IETF Logo Mail Archive

Re: [OAUTH-WG] Review of draft-ietf-oauth-pop-architecture

Phil Hunt <phil.hunt@oracle.com> Tue, 21 July 2015 07:27 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA5B1AD1A3 for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2015 00:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ruS_SaqtoBoZ for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2015 00:27:34 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3D71AD16B for <oauth@ietf.org>; Tue, 21 Jul 2015 00:27:34 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t6L7RYJx010821 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 21 Jul 2015 07:27:34 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.13.8/8.13.8) with ESMTP id t6L7RUH9002594 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 21 Jul 2015 07:27:30 GMT
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserv0122.oracle.com (8.13.8/8.13.8) with ESMTP id t6L7RRLr016912; Tue, 21 Jul 2015 07:27:27 GMT
Received: from dhcp-8989.meeting.ietf.org (/31.133.138.137) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 21 Jul 2015 00:27:27 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_C2D008E8-276F-49E6-AEC2-9850351E2EB2"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <sjm8uan7n85.fsf@securerf.ihtfp.org>
Date: Tue, 21 Jul 2015 09:27:23 +0200
Message-Id: <50B6C28A-86A3-4D7F-87BB-FC47C613870A@oracle.com>
References: <sjm8uan7n85.fsf@securerf.ihtfp.org>
To: Derek Atkins <derek@ihtfp.com>
X-Mailer: Apple Mail (2.2102)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/L7t-Y8auJi1jG1w-ZaMoguRmEfM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-pop-architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 07:27:37 -0000

Derek,

Just looking at the issue you mentioned earlier. I think you also wanted to add in that a resource server A might be legitimately trying to re-use the token with an unintended “audience”, resource server B.  Correct?

If so, here is a possible amendment to the case in 3.1:

Original Text:
>    Imagine a scenario where a resource server that receives a valid
>    access token re-uses it with other resource server.  The reason for
>    re-use may be malicious or may well be legitimate.  In a legitimate
>    use case consider chaining of computations whereby a resource server
>    needs to consult other third party resource servers to complete the
>    requested operation.  In both cases it may be assumed that the scope
>    of the access token is sufficiently large that it allows such a re-
>    use.  For example, imagine a case where a company operates email
>    services as well as picture sharing services and that company had
>    decided to issue access tokens with a scope that allows access to
>    both services.
> 
>    With this use case the desire is to prevent such access token re-use.
>    This also implies that the legitimate use cases require additional
>    enhancements for request chaining.

Proposed text:
Imagine a scenario where a resource server that receives a valid
   access token re-uses it with another resource server.  The reason for
   re-use may be malicious or may well be legitimate. For example, in a legitimate
   use case consider chaining of computations whereby a resource server
   needs to consult another third party resource servers to complete the
   requested operation. In this case, the third-party is not the intended audience (target) of 
   the access token issued to the client. In both cases it may be assumed that the scope
   of the access token is sufficiently large that it allows such a re-
   use.  For example, imagine a case where a company operates email
   services as well as picture sharing services and that company had
   decided to issue access tokens with a scope that allows access to
   both services.

   With this use case the desire is to prevent such access token re-use and to ensure that only the intended client
   and resource servers may wield the token.
   This also implies that the legitimate use cases require additional
   enhancements for request chaining.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Jul 10, 2015, at 10:48 PM, Derek Atkins <derek@ihtfp.com> wrote:
> 
> Hi,
> 
> In performing my shephard review of draft-ietf-oauth-pop-architecture I
> found one issue that was bugging me: you talk about target naming "too
> late" in the draft.  I.e., as I was reading through section 3.1 about
> token reuse I think it doesn't have enough detail about how you would
> prevent server A asking the client for a token for a resource of server
> B, and then server A acting as the client for server B?  I.e., how do
> you prevent server A acting as a MITM between the client and server B?
> (This is sort of the same question that resulted in TLS channel
> bindings).
> 
> I know this target (scope) protection exists, and it's even discussed a
> bit later in the document but it's not even mentioned as a possible
> threat in 3.1, which seems like a glaring ommission.
> 
> I'll create a more formal shephard review but I'd suggest some
> additional text to at least mention this threat in 3.1; you can provide
> a pointer to the protections then, too.
> 
> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email