Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
Denis <denis.ietf@free.fr> Mon, 27 March 2017 08:46 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 147641294CF for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 01:46:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.608
X-Spam-Level:
X-Spam-Status: No, score=-0.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kptCHw5SWhgn for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 01:46:42 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6FAD1294B8 for <oauth@ietf.org>; Mon, 27 Mar 2017 01:46:41 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 6E37178039D; Mon, 27 Mar 2017 10:46:38 +0200 (CEST)
To: Nat Sakimura <sakimura@gmail.com>, oauth@ietf.org
References: <148858532832.15846.17124635719619343122.idtracker@ietfa.amsl.com> <CY4PR21MB0504F842748771485358717AF5380@CY4PR21MB0504.namprd21.prod.outlook.com> <9905FF1B-0E4A-459B-8322-6AC143092D42@lodderstedt.net> <2452F93F-BC4D-4F42-AD4C-85A0672BFBE8@adobe.com> <CABzCy2D=0kTCOgV2VAmR+BLUzsp0x58yq8S8+mykRoqC2mtuQw@mail.gmail.com> <9c814ef0-4df3-35ed-5453-dd8cad91b910@free.fr> <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <45feb0e5-d1e3-ca5a-e8c1-f9b44768d09b@free.fr>
Date: Mon, 27 Mar 2017 10:46:41 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2AqK0rCRRZ1w_KXiKNbzjqwSx+OMS2nSXnfjLsuE-cgvg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------54E61668499F5CFFC49EA366"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Np9xaUqP-smWiBDWULJTJ6KP9PU>
Subject: Re: [OAUTH-WG] oauth - Requested sessions have been scheduled for IETF 98
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 08:46:48 -0000
Hi Nat, At present, I do not support the adoption of this document as a WG document since the different techniques that are being proposed have severe problems: * When the JWT contains a jwk , jwkt#s256 or jwe, the method is ineffective in case of a collusion between two users (ABC attack). * When the JWT contains a x5t#s256, the JWT is linked to a hash value of a certificate included in the JWT. The server then knows a unique identifier of the user. Such a method allows an easy linkage between all the accounts of a given user on different resource servers, even when the JWT only contains non-directly identifiable attributes. Hence, it does not respect 'privacy by design' principles. In addition, if a fixed value is being used for the audience restriction parameter, e.g. a URL of the server, then the authorization server can easily know where the access tokens will be used and thus it will be in a position to act as Big Brother. You may however continue to progress this document as an individual contribution. Denis PS. I will not subscribe to bitbucket.org because I don't agree with the conditions of this site. > Hi Denis, > > Thanks. > > Is it possible to file these separately at > https://bitbucket.org/Nat/oauth-rjwtprof/issues?status=new&status=open so > that each issue can be closed separately? (You need to login to > bitbucket to do so.) Pull request would be nice, too, but we are going > to do a bit of surgery on the spec as of now, so it might be wise to > wait till after that to avoid conflicts. > > Also, it is not yet a WG document so please support it become one. > > Best, > > Nat Sakimura > > On Wed, Mar 22, 2017 at 5:15 AM Denis <denis.ietf@free.fr > <mailto:denis.ietf@free.fr>> wrote: > > Hi Nat, > > > I have several comments on draft-sakimura-oauth-jpop-01 related to > security or privacy. > > > 1.The abstract states: > > Only the party in possession of a corresponding cryptographic key > with the Jpop token can use it to get access > to the associated resources unlike in the case of the bearer token > described in [RFC6750] where any party > in possession of the access token can access the resource. > > This is incorrect. > > Replace with: > > Any party able to use a corresponding private cryptographic key > with the Jpop token can use it to get access > to the associated resources unlike in the case of the bearer token > described in [RFC6750] where any party > in possession of the access token can access the resource. > > 2.In section 3, the text states: > > audThe identifier of the resource server. > > According to the content of RFC 7800: > > The "aud" (audience) claim identifies the recipients that the JWT > is intended