IETF Logo Mail Archive

Re: [OAUTH-WG] Section 10.1 (Client authentication)

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 25 July 2011 16:06 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBFFB21F8BDE for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 09:06:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.248
X-Spam-Level:
X-Spam-Status: No, score=-1.248 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YOTwqth7njqc for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 09:06:18 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.29.23]) by ietfa.amsl.com (Postfix) with ESMTP id 2739721F8BE0 for <oauth@ietf.org>; Mon, 25 Jul 2011 07:10:52 -0700 (PDT)
Received: from [130.129.17.214] by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1QlLrm-0000fF-9J; Mon, 25 Jul 2011 16:10:43 +0200
Message-ID: <4E2D7960.9010603@lodderstedt.net>
Date: Mon, 25 Jul 2011 10:10:40 -0400
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <CA375AE0.160C6%eran@hueniverse.com> <cc961fcb-52d4-4e06-8207-72a8f2825c4e@email.android.com> <90C41DD21FB7C64BB94121FBBC2E7234501D49FF7C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cefdbc23-87f2-4525-adb4-768b97606785@email.android.com> <90C41DD21FB7C64BB94121FBBC2E7234501D4A0024@P3PW5EX1MB01.EX1.SECURESERVER.NET> <44df5477-8c5c-47c4-bb29-6a154cd10848@email.android.com> <90C41DD21FB7C64BB94121FBBC2E72345021F378B3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345021F378B3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/alternative; boundary="------------090505000108060009020806"
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 10.1 (Client authentication)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 16:06:19 -0000

