Re: [OAUTH-WG] OAuth Security -- Next Steps

Anthony Nadalin <tonynad@microsoft.com> Mon, 25 July 2016 17:43 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 25 Jul 2016 17:43:31 +0000
Message-ID: <DM5PR03MB2441ACA5B240108C320DFABAA60D0@DM5PR03MB2441.namprd03.prod.outlook.com>
References: <5795F109.9040403@gmx.net>
In-Reply-To: <5795F109.9040403@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KkHRYrEvTfK7nsnh7006SnlrIxk>

Sounds about right, but I would imagine that the BCP would cover any issue that arises, not just mix-up.

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, July 25, 2016 3:59 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth Security -- Next Steps

Hi all,

We had two working group sessions at the Berlin IETF meeting and I am happy about the progress on many of the subjects. We managed to progress token exchange, native apps, AMR, and authorization server meta-data. We also identified new use cases to explore with the device flow document.

We also did a call for adoption of the OAuth token binding functionality, which still needs to be confirmed on the mailing list.
(Further emails will follow.)

There are, however, aspects I am not happy with. I was hoping to make some progress on the mix-up mitigation and on the wider range of security documents.

Here is how I see the story after talking to some meeting participants.

1) It seems that the solution approach to deal with the mix-up attack (only mix-up) described in draft-ietf-oauth-mix-up-mitigation-01 needs to be modified to reflect the preference of the working group. My impression (from speaking with participants at the meeting last week privately) is that there is interest in a solution that does not require protocol changes but rather relies on configuration. This may include a combination of exact redirect_URI matching + per-AS redirect_URI + session state checking. There are also other attacks described in draft-ietf-oauth-mix-up-mitigation-01, which need to be moved elsewhere to avoid confusion.

2) We need a new document, ideally a BCP, that serves as a high-level write-up describing various security issues with OAuth that points to the mostly existing documents for those who want to read the background information. Torsten has posted a mail to the list providing one possible outline of such a document.

How does this sound?

Ciao
Hannes
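Item 1 of the quoted mail sketches a configuration-only mix-up mitigation: one distinct redirect_URI per authorization server, exact matching of that URI, and a state value bound to the AS the flow was started with. The following client-side check is an added example written for this page, not code from the thread or from draft-ietf-oauth-mix-up-mitigation-01; the AS issuers and callback URLs are constructed.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed client configuration: every AS gets its own redirect_uri,
# so the callback path alone tells the client which AS it expects.
AS_CONFIG = {
    "https://as-a.example": {"redirect_uri": "https://client.example/cb/as-a"},
    "https://as-b.example": {"redirect_uri": "https://client.example/cb/as-b"},
}

# Pending flows: state -> issuer the flow was started with (one-time use).
_pending = {}


def start_flow(issuer):
    """Mint a state bound to the chosen AS; return (state, redirect_uri to send)."""
    if issuer not in AS_CONFIG:
        raise ValueError("unknown issuer")
    state = secrets.token_urlsafe(32)
    _pending[state] = issuer
    return state, AS_CONFIG[issuer]["redirect_uri"]


def handle_callback(callback_url):
    """Return (issuer, code) to redeem with, or raise if the callback looks mixed up."""
    parts = urlsplit(callback_url)
    # Exact matching: scheme + host + path, no prefix or wildcard tolerance.
    hit = f"{parts.scheme}://{parts.netloc}{parts.path}"
    issuer_by_uri = {cfg["redirect_uri"]: iss for iss, cfg in AS_CONFIG.items()}
    if hit not in issuer_by_uri:
        raise ValueError("callback on unregistered redirect_uri")
    params = parse_qs(parts.query)
    state = params.get("state", [None])[0]
    expected_issuer = _pending.pop(state, None)  # consume: a replay fails here
    if expected_issuer is None:
        raise ValueError("unknown or replayed state")
    if issuer_by_uri[hit] != expected_issuer:
        # The code arrived at the redirect_uri registered for a different AS
        # than the one this state was issued for: do not redeem the code.
        raise ValueError("state/redirect_uri mismatch (possible mix-up)")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("missing code")
    return expected_issuer, code
```

The code is only ever sent to the token endpoint of the issuer returned here, never to one inferred from the response itself.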