for. The interpretation of audience values is > application specific. > > Replace with: > > audThe recipients that the JWT is intended for (the interpretation > of audience values is application specific). > > 3.In section 3, the text states: > > cnfThe confirmation method. > > Their semantics are defined in [RFC7519] and [RFC7800] > > > This is incorrect: cnf is neither defined in [RFC7519] nor in > [RFC7800]. > > 4.In section 6.2, the text states: > > For this, the following steps are taken: > > 1.The client prepares a nonce. > > 2.The client creates JWS compact serialization over the nonce > > > JSON Web Token Claims are listed at: > https://www.iana.org/assignments/jwt/jwt.xhtml > > "nonce" has not been defined by the IANA, but is mentioned in > OpenID Connect Core 1.0 incorporating errata set 1. It is > described as : > > nonce > > String value used to associate a Client session with an ID Token, > and to mitigate replay attacks. The value is passed through > unmodified from the Authentication Request to the ID Token. If > present in the ID Token, Clients MUST verify that the nonce > Claim Value is equal to the value of the nonceparameter sent in > the Authentication Request. If present in the Authentication Request, > Authorization Servers MUST include a nonceClaim in the ID Token > with the Claim Value being the nonce value sent in the > Authentication Request. > Authorization Servers SHOULD perform no other processing on > noncevalues used. The noncevalue is a case sensitive string. > > I have several observations: > > a)there is some difficulty to mandate the use of a parameter that > is not registered by IANA. > > b)the further processing of the nonce is not indicated in the text > > c) The last sentence from the above description states: > "Authorization Servers SHOULD perform no other processing on > noncevalues used" > There is a practical problem with such a sentence since > Authorization Servers would need to remember nonces for ever. > Either that sentence should be deleted or the nonce shall be only > used with a UTC time parameter included in the Authentication Request. > > In any case, the definition of a nonce as specified in OpenID > Connect Core 1.0 incorporating errata set 1 should not be used and > another parameter > (e.g. rdn for random) should be defined and registered by IANA and > used in combination with a UTC time parameter included in the > Authentication Request. > In this way, only the rdn received during the last X minutes will > need to be remembered by the Authorization Servers. > > > 5.The title of section 9.1 is: "Certificate validation" > > Change the title of this section into : > > "9.1. Common Name Constrained Token" > > 6.In section 9.1, the text states: > > The "cn" JWT confirmation method relies its security property on the > > X.509 client certificate authentication. > > Replace with: > > The "cn" JWT confirmation method relies its security property by > the inclusion of the Common Name (CN) > that is part of the Distinguished Name (DN) of an X.509 > certificate. The JWT is linked to the common name > included in the certificate. Such a method is not privacy friendly > since it allows an easy linkage between > all the accounts of a given user on different resource servers. > > 7.Add a new section 9.2 to deal with the case of the cid. > > Proposed text: > > 9.2. Client ID Constrained Token > > The "cid" JWT confirmation method relies its security property on > the assumption that the cid legitimately > used by one server cannot be used by another user. It also relies > on the assumption that the authentication data > associated with "cid" combined with the "iss" will only be used by > the legitimate user. This method is ineffective > in case of a collusion between two users, since one user can > perform all the computations needed by the other user. > > 8.In section 9.2, the text states: > > The client’s secret key must be kept securely. Otherwise, the > notion of PoP breaks down. > > The PKIX group from the IETF is using the vocabulary private key / > public key when asymmetric cryptography is being used > and secret key when symmetric algorithms are being used (let us > call a spade a spade). > > However, keeping a client's private key securely is not the right > wording either. If the key is kept securely in a secure element > (e.g. smart