IETF Logo Mail Archive

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

Daniel Fett <fett@danielfett.de> Thu, 28 December 2023 13:38 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB11C15C2B7 for <oauth@ietfa.amsl.com>; Thu, 28 Dec 2023 05:38:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z32spuTTbUuC for <oauth@ietfa.amsl.com>; Thu, 28 Dec 2023 05:38:08 -0800 (PST)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050:0:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCF3C15C29F for <oauth@ietf.org>; Thu, 28 Dec 2023 05:38:06 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4T18hn4n62z9sW9 for <oauth@ietf.org>; Thu, 28 Dec 2023 14:38:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1703770681; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references; bh=0L0A0Z8uwouieyRn67iGtxCFnIuMO/r2ce9q2f2ZXLY=; b=guFArq0tA+0CFN7VmbR7Sl0bRjo2RirkvMcwMkIXd0AXmHQVQGJqHw866scPOwmXJSP9A8 ZUHmxkqLHVYpUxfvHF/kqzzJg2Lq1TtLhQtrfWmxyndJNnMxKlOcv5RFefRUUZFjXg4GJg DgUB2giC/l25iAoJbKDQdUk3YbiABEUQkzeT7oVcpKPiXU4Rp347ZzYGJGukTpTDBwnHY9 CS+4wnQo2y4NTTGX9hoN8BuZsPfFu1xHLacLWgsVvbIOehTAAy7t3Cb1VabSE3RIqa8n1D 9Sf0O/m6oQZVQHq6JUB5seHwumnTpRySgHTNRYnNb+15VEzsGeOou/LmrLjoqg==
Content-Type: multipart/alternative; boundary="------------9wagHPbfItcZ7ZVk4kQv9vlN"
Message-ID: <6bdfa6d8-594c-40b2-a5ed-4a8ca9943929@danielfett.de>
Date: Thu, 28 Dec 2023 14:38:00 +0100
MIME-Version: 1.0
Reply-To: mail@danielfett.de
Content-Language: de-DE
To: oauth@ietf.org
References: <AS8PR10MB74277A2DAC89D987531F7F74EECBA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <AS8PR10MB74277A2DAC89D987531F7F74EECBA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KKkARjxgIWqjy2Gpzhswpa5xR4o>
Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2023 13:38:13 -0000

Hi Hannes,

thanks again for your feedback! It is incorporated in the editor's copy now.

- 
https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html

- Diff to published version: 
https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt 
<https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt>

I plan to publish the next version once we have resolved the discussion 
points from Roman's AD review.

