[OAUTH-WG] Re: Call for adoption - PIKA

Ethan Heilman <eth3rs@gmail.com> Wed, 26 June 2024 17:08 UTC

Return-Path: <eth3rs@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B83C1519B0 for <oauth@ietfa.amsl.com>; Wed, 26 Jun 2024 10:08:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wy1G4SmZGQeU for <oauth@ietfa.amsl.com>; Wed, 26 Jun 2024 10:08:14 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62E3BC151545 for <oauth@ietf.org>; Wed, 26 Jun 2024 10:08:14 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2ec002caf3eso105608861fa.1 for <oauth@ietf.org>; Wed, 26 Jun 2024 10:08:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1719421692; x=1720026492; darn=ietf.org; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=f7gN4YcH5lyDgEW7GFTQ/2Q3JPU3MH1/Rtf5QRf4gyg=; b=Ppan/mZGvlE4KK5zDlCE4xTwvlFf1QurlOYvZbazeTDIxmpNAWBBgSneDFPH+tbhFx fCjI0UYvXSyNy5bLkwREEympEvYsTNAyyTFsxiv9vJ1XCRLYa3fj4tMSw6+CS5THirSH pIIZB8Jr8tuWn9TenwHZeDn9Rq8ZM+dKZh97ZF+nefd9KjM4BHB1k8McMsBjw7IMGWMe bzNSQyi+I+s0ym5QWOqydY9gro/mEpzR9mUiX5gxRcJAkS8QRGF1Jx+8scZVmEinnUWe 4vNp41EKwKWEaPt9GiDUqlx0j0IdHTsmwiM5gRmhlPDIKBhre0BSJ8UaZ7sagOLFIsgj 624A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719421692; x=1720026492; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=f7gN4YcH5lyDgEW7GFTQ/2Q3JPU3MH1/Rtf5QRf4gyg=; b=Ju5fvUdh4wnl/p5jmgFrgbohuH2wjPWmiYxHbe/QvpW/zFNZoSr8bL88qVolT1Cb7y 3NBYE+SqiVVNzeKmXyF8iCivrvxdNI6FZRj71rSltSxqpsUsbfdk/FVitkGYppw3h24M nYT5LE0yH/nDntBMucG6x2okALLyI7YAjFb+ZdoeTPSjkNHlTxDhhrxx6bL0NwowJ4mA YLLMwWpM2bUr1L+8RT5yf2pORHq6essQplaIoyoXlmxa9PPKYi9wF3u8+deKgDmrDreV 3mgT/ldO/xo4eoQIwPEBuufmUijTmIrdVc1UUo7V3gznxIfF6JbLyL7wzVfkhL/abXQ8 IU0w==
X-Gm-Message-State: AOJu0YyOISecXzD1XOXfgEflVIKdpcTJgCwhoaU2ix5yBepjpnNThX1t YiUbKPx3ZsVAeoOciWHd1hRNLulT6+uExUla4bEiFkS5VKcTgpID+Vz1jsJmRgWhsDQ0Z66roBw 5CLByEphEJpAfMq9+z2aFcmyvPNKTXcYZ
X-Google-Smtp-Source: AGHT+IEr7rEM6VoeAle7rindtUnV5tA5F3oFeOMz4ei4KrFcf9Bq/xq7G/qoxkerr6SPrN7G37kcxNNo+Jj/bV6Y2ys=
X-Received: by 2002:ac2:4c26:0:b0:52c:c9d5:b92e with SMTP id 2adb3069b0e04-52ce185d202mr7250572e87.69.1719421692072; Wed, 26 Jun 2024 10:08:12 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com> <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com> <SJ0PR02MB7439E4391F43BC7D045859F2B7D52@SJ0PR02MB7439.namprd02.prod.outlook.com> <CACsn0cnW-N984ErjkLiqGx014GikupYWEJ-VPhOg7oD3Vaa=bQ@mail.gmail.com> <CAOgPGoCZ95hhj5KNQVpAB8d4nfOEXY=ozwNmj690k9iepXjcfA@mail.gmail.com> <CAFje9PhELRPFQux6ffaOtyXDw0xnqF=ijZo74UwTXTZ3E8ECOw@mail.gmail.com>
In-Reply-To: <CAFje9PhELRPFQux6ffaOtyXDw0xnqF=ijZo74UwTXTZ3E8ECOw@mail.gmail.com>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Wed, 26 Jun 2024 13:07:35 -0400
Message-ID: <CAEM=y+VuRjXY0xt3R3HsmZJamg=r=+qhyoO2vqRog=ta_8u+ow@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: V2ZAHL6XMM5GY3FFDJUJVKUOYOQRJQVK
X-Message-ID-Hash: V2ZAHL6XMM5GY3FFDJUJVKUOYOQRJQVK
X-MailFrom: eth3rs@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JqdcnLy3CoGm68YcrODjXcEP9WU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I strongly support this draft and would have immediate uses for PIKA
if standardized.

