Re: [OAUTH-WG] Section 10.1 (Client authentication)
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 25 July 2011 16:06 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBFFB21F8BDE for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 09:06:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.248
X-Spam-Level:
X-Spam-Status: No, score=-1.248 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YOTwqth7njqc for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 09:06:18 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.29.23]) by ietfa.amsl.com (Postfix) with ESMTP id 2739721F8BE0 for <oauth@ietf.org>; Mon, 25 Jul 2011 07:10:52 -0700 (PDT)
Received: from [130.129.17.214] by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1QlLrm-0000fF-9J; Mon, 25 Jul 2011 16:10:43 +0200
Message-ID: <4E2D7960.9010603@lodderstedt.net>
Date: Mon, 25 Jul 2011 10:10:40 -0400
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <CA375AE0.160C6%eran@hueniverse.com> <cc961fcb-52d4-4e06-8207-72a8f2825c4e@email.android.com> <90C41DD21FB7C64BB94121FBBC2E7234501D49FF7C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <cefdbc23-87f2-4525-adb4-768b97606785@email.android.com> <90C41DD21FB7C64BB94121FBBC2E7234501D4A0024@P3PW5EX1MB01.EX1.SECURESERVER.NET> <44df5477-8c5c-47c4-bb29-6a154cd10848@email.android.com> <90C41DD21FB7C64BB94121FBBC2E72345021F378B3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345021F378B3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/alternative; boundary="------------090505000108060009020806"
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Section 10.1 (Client authentication)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 16:06:19 -0000
+1 Am 25.07.2011 02:16, schrieb Eran Hammer-Lahav: > > How about, add this to 10.1: > > When client authentication is not possible, the > authorization server SHOULD employ other > > means to validate the client's identity. For example, by > requiring the registration of > > the client redirection URI or enlisting the resource owner > to confirm identity. The > > authorization server must consider the security implications > of interacting with > > unauthenticated clients and take measures to limit the > potential exposure of other > > credentials (e.g. refresh tokens) issued to such clients. > > EHL > > *From:*Torsten Lodderstedt [mailto:torsten@lodderstedt.net] > *Sent:* Sunday, July 10, 2011 1:59 AM > *To:* Eran Hammer-Lahav; OAuth WG > *Subject:* RE: Section 10.1 (Client authentication) > > Hi, > > I just remembered the original aim of the text. We not just intended > to list alternative means but to get a general message across: If you > cannot authenticate a client considers this in your security design! > Either (1) you accept the fact the respective identities can be forged > and handle them as untrusted entities through your logic (as far as I > remember Skylar suggested the term forgeable clients) or (2) you find > other ways to establish trust in the client's identity. > > The effect of (1) depends on the security policy of the certain > deployment and the risk associated with certain functions. It could > e.g. mean to rely on the id to aggregate log entries (not critical) > but never to automatically process authz processes or settle payment > transaction. > > Examples for (2) are: redirect uri validation, relying on the user to > identify the client, and (subsequently) use refresh tokens as mean for > client authentication. I don't think we can give a complete list of > means here since I assume some deployments will have their own > capabilities. > > Please also note: redirect uri validation is not an adequate > replacement for client authentication. It's not effective for native > apps and useless if the attacker uses a native app (no matter whether > the legitimate client is a web, user agent based or native app). > > regards, > Torsten. > > > > Eran Hammer-Lahav <eran@hueniverse.com <mailto:eran@hueniverse.com>> > schrieb: > > Hey Torsten, > > The provided text and alternative text are just not helpful. If I am unable to understand it, I have doubt other readers will be able to. > > I don't know what you mean by 'other means' which are not already described in the document (based on -17). Referencing the security thread model document in a normative reference requires making it a normative reference which I am opposed to doing - the v2 document should include everything needed to implement the protocol without any