-Daniel


Am 04.10.23 um 15:41 schrieb Tschofenig, Hannes:
>
> Hi all,
>
> here are some comments as part of my shepherd review of the OAuth 
> Security BCP.
>
> First, I want to send a big "Thanks" to everyone in the group for the 
> work on this document and to the authors in particular. It has taken 
> us a while to come up with such an impressive list of security 
> recommendations for OAuth 2.0.
>
> At this point in time my review comments can only be minor given the 
> amount of feedback this documents has already received.
>
> Here are a few remarks.
>
> I believe we should indicate that the specification updates other 
> OAuth RFCs. The obvious documents it updates are RFC 6749, RFC 6750 
> and RFC 6819.
>
> You can set these "updates" in the template you are using.
>
> In Section 1 you say:
>
> "
>
> It does not supplant the security advice given in
>
>    [RFC6749], [RFC6750], and [RFC6819], but complements those documents.
>
> "
>
> In the subsequent paragraph you state that you "depreciate some modes 
> of operation".
>
> I believe you are need to be clear about what you are doing in 
> relationship to these prior documents. It might also be useful to say 
> something about OAuth 2.1.
>
> Expand abbreviations on first use. Example: "AS" and "PKCE" in Section 
> 2.1. The AS abbreviation is only expanded later in Section 3. Decide 
> whether you want to use abbreviations or not. You mix them throughout 
> the document without no reasons.
>
> Listing the abbreviations in Section 1.2 may also be useful. There are 
> not that many abbreviations anyway.
>
> I have wording suggestions for this paragraph:
>
> FROM:
>
> "
>
>    Authorization servers SHOULD use client authentication if possible.
>
>    It is RECOMMENDED to use asymmetric (public-key based) methods for
>
>    client authentication such as mTLS [RFC8705] or using signed JWTs
>
>    ("Private Key JWT") in accordance with [RFC7521] and [RFC7523] (in
>
>    [OpenID.Core] defined as the client authentication method
>
>    private_key_jwt). When such methods for client authentication are
>
>    used, authorization servers do not need to store sensitive symmetric
>
>    keys, making these methods more robust against a number of attacks.
>
> "
>
> TO:
>
> "
>
>    Authorization servers SHOULD enforce client authentication, if 
> possible.
>
>    It is RECOMMENDED to use asymmetric cryptography for
>
>    client authentication, such as mTLS [RFC8705] or using signed JWTs
>
>    ("Private Key JWT"), in accordance with [RFC7521] and [RFC7523] (in
>
>    [OpenID.Core] defined as the client authentication method
>
>    private_key_jwt). When asymmetric cryptography for client 
> authentication is
>
>    used, authorization servers do not need to store sensitive symmetric
>
>    keys, making client authentication more robust against leakage of keys.
>
> "
>
> (Note: For the reader it is always better if they are told what attacks
>
> are prevented rather than saying "a number of attacks". You don't want 
> the reader
>
> to guess what you mean.)
>
> Section 2 is a summary of what follows in Section 4. Maybe you can 
> make this explicit
>
> either in the title of Section 2 or in the first paragraph of Section 2.
>
> Section 3.
>
> You write:
>
> "
>
>    These attackers conform to the attacker model that was used in formal
>
>    analysis efforts for OAuth [arXiv.1601.01229].  This is a minimal
>
>    attacker model. Implementers MUST take into account all possible
>
>    types of attackers in the environment in which their OAuth
>
>    implementations are expected to run.
>
> "
>
> When you say "these attackers" please clarify which attackers you are 
> talking about.
>
> Prior to this paragraph you have just spoken about various forms of 
> network attackers.
>
> Just before that you talked about network and web attackers.
>
> Then, you introduce more attackers and you keep talking about "this 
> attacker model" and
>
> "these attackers". Make it easier for the reader by referring 
> explictly which attackers
>
> you are talking about in a specific paragraph.
>
> Then, you conclude the section with a hint that there is an even 
> stronger attacker model.
>
> As a reader I might want to know what this stronger attacker model 
> looks like and why you
>
> do not consider it in this document.
>
> Section 4.1.1:
>
> You write:
>
> "
>
> Note: Vulnerabilities of this kind can also exist if the
>
>    authorization server handles wildcards properly.
>
> "
>
> I believe you are saying that the vulnerabilities caused by incorrect 
> redirect URI validation parsing when you refer to "this kind".
>
> I would also remove the "note"
>
> Section 4.1.3:
>
> You write:
>
> "
>
>    *  Servers on which callbacks are hosted MUST NOT expose open
>
>       redirectors (see Section 4.11).
>
> "
>
> Are you talking about authorization servers (which is what was 
> referenced in the paragraph before)?
>
> Section 4.10.1: Sender-constrained Access Tokens
>
