificate requirement, nor do I consider dependence
>>> on X.509s or the Web PKI to be an onerous requirement. I already have
>>> to deal with parsing and creating X.509 certificates in my relying
>>> party software.
>>>
>>> Given that JWK Set URI's use the Web PKI to authenticate the JWKs they
>>> serve via HTTPS, it only seems natural we would use that very same
>>> system, the Web PKI, to authenticate JWKs directly.
>>>
>>> Thanks,
>>> Ethan
>>>
>>>
>>> On Tue, Jun 25, 2024 at 8:46 PM Kristina Yasuda
>>> <yasudakristina@gmail.com> wrote:
>>> >
>>> > Sorry to chime in late as well…
>>> > I support adoption of this draft. I have read the thread and to me it
>>> seems like there is a mechanism being proposed that solved a concrete
>>> problem in a simple manner. Some of the discussion can happen after the
>>> draft is adopted.
>>> > Best,
>>> > Kristina
>>> >
>>> >
>>> > On Wed, Jun 26, 2024 at 7:49 AM Joseph Salowey <joe@salowey.net>
>>> wrote:
>>> >>
>>> >> Sorry to chime in late here. I'm in favor of adopting this draft.
>>> While I realize that X.509 isn't for everyone, there is an established
>>> community of users out there that overlaps with OAUTH users.  I think there
>>> are needs to both separate the distribution of the keys from the
>>> establishment of trust in those keys and in the auditability of the process
>>> of distribution.  I think this draft establishes a deployable mechanism
>>> based on existing technology.  X.509 is a good starting point and
>>> additional mechanisms can be added as needed.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Joe
>>> >>
>>> >> On Tue, Jun 25, 2024 at 3:12 PM Watson Ladd <watsonbladd@gmail.com>
>>> wrote:
>>> >>>
>>> >>> On Tue, Jun 25, 2024 at 2:56 PM Michael Jones
>>> >>> <michael_b_jones@hotmail.com> wrote:
>>> >>> >
>>> >>> > The other critique I voiced of the approach is that the
>>> application-level X.509 certificate can be used to secure the HOST part of
>>> the issuer, but not the entire issuer, since in general, the issuer will
>>> contain a PATH.  Yes, the service hosting the issuers controls all the
>>> paths, as Richard replied earlier, but it’s not the service who is the
>>> attacker that this enables.  The attackers that not securing the PATH
>>> enables are the tenants themselves.
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > An attacker could host a tenant at the service and get an X.509
>>> certificate securing the HOST part of its issuer.  However, because a
>>> legitimate tenant at another path shares the same HOST, the attacker can
>>> copy its X.509 certificate chain and utilize a substitution attack to make
>>> unauthorized statements about the victim tenant – statements that were not
>>> made by the hosting service.
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > This attack was not addressed, and I believe is intrinsic to the
>>> decision not to protect the entire issuer value.
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > I believe that adopting this draft would result in this attack
>>> occurring in practice.
>>> >>>
>>> >>> To be clear, drafts get modified by the WG after adoption so adoption
>>> >>> is not the same thing as WGLC.
>>> >>>
>>> >>> However, I'm not sure I understand your attack scenario. If we have a
>>> >>> "tenant" distinguished by a path, there is already a security issue
>>> >>> with giving it the X509 certificate. It could then imitate any other
>>> >>> tenant on that server already. That's why we use reverse proxies and
>>> >>> put the certificate only on the proxying machines.
>>> >>>
>>> >>> Sincerely,
>>> >>> Watson
>>> >>>
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Astra mortemque praestare gradatim
>>> >>>
>>> >>> _______________________________________________
>>> >>> OAuth mailing list -- oauth@ietf.org
>>> >>> To unsubscribe send an email to oauth-leave@ietf.org
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list -- oauth@ietf.org
>>> >> To unsubscribe send an email to oauth-leave@ietf.org
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list -- oauth@ietf.org
>>> > To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>