As someone who builds OIDC relying party software I am not worried
about the X.509 certificate requirement, nor do I consider dependence
on X.509s or the Web PKI to be an onerous requirement. I already have
to deal with parsing and creating X.509 certificates in my relying
party software.

Given that JWK Set URI's use the Web PKI to authenticate the JWKs they
serve via HTTPS, it only seems natural we would use that very same
system, the Web PKI, to authenticate JWKs directly.

Thanks,
Ethan


On Tue, Jun 25, 2024 at 8:46 PM Kristina Yasuda
<yasudakristina@gmail.com> wrote:
>
> Sorry to chime in late as well…
> I support adoption of this draft. I have read the thread and to me it seems like there is a mechanism being proposed that solved a concrete problem in a simple manner. Some of the discussion can happen after the draft is adopted.
> Best,
> Kristina
>
>
> On Wed, Jun 26, 2024 at 7:49 AM Joseph Salowey <joe@salowey.net> wrote:
>>
>> Sorry to chime in late here. I'm in favor of adopting this draft.  While I realize that X.509 isn't for everyone, there is an established community of users out there that overlaps with OAUTH users.  I think there are needs to both separate the distribution of the keys from the establishment of trust in those keys and in the auditability of the process of distribution.  I think this draft establishes a deployable mechanism based on existing technology.  X.509 is a good starting point and additional mechanisms can be added as needed.
>>
>> Cheers,
>>
>> Joe
>>
>> On Tue, Jun 25, 2024 at 3:12 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>>>
>>> On Tue, Jun 25, 2024 at 2:56 PM Michael Jones
>>> <michael_b_jones@hotmail.com> wrote:
>>> >
>>> > The other critique I voiced of the approach is that the application-level X.509 certificate can be used to secure the HOST part of the issuer, but not the entire issuer, since in general, the issuer will contain a PATH.  Yes, the service hosting the issuers controls all the paths, as Richard replied earlier, but it’s not the service who is the attacker that this enables.  The attackers that not securing the PATH enables are the tenants themselves.
>>> >
>>> >
>>> >
>>> > An attacker could host a tenant at the service and get an X.509 certificate securing the HOST part of its issuer.  However, because a legitimate tenant at another path shares the same HOST, the attacker can copy its X.509 certificate chain and utilize a substitution attack to make unauthorized statements about the victim tenant – statements that were not made by the hosting service.
>>> >
>>> >
>>> >
>>> > This attack was not addressed, and I believe is intrinsic to the decision not to protect the entire issuer value.
>>> >
>>> >
>>> >
>>> > I believe that adopting this draft would result in this attack occurring in practice.
>>>
>>> To be clear, drafts get modified by the WG after adoption so adoption
>>> is not the same thing as WGLC.
>>>
>>> However, I'm not sure I understand your attack scenario. If we have a
>>> "tenant" distinguished by a path, there is already a security issue
>>> with giving it the X509 certificate. It could then imitate any other
>>> tenant on that server already. That's why we use reverse proxies and
>>> put the certificate only on the proxying machines.
>>>
>>> Sincerely,
>>> Watson
>>>
>>>
>>>
>>> --
>>> Astra mortemque praestare gradatim
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org