+1

Am 25.07.2011 02:16, schrieb Eran Hammer-Lahav:
>
> How about, add this to 10.1:
>
>           When client authentication is not possible, the 
> authorization server SHOULD employ other
>
>           means to validate the client's identity. For example, by 
> requiring the registration of
>
>           the client redirection URI or enlisting the resource owner 
> to confirm identity. The
>
>           authorization server must consider the security implications 
> of interacting with
>
>           unauthenticated clients and take measures to limit the 
> potential exposure of other
>
>           credentials (e.g. refresh tokens) issued to such clients.
>
> EHL
>
> *From:*Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> *Sent:* Sunday, July 10, 2011 1:59 AM
> *To:* Eran Hammer-Lahav; OAuth WG
> *Subject:* RE: Section 10.1 (Client authentication)
>
> Hi,
>
> I just remembered the original aim of the text. We not just intended 
> to list alternative means but to get a general message across: If you 
> cannot authenticate a client considers this in your security design! 
> Either (1) you accept the fact the respective identities can be forged 
> and handle them as untrusted entities through your logic (as far as I 
> remember Skylar suggested the term forgeable clients) or (2) you find 
> other ways to establish trust in the client's identity.
>
> The effect of (1) depends on the security policy of the certain 
> deployment and the risk associated with certain functions. It could 
> e.g. mean to rely on the id to aggregate log entries (not critical) 
> but never to automatically process authz processes or settle payment 
> transaction.
>
> Examples for (2) are: redirect uri validation, relying on the user to 
> identify the client, and (subsequently) use refresh tokens as mean for 
> client authentication. I don't think we can give a complete list of 
> means here since I assume some deployments will have their own 
> capabilities.
>
> Please also note: redirect uri validation is not an adequate 
> replacement for client authentication. It's not effective for native 
> apps and useless if the attacker uses a native app (no matter whether 
> the legitimate client is a web, user agent based or native app).
>
> regards,
> Torsten.
>
>
>
> Eran Hammer-Lahav <eran@hueniverse.com <mailto:eran@hueniverse.com>> 
> schrieb:
>
> Hey Torsten,
>
> The provided text and alternative text are just not helpful. If I am unable to understand it, I have doubt other readers will be able to.
>
> I don't know what you mean by 'other means' which are not already described in the document (based on -17). Referencing the security thread model document in a normative reference requires making it a normative reference which I am opposed to doing - the v2 document should include everything needed to implement the protocol without any additional specifications (for the core functionality).
>
> When I was asking for examples, I was hoping for something like 'for example, use x, y, or z', not a reference to about 10 pages of text (which by itself is pretty confusing, but that's a different issue - I hope to find the time to provide detailed feedback for that document).
>
> I think the current document makes a pretty
> good case for using the redirection URI as a form of client validation, and clearly lays out the differences between a public and private client. It has new requirements for the registration of redirection URIs when client authentication is not possible.
>
> If there are specific things the authorization server can do to improve security beyond client authentication, we should list them explicitly in the document.
>
> Can you list exactly what you have in mind by 'other means'? Just the bullet points will be enough.
>
> EHL
>
>
> >  -----Original Message-----
> >  From: Torsten Lodderstedt[mailto:torsten@lodderstedt.net]  <mailto:[mailto:torsten@lodderstedt.net]>
> >  Sent: Friday, July 08, 2011 12:59 AM
> >  To: Eran Hammer-Lahav; OAuth WG
> >  Subject: RE: Section 10.1 (Client authentication)
> >
> >  seems you are contradicting yourself.
> >
> >  You criticised the MUST and suggested to include some examples. I bought
> >  into your
> argument and suggested to refer to the security doc for examples
> >  and additional explanations. That's what this document is intended for, to
> >  provide background beyond what we can cover in the core spec.
> >
> >  And I don't think the spec already makes that point. But you are free to refer
> >  me to the respective text.
> >
> >  regards,
> >  Torsten.
> >
> >
> >
> >  Eran Hammer-Lahav<eran@hueniverse.com  <mailto:eran@hueniverse.com>>  schrieb:
> >
> >  >I still don’t find it useful. I think the existing text overall makes
> >  >this point already.
> >  >
> >  >EHL
> >  >
> >  >From: Torsten Lodderstedt[mailto:torsten@lodderstedt.net]  <mailto:[mailto:torsten@lodderstedt.net]>
> >  >Sent: Wednesday, July 06, 2011 12:48 AM
> >  >To: Eran Hammer-Lahav; OAuth WG
> >  >Subject: Re: Section 10.1 (Client authentication)
> >  >
> >  >Hi Eran,
> >  >
> >  >I would
> suggest to change it to SHOULD and add a reference to
> >  >https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00  sections
> >  >3.7 and 5.2.3.
> >  >
> >  >regards,
> >  >Torsten.
> >  >
> >  >
> >  >Eran Hammer-Lahav
> >  <eran@hueniverse.com<mailto:eran@hueniverse.com  <mailto:eran@hueniverse.com%3cmailto:eran@hueniverse.com>>>
> >  >schrieb:
> >  >It's a pointless MUST given how undefined the requirements are. It will
> >  >only be understood by security experts and they don't really need it.
> >  >At a minimum, it needs some examples.
> >  >
> >  >EHL
> >  >
> >  >From: Torsten Lodderstedt
> >  ><torsten@lodderstedt.net<mailto:torsten@lodderstedt.net  <mailto:torsten@lodderstedt.net%3cmailto:torsten@lodderstedt.net>>>
> >  >Date: Wed, 1 Jun 2011 00:53:37 -0700
> >  >To: Eran Hammer-lahav
> >
> ><eran@hueniverse.com<mailto:eran@hueniverse.com  <mailto:eran@hueniverse.com%3cmailto:eran@hueniverse.com>>>, OAuth WG
> >  ><oauth@ietf.org<mailto:oauth@ietf.org  <mailto:oauth@ietf.org%3cmailto:oauth@ietf.org>>>
> >  >Subject: Section 10.1 (Client authentication)
> >  >
> >  >Hi Eran,
> >  >
> >  >would you please add the following sentence (which was contained in the
> >  >original security considerations text) to the second paragraph of
> >  >section 1.0.1?
> >  >
> >  >Alternatively, authorization servers MUST utilize
> >  >     other means than client authentication to achieve their security
> >  >     objectives.
> >  >
> >  >
> >  >I think it's important to state that authorization server should
> >  >consider alternative way to validate the client identity if secrets
> >  >cannot be used. The security threat document also suggest some.
> >  >
> >  >regards,
> >  >Torsten.

v2.23.0 | Report a Bug | By Email