Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

Warren Parad <wparad@rhosys.ch> Thu, 18 March 2021 12:25 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B36343A2A5C for <oauth@ietfa.amsl.com>; Thu, 18 Mar 2021 05:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5_ZmT-j2cFn5 for <oauth@ietfa.amsl.com>; Thu, 18 Mar 2021 05:25:13 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA9723A2A5D for <oauth@ietf.org>; Thu, 18 Mar 2021 05:25:12 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id b10so2032731iot.4 for <oauth@ietf.org>; Thu, 18 Mar 2021 05:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WeflEa4PliPNZPKAj63Pvqu8ruiIhaqWIECR2UecaEA=; b=Jw+DBnf8qBZ9DvIQlesnW/IvT0GGutDE5f80jGbIZBhtLcGQ2j1DLQo9kMtINrYIQj 3SLRPwxQIV84Dc5Xc5yhLdZopS6PKkVTTgjjmgEJtLgAHRRnHbVfrEkrAXNkkBWn4pY9 Rl3kbV6EpepBZv18ZHLJTWxEz2tLeLHmTBjAL1PLB+nyc9rsQPdbzjQlAFlerLQxN4co 75a1eENbMrfMAlYqes/Ypeb5Ls3RCjrOjsTm5Hl9Drsy5JaguJ8H4y0jfbIB0vr6dUV2 XNY0gBdwzXaTM5MUBzokpzQbk8R3d0rrqJwQM8X76y3kKAqzYcZ2X8s0ozYUWHgVUpR7 EL4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WeflEa4PliPNZPKAj63Pvqu8ruiIhaqWIECR2UecaEA=; b=ZsiDX6Tod8j7ctnQrYI+Pxb/fz+A9aGDPYoo/3Y+WmJmHV+L+hihTj5cwIjObtM2UZ EM2njLKWcZLBM957Mu7alz7j7lqV83NhrfoZFiH538/fhlGPpDAh/o7MYIrCu7UXA8io hKE5v2hYYOnuL12NZQEgIQjC2Nw5p5/ESg8eVHNEnB1fvqzl5jFoq1NLmWMxof5WLq2s xLV4/N2ULe6ksMw7z6C3sXxqaEMTpWzstpOVq7ZVS3/Q3FdZMDkLDJTM4oruZQkNik90 KsVNXCA0fiwHzGYxOAjzjmdDMIk9AQ93MFVP/vhguTLHzUWfwVWJ3RaNsNdl0CNYdXnM 9vYA==
X-Gm-Message-State: AOAM531ZXjKcSspRw1BJYw4kvl6I30sSuDv8xFeJTbpG7V2RQUo5mnEP 0EQmhvbDde8VkobZkxBsxdXTFGtOjooKEsJOxRNq
X-Google-Smtp-Source: ABdhPJyrrTFdP2wVoBGyrPzozLfnFlzOYnqbUHQ+8z90leoB+j77b1X0pUivEwI2zodvixYwXoaDSB8FCj10r2p6Eh4=
X-Received: by 2002:a02:661c:: with SMTP id k28mr6701973jac.78.1616070310772; Thu, 18 Mar 2021 05:25:10 -0700 (PDT)
MIME-Version: 1.0
References: <CALkShcttq5WKzJ4Zp8396hd+Dnoa6x74s0ekBGGNddWhoNqJ=g@mail.gmail.com> <D4516625-A215-4864-A893-16975A1E901D@forgerock.com> <CADNypP9FTQ1-vtzuQbHakOUKwQd0gHZhOpWakUG2EWqECDxnow@mail.gmail.com> <0860DA51-9C0C-49CF-8CE4-F90415CC6D0D@forgerock.com>
In-Reply-To: <0860DA51-9C0C-49CF-8CE4-F90415CC6D0D@forgerock.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 18 Mar 2021 13:25:00 +0100
Message-ID: <CAJot-L1hkb3v8XDeYqQ-wGqKVmVJOXaWNPVxEg8DcrxpVT0REA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, draft-ietf-oauth-jwt-introspection-response@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce60ba05bdceb094"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JtIEh2P-fum0Y_cM8oI1OA4FzQE>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 12:25:15 -0000

ūüíĮ

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Thu, Mar 18, 2021 at 1:07 PM Neil Madden <neil.madden@forgerock.com>
wrote:

>
>
> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>>
>>
>> On 18 Mar 2021, at 05:33, Andrii Deinega <andrii.deinega@gmail.com>
>> wrote:
>>
>> ÔĽŅ
>> The Cache-Control header, even with its strongest directive "no-store",
>> is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext
>> Transfer Protocol: Caching).
>>
>> This directive is NOT a reliable or sufficient mechanism for ensuring
>>> privacy.  In particular, malicious or compromised caches might not
>>> recognize or obey this directive, and communications networks might be
>>> vulnerable to eavesdropping.
>>
>>
>> This quote is about privacy. Your concerns so far have been about replay
>> protection. TLS protects both.
>>
>>
>> Regarding TLS, I've mentioned that we don't always have the luxury to see
>> what is going on with the infrastructure. A bright example would be an AS
>> implemented as a serverless application and hosted by one of the cloud
>> providers.
>>
>>
>> Right, but (as I’ve said before) the same reasoning applies to a JWT too.
>> The infrastructure could just as easily ‚Äúterminate JWS‚ÄĚ as it currently
>> terminates TLS. As I keep saying, it’s much better to spend your time
>> ensuring end-to-end TLS than end-to-end JWT.
>>
>
> That's not always possible. In some enterprises, they will have an
> inspection middlebox that breaks the end-to-end TLS, e.g., ZScaler.
>
>
> And if you use encrypted JWTs to work around that you’ll soon have
> inspection middleboxes that break end-to-end JWT. This isn’t a game we can
> win by adding more layers of the same solution.
>
> ‚ÄĒ Neil
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>