> The text gives the reader the impression that the token binding would 
> be an option for developers to use.
>
> I don't think that this is the case. I am particularly referring to 
> this sentence:
>
> "
>
>    *  *DPoP* ([I-D.ietf-oauth-dpop]): DPoP (Demonstration of Proof-of-
>
>       Possession at the Application Layer) outlines an application-level
>
> sender-constraining for access and refresh tokens that can be used
>
>       in cases where neither mTLS nor OAuth Token Binding (see below)
>
>       are available.
>
> "
>
> I would change it to:
>
> "
>
>    *  *DPoP* ([I-D.ietf-oauth-dpop]): DPoP (Demonstration of Proof-of-
>
>       Possession at the Application Layer) outlines an application-level
>
> sender-constraining for access and refresh tokens that can be used
>
>       in cases where mTLS is not available.
>
> "
>
> I would then remove the subsequent text talking about old, expired drafts.
>
> Alternatively, you could move the text to the appendix.
>
> Section 4.10.2: Audience Restricted Access Tokens
>
> In the text you say:
>
> "
>
>    Audience restriction essentially restricts access tokens to a
>
>    particular resource server.  The authorization server associates the
>
>    access token with the particular resource server and the resource
>
>    server SHOULD verify the intended audience.
>
> "
>
> You have to put a MUST here. If the resource server does not check the 
> audience
>
> restriction when using audience restricted access tokens then you 
> obviously do not
>
> get the value from it. It is like using DPOP and not using the 
> proof-of-possession.
>
> Likewise the SHOULD language in this sentence is also questionable:
>
> "
>
> The client SHOULD tell the authorization server the intended resource
>
>    server.  The proposed mechanism [RFC8707] could be used or by
>
>    encoding the information in the scope value.
>
> "
>
> If the client does not tell the authorization server what the intended 
> resource server
>
> is then how should the authorization server know (unless in a very 
> limited setup).
>
> Also the reference to RFC 8707 is a bit weak. We standardized resource 
> indicators: why not
>
> recommend using it?
>
> Section 4.10.3: The section heading is "Discussion: Preventing Leakage 
> via Metadata".
>
> The content of the section is not really a discussion but rather a 
> description of why
>
> this path has not been taken. I wonder whether it would be better to 
> move this section
>
> to the appendix and then start the text by explaining why other 
> solutions have been used instead of this approach.
>
> Section 4.11: I would put the definition about what an "open 
> redirector" is into the terminology section since you
>
> are using the term already in earlier sections. Here is the definition:
>
> "
>
> An open redirector is an endpoint that forwards a user’s
>
>    browser to an arbitrary URI obtained from a query parameter.
>
> "
>
> Typos/Wording:
>
> FROM:
>
> "
>
> Afterwards, the updated the OAuth attacker model is presented.
>
> "
>
> TO:
>
> "
>
> Afterwards, the updated OAuth attacker model is presented.
>
> "
>
> Section 4.1:
>
> "... wild ."
>
>          ^
>
> Consider using the guidelines for inclusive language:
>
> https://www.rfc-editor.org/part2/#inclusive_language 
> <https://www.rfc-editor.org/part2/#inclusive_language>
>
> For example, "If the attacker is able to ... , **he** will directly 
> get access to ..."
>
> Another example is "whitelisted".
>
> Section 4.1.2: a wording suggestion.
>
> FROM:
>
> "
>
> The attack
>
>    described here combines this behavior with the client as an open
>
>    redirector (see Section 4.11.1) in order to get access to access
>
>    tokens.
>
> "
>
> TO:
>
> "
>
> The attack
>
>    described here combines this behavior with the client as an open
>
>    redirector (see Section 4.11.1) to obtain access tokens.
>
> "
>
> Section 4.7.1: word missing
>
> FROM:
>
> "
>
> PKCE provides robust protection against CSRF attacks even in presence
>
>    of an that can read the authorization response (see Attacker A3 in
>
>    Section 3).
>
> "
>
> TO:
>
> "
>
> PKCE provides robust protection against CSRF attacks even in presence
>
>    of an attacker that can read the authorization response (see 
> Attacker A3 in
>
>    Section 3).
>
> "
>
> Section 4.18.2: capitalization
>
> FROM:
>
> "
>
> Wildcard origins like "*" in postMessage MUST not be used as
>
>    attackers can use them to leak a victim's in-browser message to
>
>    malicious origins.
>
> "
>
> TO:
>
> "
>
> Wildcard origins like "*" in postMessage MUST NOT be used as
>
>    attackers can use them to leak a victim's in-browser message to
>
>    malicious origins.
>
> "
>
> You might also want to replace the short title "oauth-security-topics" 
> (which can be found on each page) with something like "OAuth 2.0 
> Security BCP".
>
> Ciao
>
> Hanns
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Please use my new email address:mail@danielfett.de

v2.23.0 | Report a Bug | By Email