[OAUTH-WG] Re: Call for adoption - First Party Apps

Neil Madden <neil.e.madden@gmail.com> Tue, 10 September 2024 09:20 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B44C151548 for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 02:20:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.215
X-Spam-Level:
X-Spam-Status: No, score=-1.215 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7p1A6lJ-UC9M for <oauth@ietfa.amsl.com>; Tue, 10 Sep 2024 02:20:13 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87ADEC14F71D for <oauth@ietf.org>; Tue, 10 Sep 2024 02:20:13 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2f75428b9f8so43983421fa.3 for <oauth@ietf.org>; Tue, 10 Sep 2024 02:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725960011; x=1726564811; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=c8AKp/DarUBlYlbVwUQFmo0InTe1TBl7bxLQoLYqPDU=; b=QFzyyP/dm/A2Wh4EU4Wt0rdg/R+kQ0TxJBkSNrO9T074rCxlk+3QGPluYQrIqrIQi9 Bg1miPVPz/C7nTzCnxESwRS8urhW3+qYLIHDOtu8UL5oe0flHRHneG1TKBWlyculJbbb 0+Rbj3sX4BWcQ+u9Ibv4mbZ4NYM9oNwuAdieKodgohq3Lg2aNGBU6dswfflJtP3ukkBU F9HaicpkER1p+HwcFpbvhuENJZ7FFf6NzbSUGvQwCHuFjDjhTkmFIJLognFVK+W7wa5p zlQJpNklYePgTFp5qBd7JUcdJMoT1OVnbHLDyVn2i89Y5eSC6PxJ3VEjcSFJVM8bW7Gs ARnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725960011; x=1726564811; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=c8AKp/DarUBlYlbVwUQFmo0InTe1TBl7bxLQoLYqPDU=; b=h0NOOAdc3ToAnnguCjDlBjgAKHcgOSgQ51vprooekOxFJ7swSvWhKSZOQdRZ4W2EtH ENRqcEF2Jzy1ZlET0TXRKAUfplBXaU+5R2VRBv8y4jrIWBslh6KmbKiXi+IjklJ2O2Vz s7RQC52bZCKgwFt4t8qPn9/QeiNOi+UkXxJGHVTmFyLjgeCImyPnybakOQS3kwtthiCX jf+SVj8xLWIG5ST7SwTiAtrH3gDNSYkDUK1ZGWrOTzPAsOdXDW489/iHzep5LlpvbYCn uPOthzRouCjcFrHzwBfMBm9pYcAwiK4WpXkknm7abXoEIJBA19horkSGKnWWnAwlU+Kf Nr5Q==
X-Forwarded-Encrypted: i=1; AJvYcCVlrm7sWrjqUDAdcko5kaEc3XdCHGwM2GfUf6Of7gFBi/O6xHJbPF3JwIxNbLqi075RWeGdCw==@ietf.org
X-Gm-Message-State: AOJu0YyWUqbkV1OUNOPy3yzu9bVO4KkgA89RNXMNR6bIZ1A+LzB556Jt rlP7cbOWjynrRh9C+a/Ka3/QNcn0Bu+w2X2O2GfaIpbFYvGgb4sENOtWSw==
X-Google-Smtp-Source: AGHT+IE0pKaa+LkHU635OT9Md4HnQfzFFwMb8Ak556tcA7qSiQpNTfvn/BWGt90iXMMEbeiXHsZorg==
X-Received: by 2002:a05:651c:2126:b0:2f3:e2fd:aae0 with SMTP id 38308e7fff4ca-2f75a96ea93mr101784121fa.6.1725960010191; Tue, 10 Sep 2024 02:20:10 -0700 (PDT)
Received: from smtpclient.apple ([2a00:23ee:10b8:922:3d6c:203a:f1b0:125a]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a8d25cf4a45sm450968066b.180.2024.09.10.02.20.09 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 10 Sep 2024 02:20:09 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-9EB0028D-403F-4230-9282-EFC8013A323B"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Tue, 10 Sep 2024 10:19:59 +0100
Message-Id: <FB914BDA-A2E1-4D32-963C-1A7E9BD49F52@gmail.com>
References: <CACZ9TyC3gTnwCwkmcwZ8JBm=vFrEErhw=2ULKU8vVNJMpJGjWQ@mail.gmail.com>
In-Reply-To: <CACZ9TyC3gTnwCwkmcwZ8JBm=vFrEErhw=2ULKU8vVNJMpJGjWQ@mail.gmail.com>
To: Tim Cappalli <tim.cappalli@okta.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: FPN3QAVWO64YHPYUQWX7RYENEUSEWM43
X-Message-ID-Hash: FPN3QAVWO64YHPYUQWX7RYENEUSEWM43
X-MailFrom: neil.e.madden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MRbCLh14hPH8wBJxuZjSBLPLnbU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

The draft is motivated by allowing native apps to provide a login journey for OAuth rather than using the browser. This encourages people to input credentials directly into apps, which (a) directly contradicts the advice in the security BCP, and (b) opens up users to significantly more attack vectors (including that the phishing-resistance of FIDO is significantly weakened). We shouldn’t be encouraging this. 

— Neil

On 5 Sep 2024, at 15:48, Tim Cappalli <tim.cappalli@okta.com> wrote:


IMO, we're getting very off topic here. The WebAuthn text is not part of the draft being called for adoption.

On Thu, Sep 5, 2024 at 2:15 AM Neil Madden <neil.e.madden@gmail.com> wrote:
On 5 Sep 2024, at 05:45, David Waite <david@alkaline-solutions.com> wrote:
>
> 
>
>> On Sep 4, 2024, at 4:27 PM, Neil Madden <neil.e.madden@gmail.com> wrote:
>>
>>> On 4 Sep 2024, at 22:48, Watson Ladd <watsonbladd@gmail.com> wrote:
>>>
>>> I can always grab the cookie jar off the user browser if I have that
>>> level of access.
>>
>> USB access is not privileged, but that’s beside the point.
>
>>
>> Put another way, the phishing-resistance of WebAuthn only really makes sense in a world of sandboxed apps: web apps, mobile apps. Any spec that encourages the use of OAuth auth flows outside of such sandboxed environments, as this one potentially does, is going to make defending against phishing harder.
>
> The client is not an identified/authenticated component in the architecture, so there is a user trust required in using a client - that the client actually is an agent acting in the user’s interest rather than acting maliciously.
>
> Platforms have the ability to provide specific API for these interactions to become a trustworthy client, and to block privileged access (including access to speak directly to hardware) behind audited entitlements to prevent from installed software acting as a malicious client.

Right, this is what I mean by sandboxed.

>
> Note that some platforms also provide entitlements and heuristics for password manager access - however, as a knowledge-based system the platform cannot really prevent malicious applications from still attempting to manipulate their way to credential phishing.
>
>>
>> (I’d also question why first-party apps need a standardised API for this anyway: they can do whatever they like using proprietary APIs already).
>
> I would struggle to come up with standards-track RFCs which would not be able to instead be accomplished with proprietary APIs. The editors and working groups found value in peer review and in interoperability.

Standards are for promoting interoperability, not for getting free peer review of private APIs.

>
> I have seen the pitfalls of a proprietary approach to this and would say peer review is important. My primary concern is whether we can have a clients that authenticate against multiple implementing ASes based solely on this work. Profiling authentication methods like passkey-based authentication would go a long way toward alleviating that concern.
>
> -DW

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org