Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-security-topics-04.txt

Nat Sakimura <sakimura@gmail.com> Tue, 14 November 2017 16:44 UTC

From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 14 Nov 2017 16:44:34 +0000
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jiig9o5KZjxFeoeZyoFsYlb8kUE>

Thanks, Torsten.

In 4.11, you can probably add client_secret and code phishing explained in
https://nat.sakimura.org/2016/01/22/code-phishing-attack-on-oauth-2-0-rfc6749/.
I do not like the mitigation strategy there at all, though. Now that we
have the MTLS draft, using that is much better.

The current document is based on the known threat analysis. As Andrey
pointed out in the Trier seminar, most problems actually arise from the
failure of 1) source authentication, 2) destination authentication, and 3)
message authentication. This, I think, is a good viewpoint.
The [BCM] paper further recommends having 4) a protocol version and message
identifier, and 5) a full list of actors/roles in addition. It will probably
make the protocol provably secure as well.

Perhaps we can add these as a consideration for mitigating unknown attacks.
Also, analysing each known attack in light of 1) to 5) above will provide
a uniform viewpoint on each attack, so it may be worthwhile doing.

Nat

[BCM] Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798
Standard for Entity Authentication. Journal of Computer Security, Volume 21,
Issue 6, pp. 817-846 (2013)

On Tue, Nov 14, 2017 at 10:28 PM Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi all,
>
> I just published revision -04.
>
> Changes:
>
>    - Added best practices on Token Leakage prevention
>    - Restructured document for better readability
>
> kind regards,
> Torsten.
>
> Begin forwarded message:
>
> *From: *internet-drafts@ietf.org
> *Subject: **[OAUTH-WG] I-D Action:
> draft-ietf-oauth-security-topics-04.txt*
> *Date: *14 November 2017 at 19:49:00 GMT+8
> *To: *<i-d-announce@ietf.org>
> *Cc: *oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>        Title           : OAuth Security Topics
>        Authors         : Torsten Lodderstedt
>                          John Bradley
>                          Andrey Labunets
> Filename        : draft-ietf-oauth-security-topics-04.txt
> Pages           : 26
> Date            : 2017-11-14
>
> Abstract:
>   This draft gives a comprehensive overview on open OAuth security
>   topics.  It is intended to serve as a working document for the OAuth
>   working group to systematically capture and discuss these security
>   topics and respective mitigations and eventually recommend best
>   current practice and also OAuth extensions needed to cope with the
>   respective security threats.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-04
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-04
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
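As an added illustration of the five checks Nat lists (source, destination and message authentication, plus the [BCM] protocol-version/message-identifier and full-role-list tags), here is a small Python message-tagging and verification routine. It is not code from the thread, the draft or the [BCM] paper; the protocol name, message identifiers, role names, payload and the pre-shared HMAC key are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

PROTOCOL = "oauth-example"  # assumed protocol name, constructed for this example
VERSION = "1"


def canonical(fields: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, sender: str, receiver: str, roles: list,
                  msg_id: str, payload: dict, nonce: str = "") -> dict:
    """Tag a message per [BCM]: protocol, version, message id, sender,
    receiver and the full role list are all covered by the MAC."""
    body = {"protocol": PROTOCOL, "version": VERSION, "msg_id": msg_id,
            "from": sender, "to": receiver, "roles": roles,
            "nonce": nonce or secrets.token_hex(16), "payload": payload}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_message(key: bytes, msg: dict, self_id: str, expected_from: str,
                   expected_msg_id: str, expected_roles: list) -> tuple:
    """Apply checks 3), 4), 1), 2), 5) in that order; return (ok, reason)."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return False, "bad mac"                       # 3) message authentication
    if body.get("protocol") != PROTOCOL or body.get("version") != VERSION:
        return False, "wrong protocol/version"        # 4) protocol version tag
    if body.get("msg_id") != expected_msg_id:
        return False, "unexpected message id"         # 4) message identifier tag
    if body.get("from") != expected_from:             # 1) source: key is shared only
        return False, "wrong source"                  #    with the claimed sender
    if body.get("to") != self_id:
        return False, "not addressed to me"           # 2) destination authentication
    if body.get("roles") != expected_roles:
        return False, "role list mismatch"            # 5) full list of actors/roles
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a token request sent by the client to the AS."""
    key = b"constructed-shared-key"  # sample only; never hard-code real secrets
    roles = ["client", "authorization_server", "resource_server"]
    m = build_message(key, "client", "authorization_server", roles,
                      "token_request", {"grant_type": "authorization_code",
                                        "code": "constructed-code"})
    tampered = dict(m, payload={"grant_type": "authorization_code", "code": "other"})
    return {
        "at_as": verify_message(key, m, "authorization_server", "client", "token_request", roles),
        "misdirected": verify_message(key, m, "resource_server", "client", "token_request", roles),
        "replayed_as_other_step": verify_message(key, m, "authorization_server", "client", "authorization_request", roles),
        "tampered": verify_message(key, tampered, "authorization_server", "client", "token_request", roles),
    }
```

The `demo` cases show why the tags matter: a validly MACed message still fails when relayed to a different destination or replayed as a different protocol step.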