[OAUTH-WG] Re: Call for adoption - First Party Apps

David Waite <david@alkaline-solutions.com> Thu, 05 September 2024 04:45 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <A454CC94-115D-470B-A1B1-34E03EE15E41@gmail.com>
Date: Wed, 04 Sep 2024 22:44:50 -0600
Message-Id: <484F176F-7C7E-41CC-9BB5-E2487B927E2F@alkaline-solutions.com>
References: <CACsn0cnBjvEZrxFrfa2TBwRo5uwqz=Pd3zph98PjBos6k+Y5xw@mail.gmail.com> <A454CC94-115D-470B-A1B1-34E03EE15E41@gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
CC: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jl4aJ3gVWijwx24GeppuaDlS3Co>


> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com> wrote:
> 
> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
>> 
>> I can always grab the cookie jar off the user browser if I have that
>> level of access.
> 
> USB access is not privileged, but that’s beside the point.
> 
> Put another way, the phishing-resistance of WebAuthn only really makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec that encourages the use of OAuth auth flows outside of such sandboxed environments, as this one potentially does, is going to make defending against phishing harder.

The client is not an identified/authenticated component in the architecture, so user trust is required in using a client - that the client actually is an agent acting in the user’s interest rather than acting maliciously.

Platforms have the ability to provide specific APIs for these interactions to become a trustworthy client, and to block privileged access (including access to speak directly to hardware) behind audited entitlements to prevent installed software from acting as a malicious client.

Note that some platforms also provide entitlements and heuristics for password manager access - however, as a knowledge-based system, the platform cannot really prevent malicious applications from still attempting to manipulate their way to credential phishing.

> 
> (I’d also question why first-party apps need a standardised API for this anyway: they can do whatever they like using proprietary APIs already).

I would struggle to come up with standards-track RFCs which would not be able to instead be accomplished with proprietary APIs. The editors and working groups found value in peer review and in interoperability.

I have seen the pitfalls of a proprietary approach to this and would say peer review is important. My primary concern is whether we can have clients that authenticate against multiple implementing ASes based solely on this work. Profiling authentication methods like passkey-based authentication would go a long way toward alleviating that concern.

-DW