Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4749)
Vladimir Dzhuvinov <vladimir@connect2id.com> Fri, 29 July 2016 06:39 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2BD412B031 for <oauth@ietfa.amsl.com>; Thu, 28 Jul 2016 23:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cu5TDtQA3WRN for <oauth@ietfa.amsl.com>; Thu, 28 Jul 2016 23:39:36 -0700 (PDT)
Received: from p3plsmtpa09-03.prod.phx3.secureserver.net (p3plsmtpa09-03.prod.phx3.secureserver.net [173.201.193.232]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 080A2124281 for <oauth@ietf.org>; Thu, 28 Jul 2016 23:39:35 -0700 (PDT)
Received: from [192.168.1.9] ([46.10.70.150]) by p3plsmtpa09-03.prod.phx3.secureserver.net with id QWfX1t0013EY5i601WfY3w; Thu, 28 Jul 2016 23:39:35 -0700
To: Jim Manico <jim@manicode.com>, Justin Richer <jricher@mit.edu>
References: <20160726204839.0874EB81C1A@rfc-editor.org> <D4C83BE2-7754-4968-AA91-F34E04978963@manicode.com> <E0EC9EC3-EDD7-49D4-8346-83326FC29DA5@mit.edu> <76BFF944-7B23-4CF6-8EFC-3FBFBF207FBF@manicode.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <f3dabfa2-a36c-8043-6a3f-6aeb00bba641@connect2id.com>
Date: Fri, 29 Jul 2016 09:39:30 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <76BFF944-7B23-4CF6-8EFC-3FBFBF207FBF@manicode.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070904090602080404020402"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M_Z36b6UP3gGIJbBCe5l51fyE8o>
Cc: Derek Atkins <derek@ihtfp.com>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (4749)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 06:39:37 -0000
On 29/07/16 06:09, Jim Manico wrote: > Thank you Justin, comments inline. > >> These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really). > This still sounds like sensitive data, and I don't understand the relevance of "human memorable". If time allows can you tell me more? > >> Also, this needs to be used over TLS. > Sure, but the problems of HTTP Basic are well established and go beyond TLS (no timeout, included in each request, cached by the browser for that window session, etc). The browser is not involved in the token request. One alternative to HTTP Basic (and its POST variant) is for the client to authenticate by submitting a JWT hashed with the client secret, or a JWT signed with an RSA or EC key that was previously registered with the AS: https://tools.ietf.org/html/rfc7523#section-2.2 I find JWT auth the more secure method, as it mitigates against some attacks previously discussed here. And it also lessens the potential security damage if the client accidentally makes a plain HTTP request to the token endpoint (the client_secret itself is not leaked). > >> The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the client’s secret. With that in mind, Digest doesn’t buy you much. > So this looks like a way to transport the client id and secret. Wouldn't some form of "strong authentication" like mutual TLS or similar be a better default standard? The OAuth 2 threat model makes this exact recommendation. > > Respectfully, > -- > Jim Manico > @Manicode > Secure Coding Education > +1 (808) 652-3805 > >> On Jul 28, 2016, at 4:25 PM, Justin Richer <jricher@mit.edu> wrote: >> >> These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really). Also, this needs to be used over TLS. The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the client’s secret. With that in mind, Digest doesn’t buy you much. >> >> — Justin >> >>> On Jul 26, 2016, at 8:08 PM, Jim Manico <jim@manicode.com> wrote: >>> >>> Please forgive me if this comment is out of order or inappropriate in any way... >>> >>> ...but why is HTTP Basic even being discussed in 2016? It has horrific security properties at multiple levels; shouldn't we at least move to HTTP Digest if not something stronger? >>> >>> Regards. >>> -- >>> Jim Manico >>> @Manicode >>> >>>> On Jul 26, 2016, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: >>>> >>>> The following errata report has been submitted for RFC6749, >>>> "The OAuth 2.0 Authorization Framework". >>>> >>>> -------------------------------------- >>>> You may review the report below and at: >>>> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4749 >>>> >>>> -------------------------------------- >>>> Type: Technical >>>> Reported by: Phil Hunt <phil.hunt@oracle.com> >>>> >>>> Section: 2.3.1 >>>> >>>> Original Text >>>> ------------- >>>> Clients in possession of a client password MAY use the HTTP Basic >>>> authentication scheme as defined in [RFC2617] to authenticate with >>>> the authorization server. The client identifier is encoded using the >>>> "application/x-www-form-urlencoded" encoding algorithm per >>>> Appendix B, and the encoded value is used as the username; the client >>>> password is encoded using the same algorithm and used as the >>>> password. The authorization server MUST support the HTTP Basic >>>> authentication scheme for authenticating clients that were issued a >>>> client password. >>>> >>>> Corrected Text >>>> -------------- >>>> Clients in possession of a client password MAY use the HTTP Basic >>>> authentication scheme as defined in [RFC2617] to authenticate with >>>> the authorization server. The client identifier is encoded using the >>>> "application/x-www-form-urlencoded" encoding algorithm per >>>> Appendix B, and the encoded value is used as the username; the client >>>> password is encoded using the same algorithm and used as the >>>> password. The url encoded values are then encoded as defined in >>>> [RFC2617]. The authorization server MUST support the HTTP Basic >>>> authentication scheme for authenticating clients that were issued a >>>> client password. >>>> >>>> Notes >>>> ----- >>>> It was not clear to some implementers that the intention is a 2-step encoding. First for special characters and second the 2617 base 64 encoding. Implementers thought 6749 was in conflict with 2617. >>>> >>>> To avoid inter-op issues, a new clarifying sentence is proposed. >>>> "The url encoded values are then encoded as defined in [RFC2617]." >>>> >>>> Instructions: >>>> ------------- >>>> This erratum is currently posted as "Reported". If necessary, please >>>> use "Reply All" to discuss whether it should be verified or >>>> rejected. When a decision is reached, the verifying party (IESG) >>>> can log in to change the status and edit the report, if necessary. >>>> >>>> -------------------------------------- >>>> RFC6749 (draft-ietf-oauth-v2-31) >>>> -------------------------------------- >>>> Title : The OAuth 2.0 Authorization Framework >>>> Publication Date : October 2012 >>>> Author(s) : D. Hardt, Ed. >>>> Category : PROPOSED STANDARD >>>> Source : Web Authorization Protocol >>>> Area : Security >>>> Stream : IETF >>>> Verifying Party : IESG >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Jim Manico
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Phil Hunt (IDM)
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Jim Manico
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Justin Richer
- [OAUTH-WG] [Technical Errata Reported] RFC6749 (4… RFC Errata System