card), this is not enough, since the holder of the > secure element may use this key for himself ... or worse for the > benefit of someone else. > > Proposed change : > > 9.3. Key Constrained Token > > This method has four variants. > > When the JWT contains a jwk, the JWT confirmation method relies > its security property on the assumption that the private key > associated with the public key contained in the access token will > only be used by the legitimate user. In order to avoid an easy linkage > between user's accounts, this method presents the advantage that > the key pair can be changed for every JWT. However, this method > is ineffective in case of a collusion between two users, since one > user can perform all the computations needed by the other user. > > When the JWT contains a jwkt#s256, the server must have a prior > knowledge of the public key and the method relies its security > property > on the assumption that the private key associated with the public > key contained in the access token will only be used by the > legitimate user. > Hence, this method is ineffective in case of a collusion between > two users, since one user can perform all the computations needed > by the other user. > > When the JWT contains a x5t#s256, the server must have a prior > knowledge of the public key certificate. The JWT is then linked to > a hash value > of a certificate included in the JWT. The server knows a unique > identifier of the user. Such a method is not privacy friendly > since it allows > an easy linkage between all the accounts of a given user on > different resource servers. > > When the JWT contains a jwe, the JWT confirmation method relies > its security property on the assumption that the secret key included > in the JWT will only be used by the legitimate user. In order to > avoid an easy linkage between user's accounts, this method presents > the advantage that the secret key can be changed for every JWT. > However, this method is ineffective in case of a collusion between > two users, > since one user can perform all the computations needed by the > other user. > > 9.The text states in section 9.3: > > 9.3.Audi_a_nce Restriction > > When using the signature method the client must specify to the AS > the aud it intends to send the token to, so that it can be > included in the AT. > > A malicious RS could receive a AT with no aud or a logical > audience and then replay the AT and jws-on-nonce to the actual server. > > > Proposed change in order to address privacy concerns : > > 9.4.Audi_e_nce Restriction > > When using the signature method, the client must specify to the AS > the aud it intends to send the token to, so that it can be > included in the AT. > > RFC 7800 states that the interpretation of audience values is > application specific. If a fixed value is being used, e.g. a URL > of the server, > then the authorization server can easily know where the access > tokens will be used and thus is in a position to act as Big Brother. > It is thus recommended to use a different value in the aud claims > for each access token that contains no semantics in it but that > the resource server > can easily recognize.// > > If a malicious RS receives an AT with no aud or a logical audience > in it then it can replay the AT and jws-on-nonce to another server. > > Denis > > >> HI Chairs, >> >> I would also like to ask 5 min. on Monday (as I cannot be on >> Friday) for >> The OAuth 2.0 Authorization Framework: JWT Pop Token Usage [1]. >> >> [1] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-01 >> >> It is capturing strong and rather urgent demands from the >> financial sector and would be great if it can be considered in >> the WG. >> >> Best, >> >> Nat Sakimura >> >> On Tue, Mar 21, 2017 at 10:28 PM Antonio Sanso <asanso@adobe.com >> <mailto:asanso@adobe.com>> wrote: >> >> hi Torsten, >> >> good one. I personally I am looking forward to see this >> particular document find its way. >> >> IMHO this is something much needed. >> >> regards >> >> antonio >> >> On Mar 21, 2017, at 2:08 PM, Torsten Lodderstedt >> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >> >>> Hi Chairs, >>> >>> I would like to request 5 minutes on Monday to briefly >>> present the status of the security document. This is mainly >>> to raise awareness in the group since I didn’t get that