additional specifications (for the core functionality). > > When I was asking for examples, I was hoping for something like 'for example, use x, y, or z', not a reference to about 10 pages of text (which by itself is pretty confusing, but that's a different issue - I hope to find the time to provide detailed feedback for that document). > > I think the current document makes a pretty > good case for using the redirection URI as a form of client validation, and clearly lays out the differences between a public and private client. It has new requirements for the registration of redirection URIs when client authentication is not possible. > > If there are specific things the authorization server can do to improve security beyond client authentication, we should list them explicitly in the document. > > Can you list exactly what you have in mind by 'other means'? Just the bullet points will be enough. > > EHL > > > > -----Original Message----- > > From: Torsten Lodderstedt[mailto:torsten@lodderstedt.net] <mailto:[mailto:torsten@lodderstedt.net]> > > Sent: Friday, July 08, 2011 12:59 AM > > To: Eran Hammer-Lahav; OAuth WG > > Subject: RE: Section 10.1 (Client authentication) > > > > seems you are contradicting yourself. > > > > You criticised the MUST and suggested to include some examples. I bought > > into your > argument and suggested to refer to the security doc for examples > > and additional explanations. That's what this document is intended for, to > > provide background beyond what we can cover in the core spec. > > > > And I don't think the spec already makes that point. But you are free to refer > > me to the respective text. > > > > regards, > > Torsten. > > > > > > > > Eran Hammer-Lahav<eran@hueniverse.com <mailto:eran@hueniverse.com>> schrieb: > > > > >I still don’t find it useful. I think the existing text overall makes > > >this point already. > > > > > >EHL > > > > > >From: Torsten Lodderstedt[mailto:torsten@lodderstedt.net] <mailto:[mailto:torsten@lodderstedt.net]> > > >Sent: Wednesday, July 06, 2011 12:48 AM > > >To: Eran Hammer-Lahav; OAuth WG > > >Subject: Re: Section 10.1 (Client authentication) > > > > > >Hi Eran, > > > > > >I would > suggest to change it to SHOULD and add a reference to > > >https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00 sections > > >3.7 and 5.2.3. > > > > > >regards, > > >Torsten. > > > > > > > > >Eran Hammer-Lahav > > <eran@hueniverse.com<mailto:eran@hueniverse.com <mailto:eran@hueniverse.com%3cmailto:eran@hueniverse.com>>> > > >schrieb: > > >It's a pointless MUST given how undefined the requirements are. It will > > >only be understood by security experts and they don't really need it. > > >At a minimum, it needs some examples. > > > > > >EHL > > > > > >From: Torsten Lodderstedt > > ><torsten@lodderstedt.net<mailto:torsten@lodderstedt.net <mailto:torsten@lodderstedt.net%3cmailto:torsten@lodderstedt.net>>> > > >Date: Wed, 1 Jun 2011 00:53:37 -0700 > > >To: Eran Hammer-lahav > > > ><eran@hueniverse.com<mailto:eran@hueniverse.com <mailto:eran@hueniverse.com%3cmailto:eran@hueniverse.com>>>, OAuth WG > > ><oauth@ietf.org<mailto:oauth@ietf.org <mailto:oauth@ietf.org%3cmailto:oauth@ietf.org>>> > > >Subject: Section 10.1 (Client authentication) > > > > > >Hi Eran, > > > > > >would you please add the following sentence (which was contained in the > > >original security considerations text) to the second paragraph of > > >section 1.0.1? > > > > > >Alternatively, authorization servers MUST utilize > > > other means than client authentication to achieve their security > > > objectives. > > > > > > > > >I think it's important to state that authorization server should > > >consider alternative way to validate the client identity if secrets > > >cannot be used. The security threat document also suggest some. > > > > > >regards, > > >Torsten.
- [OAUTH-WG] Section 10.1 (Client authentication) Torsten Lodderstedt
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Eran Hammer-Lahav
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Torsten Lodderstedt
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Eran Hammer-Lahav
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Torsten Lodderstedt
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Eran Hammer-Lahav
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Torsten Lodderstedt
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Eran Hammer-Lahav
- Re: [OAUTH-WG] Section 10.1 (Client authenticatio… Torsten Lodderstedt