[OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

Michael Jones <michael_b_jones@hotmail.com> Mon, 08 July 2024 13:24 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Mon, 08 Jul 2024 13:24:52 +0000
Message-ID: <SJ0PR02MB7439BFAD4D6A5AB5A11F8E98B7DA2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CADNypP-xQVgdGn45dB-F-udcmALg=HWb3X1qwhEyZz8nL15j_A@mail.gmail.com> <SJ0PR02MB743926934360E742A090C3E7B7D82@SJ0PR02MB7439.namprd02.prod.outlook.com> <CADNypP9rge6xEaZ6jnp3g3QFr=nEKHqN7hPMQqo_u3TY6MLs6Q@mail.gmail.com> <SJ0PR02MB7439A31CFE6947A0F01658F4B7D82@SJ0PR02MB7439.namprd02.prod.outlook.com>
In-Reply-To: <SJ0PR02MB7439A31CFE6947A0F01658F4B7D82@SJ0PR02MB7439.namprd02.prod.outlook.com>
CC: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KJo_9yYLMl0iSAOj_7DwAaPpUaQ>

Can you reply to this today, Rifaat?

Thanks,
-- Mike

________________________________
From: Michael Jones
Sent: Saturday, July 6, 2024 12:55:19 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

What puzzles me about talking about downgrade attacks in this context is between what points in time you are anticipating that a downgrade might occur.  The Resource Server advertises its proposed authentication methods in a WWW-Authenticate response.  The client then chooses one of them, probably within milliseconds of receiving the WWW-Authenticate response.  When in that flow are you thinking that a downgrade might occur?

Remember that the client is essentially instantaneously using fresh information provided by the resource server.  It is not using information provided at some prior time.

If not the text already proposed in the PR, what specifically would you suggest that we say about downgrade possibilities?

-- Mike

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Sent: Saturday, July 6, 2024 5:05 AM
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

A fair question is whether allowing clients to choose from among supported authentication methods represents an opportunity for a downgrade attack. Since resource servers will only enumerate authentication methods acceptable to them, by definition, any choice made by the client from among them is one that the resource server is OK with. Thus, the resource server allowing the use of different supported authentication methods does not represent an opportunity for a downgrade attack.

A resource server could be configured to accept a method that is considered secure at one time but might be considered insecure later on.

A resource server could also be misconfigured with insecure methods.

For this reason, I still think that a discussion of a potential downgrade attack is warranted in the Security Considerations section.

Regards,

 Rifaat

On Sat, Jul 6, 2024 at 12:30 AM Michael Jones <michael_b_jones@hotmail.com> wrote:

The PR https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45 is intended to address these shepherd review comments.  Please review.

Thanks,
-- Mike

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Sent: Thursday, July 4, 2024 5:30 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft

Mike, Phil, Aaron,

The following is my shepherd review for OAuth 2.0 Protected Resource Metadata
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html

Comments/Questions

5.4. Compatibility with other authentication methods

Would this not open the door for potential downgrade attacks if the list of authentication methods includes weaker methods?
I think this should be discussed in the Security Considerations section.


Nits

Section 1, second sentence:
“This specification is intentionally as parallel as possible …”
It feels like there is a missing word after “intentionally”; maybe “designed”, “specified”?

Regards,

 Rifaat
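The client-side selection the thread is arguing about, written out as an added example (this is not code from draft-ietf-oauth-resource-metadata or from anyone in the thread): a client parses the challenges a resource server returns in WWW-Authenticate, applies its own preference order, and refuses any method below its floor. That is the client-side counterpart to Rifaat's two cases, a server that lists a method now considered insecure and a server simply misconfigured with one, since whatever the server enumerates, the client only uses what its own policy permits. The resource_metadata auth-param and the /.well-known/oauth-protected-resource path come from the draft; the preference order, the https requirement on the metadata URL, the hostnames and the sample header values are assumptions of this example.

```python
"""Choosing among WWW-Authenticate challenges on the client side.

Added example for the downgrade discussion in the thread; it is not code
from draft-ietf-oauth-resource-metadata or from the thread. The
preference order, the sample header values and the hostnames are
assumptions of this example.
"""
import re
from dataclasses import dataclass

# RFC 9110 token / quoted-string grammar. token68 values (for example the
# credential in "Basic dGVzdA==") are not handled; the challenges here
# carry auth-params only.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
_PARAM = re.compile(r"\s*(" + _TOKEN + r")\s*=\s*(?:" + _QUOTED + r"|(" + _TOKEN + r"))\s*,?")
_SCHEME = re.compile(r"\s*(" + _TOKEN + r")(?:\s+|$|(?=,))")
_SEP = re.compile(r"\s*,\s*")


@dataclass
class Challenge:
    scheme: str
    params: dict


def parse_www_authenticate(header: str) -> list:
    """Split one WWW-Authenticate field value into its challenges.

    Commas separate both auth-params and challenges, so a token that is
    not followed by '=' starts a new challenge.
    """
    challenges, pos, end = [], 0, len(header)
    while pos < end:
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d" % pos)
        scheme, pos, params = m.group(1), m.end(), {}
        while True:
            pm = _PARAM.match(header, pos)
            if not pm:
                break
            value = pm.group(2) if pm.group(2) is not None else pm.group(3)
            if pm.group(2) is not None:
                value = re.sub(r"\\(.)", r"\1", value)  # undo quoted-pair escapes
            params[pm.group(1).lower()] = value
            pos = pm.end()
        sep = _SEP.match(header, pos)  # comma after a challenge with no params
        if sep:
            pos = sep.end()
        challenges.append(Challenge(scheme, params))
    return challenges


# Assumed client policy, strongest first. "Basic" is deliberately absent:
# this client never sends a password just because the server listed it,
# which is the client-side answer to a misconfigured or outdated server.
PREFERENCE = ("dpop", "bearer")


def choose_challenge(challenges, preference=PREFERENCE) -> Challenge:
    """Pick the strongest challenge the client's own policy allows."""
    acceptable = [c for c in challenges if c.scheme.lower() in preference]
    if not acceptable:
        raise ValueError("server offered no acceptable authentication method")
    return min(acceptable, key=lambda c: preference.index(c.scheme.lower()))


def resource_metadata_url(challenges) -> str:
    """Return the resource_metadata URL carried by the chosen challenge.

    The draft carries the metadata location in a resource_metadata
    auth-param; insisting on https is this example's own check.
    """
    url = choose_challenge(challenges).params.get("resource_metadata")
    if url is None or not url.startswith("https://"):
        raise ValueError("resource_metadata missing or not https")
    return url


# Constructed sample responses (not captured from any real server).
SAMPLE_MIXED = (
    'DPoP algs="ES256 PS256", '
    'resource_metadata="https://resource.example/.well-known/oauth-protected-resource", '
    'Bearer resource_metadata="https://resource.example/.well-known/oauth-protected-resource", '
    'Basic realm="legacy"'
)
SAMPLE_WEAK_ONLY = 'Basic realm="legacy"'

if __name__ == "__main__":
    mixed = parse_www_authenticate(SAMPLE_MIXED)
    print("using", choose_challenge(mixed).scheme, "->", resource_metadata_url(mixed))
    try:
        choose_challenge(parse_www_authenticate(SAMPLE_WEAK_ONLY))
    except ValueError as exc:
        print("refused:", exc)
```

Run stand-alone, the script picks DPoP from the mixed sample even though Basic is listed alongside it, and raises on the Basic-only sample instead of falling back. The floor lives in PREFERENCE on the client, so it holds regardless of what the server's configuration enumerates, which is the point at issue between "the server only lists what it accepts" and "the server may be wrong about what it should accept".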