Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Brian Campbell <bcampbell@pingidentity.com> Fri, 14 May 2021 22:23 UTC

To: Daniel Fett <fett@danielfett.de>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M4-I_08RBJEXBx_D-hkbvBd6hgc>

Perhaps this draft could be marked as replacing
draft-ietf-oauth-mix-up-mitigation (I think the chairs have the tools to do
that) so that the datatracker somewhat reflects the history?

Some discussion in the draft itself might be helpful to a subset of readers
interested or knowledgeable about the history.  But I suspect that it'd
just be noise for the majority of readers.

On Mon, May 10, 2021 at 7:26 AM Daniel Fett <fett@danielfett.de> wrote:

> Hi Neil,
>
> I'm not sure - maybe others can chime in here as well - if a discussion
> relating to an expired previous draft is something one would expect in the
> spec.
>
> For the record, the client_id does not provide any additional security.
> The key to mitigating Mix-Up is that the "honest AS" ensures that the code
> issued at its token endpoint is sent to the honest IdP's token endpoint,
> and not to the attacker IdP's token endpoint. This is ensured by the iss
> parameter. The client_id would maybe be relevant if the honest AS sends
> different issuer values for different client_ids - I have not heard of such
> a constellation. I'm not sure why the client_id was included in the
> previous draft.
>
> -Daniel
>
>
> On 10.05.21 at 14:57, Neil Madden wrote:
>
> I have also read it and it looks good to me. It might be worth explicitly
> discussing how it relates to the older draft [1] (that we implemented at
> the time). That older draft also included a client_id parameter in the
> response, so it would be good to clarify if that is actually needed to
> prevent the attack or not.
>
> [1]:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>
>
> Kind regards,
>
> Neil
>
> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen <
> karsten.meyerzuselhausen@hackmanit.de> wrote:
>
> Hi all,
>
> The latest version of the security BCP references
> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>
> There have not been any concerns with the first WG draft version so far:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>
> I would like to ask the WG if there are any comments on or concerns with
> the current draft version.
>
> Otherwise I hope we can move forward with the next steps and hopefully
> finish the draft before/with the security BCP.
>
> Best regards,
> Karsten
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone: +49 (0)234 / 54456499
> Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> -- https://danielfett.de
>
>

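The client-side check Daniel describes, binding the `iss` value in the authorization response to the authorization server the flow was started with, as an added illustration that is not code from the thread or the draft. Issuer URLs, endpoint paths and the in-memory `PENDING` table are constructed assumptions; `client_id` is deliberately not consulted, since the check rests on `iss` alone.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry of the authorization servers this client is
# configured for (assumed values, not taken from the thread).
AUTH_SERVERS = {
    "https://honest.example.com": {"token_endpoint": "https://honest.example.com/token"},
    "https://other.example.net": {"token_endpoint": "https://other.example.net/token"},
}

# Flows in progress, keyed by the client-generated `state`, remembering the
# issuer the user selected when the flow was started (assumed in-memory store).
PENDING = {}


def start_flow(state, issuer):
    """Record the issuer before redirecting the user agent to its authorization endpoint."""
    if issuer not in AUTH_SERVERS:
        raise ValueError("unknown issuer")
    PENDING[state] = issuer


def handle_callback(redirect_url):
    """Validate an authorization response (the URL the user agent was redirected to).

    Returns the token endpoint the code may be redeemed at, or None when the
    response must be dropped. The code is only ever sent to the token endpoint
    of the issuer the flow was started with, and only if that same issuer
    asserts, via `iss`, that it produced the response.
    """
    params = parse_qs(urlsplit(redirect_url).query)
    state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    iss = params.get("iss", [None])[0]

    expected = PENDING.pop(state, None)      # state is single-use
    if expected is None or code is None:
        return None                          # unknown or replayed state, or no code
    if iss is None:
        return None                          # no issuer assertion: treat as a mix-up attempt
    if iss != expected:
        return None                          # response came from a different AS than expected
    return AUTH_SERVERS[expected]["token_endpoint"]
```

In the mix-up case the flow was started with one AS but the response carries the honest AS's `iss`, so the comparison fails and the code is never forwarded anywhere.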