much >>> input on it since Seoul. >>> >>> kind regards, >>> Torsten. >>> >>>> Am 18.03.2017 um 01:52 schrieb Mike Jones >>>> <Michael.Jones@microsoft.com >>>> <mailto:Michael.Jones@microsoft.com>>: >>>> >>>> Hi Chairs, >>>> >>>> I'd like to request that the following presentations be >>>> added to the agenda: >>>> >>>> OAuth Token Exchange (draft-ietf-oauth-token-exchange) - >>>> Mike Jones - 15 minutes >>>> OAuth Authorization Server Metadata >>>> (draft-ietf-oauth-discovery) - Mike Jones - 15 minutes >>>> >>>> I'd also talked with Brian Campbell and I think he wants to >>>> lead this discussion, in part based on his implementation >>>> experience: >>>> >>>> OAuth Token Binding (draft-ietf-oauth-token-binding) - >>>> Brian Campbell - 30 minutes >>>> >>>> (Brian may suggest a different amount of time) >>>> >>>> I agree that William Dennis should present about the OAuth >>>> Device Flow (draft-ietf-oauth-device-flow). >>>> >>>> For completeness, I don't think a presentation is needed >>>> about OAuth AMR Values (draft-ietf-oauth-amr-values) >>>> because it's now completed its IESG review. >>>> >>>> I'll look forward to seeing many of you in just over a week! >>>> >>>> -- Mike >>>> >>>> -----Original Message----- >>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of >>>> "IETF Secretariat" >>>> Sent: Friday, March 3, 2017 3:55 PM >>>> To: oauth-chairs@ietf.org <mailto:oauth-chairs@ietf.org>; >>>> smccammon@amsl.com <mailto:smccammon@amsl.com> >>>> Cc: oauth@ietf.org <mailto:oauth@ietf.org> >>>> Subject: [OAUTH-WG] oauth - Requested sessions have been >>>> scheduled for IETF 98 >>>> >>>> Dear Stephanie McCammon, >>>> >>>> The session(s) that you have requested have been scheduled. >>>> Below is the scheduled session information followed by the >>>> original request. >>>> >>>> oauth Session 1 (2:30:00) >>>> Friday, Morning Session I 0900-1130 >>>> Room Name: Zurich C size: 100 >>>> --------------------------------------------- >>>> oauth Session 2 (1:00:00) >>>> Monday, Afternoon Session III 1710-1810 >>>> Room Name: Zurich C size: 100 >>>> --------------------------------------------- >>>> >>>> >>>> >>>> Request Information: >>>> >>>> >>>> --------------------------------------------------------- >>>> Working Group Name: Web Authorization Protocol Area Name: >>>> Security Area Session Requester: Stephanie McCammon >>>> >>>> Number of Sessions: 2 >>>> Length of Session(s): 2.5 Hours, 1 Hour Number of >>>> Attendees: 50 Conflicts to Avoid: >>>> First Priority: saag core tls tokbind >>>> >>>> >>>> >>>> >>>> People who must be present: >>>> Hannes Tschofenig >>>> Kathleen Moriarty >>>> Derek Atkins >>>> >>>> Resources Requested: >>>> Projector in room >>>> >>>> Special Requests: >>>> Please avoid conflict with sec area BoFs. >>>> --------------------------------------------------------- >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0 >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463058106&sdata=FYIqTvgn1%2Fpjyqw%2BtGhDWgiB0G0ATuL30ap%2B3bLX6aQ%3D&reserved=0 >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7C%7C254d07b9729a4cfc8dd408d4705b73a2%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636256985463068122&sdata=5CIJnWs2VdLM9FUWt%2FWlOxIilp5N2vfr7b9elwhL%2BA4%3D&reserved=0 >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> -- >> >> Nat Sakimura >> >> Chairman of the Board, OpenID Foundation >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > -- > > Nat Sakimura > > Chairman of the Board, OpenID Foundation >
- [OAUTH-WG] oauth - Requested sessions have been s… "IETF Secretariat"
- Re: [OAUTH-WG] oauth - Requested sessions have be… Mike Jones
- Re: [OAUTH-WG] oauth - Requested sessions have be… Brian Campbell
- Re: [OAUTH-WG] oauth - Requested sessions have be… Torsten Lodderstedt
- Re: [OAUTH-WG] oauth - Requested sessions have be… Antonio Sanso
- Re: [OAUTH-WG] oauth - Requested sessions have be… Nat Sakimura
- Re: [OAUTH-WG] oauth - Requested sessions have be… Denis
- Re: [OAUTH-WG] oauth - Requested sessions have be… Nat Sakimura
- Re: [OAUTH-WG] oauth - Requested sessions have be… Denis
- Re: [OAUTH-WG] oauth - Requested sessions have be… Nat Sakimura
- Re: [OAUTH-WG] oauth - Requested sessions have be… Denis
- Re: [OAUTH-WG] oauth - Requested sessions have be… Benjamin Kaduk
- Re: [OAUTH-WG] oauth - Requested sessions have be… Benjamin Kaduk