Re: [OAUTH-WG] [Unbearable] Scoping of keys on the client.
John Bradley <ve7jtb@ve7jtb.com> Fri, 13 March 2015 21:21 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ECC61A879E for <oauth@ietfa.amsl.com>; Fri, 13 Mar 2015 14:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3IPE_EU9pFQ for <oauth@ietfa.amsl.com>; Fri, 13 Mar 2015 14:21:10 -0700 (PDT)
Received: from mail-qg0-f46.google.com (mail-qg0-f46.google.com [209.85.192.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 282011A8873 for <oauth@ietf.org>; Fri, 13 Mar 2015 14:21:06 -0700 (PDT)
Received: by qgfh3 with SMTP id h3so29155955qgf.2 for <oauth@ietf.org>; Fri, 13 Mar 2015 14:21:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=DncSVLDpanxDdcLy0F8O/4bOZ32JoyGOiyEYEYpaNSM=; b=hXhO/B5OCzwi7Mf06Z5JmSL7XnDU5Eq4lbBX7+8ulcT1sCME4ovVT7fmpgkTYDyfdZ iTzEy0yBZ3uEn01BKZa+6rJ8Y4rF1v9gvNI/gHV8duOvCjJY3FyZPwMnv06VWZwu00dU tWWJz7wjZlFHjl61XkSShRRxBMCKCPAVrV+bUmf44tqwYJrcuV/x0cue2ywjtAVjq44Y U3yc3TCKV7qSaYIG08Xr49GS4L4c9MpFJqjUAo4ESNfz8Rl6FkS4F+tNzx3I4/PonqOH Vuf9u3BB+u+X2ZzbkoJ+WkPI/vFA1nqXXdDA8BM/sdbXYlSRWrDIM4LYxVGuZ+7L6KkR bozg==
X-Gm-Message-State: ALoCoQln605jxQoFlrMqiMqn6YCDo7Lripd/vsXuPWigUZp6qs9yk5PRIKo7t1fhm8OOJquJQnof
X-Received: by 10.229.68.136 with SMTP id v8mr61466487qci.16.1426281665342; Fri, 13 Mar 2015 14:21:05 -0700 (PDT)
Received: from [192.168.8.101] ([181.202.25.120]) by mx.google.com with ESMTPSA id u194sm2197692qhd.36.2015.03.13.14.21.03 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 13 Mar 2015 14:21:04 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_A15129A1-D546-4305-AD1F-38508FBFB473"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <2E82C711-8A32-48D0-913B-EFB09865AEDF@oracle.com>
Date: Fri, 13 Mar 2015 18:20:59 -0300
Message-Id: <28F9966C-0101-4EDB-8445-BC35C549BFD5@ve7jtb.com>
References: <23715BE4-920C-497D-9C15-BF4CF49211E6@ve7jtb.com> <BN3PR0301MB1250B72035FC7C3D24211CA28C070@BN3PR0301MB1250.namprd03.prod.outlook.com> <C520EF34-655A-49FA-B7A2-801BF5E4E5A6@oracle.com> <723006D8-4253-451E-BBCE-214FF9441706@ve7jtb.com> <2E82C711-8A32-48D0-913B-EFB09865AEDF@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/PKOvGkugmg__0U55Bn2pddy28bo>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, "unbearable@ietf.org" <unbearable@ietf.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Unbearable] Scoping of keys on the client.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 21:21:13 -0000
I used that as an example. I know one AS that is doing that for refresh tokens as it doesn't require any client or protocol change. No the WG haven't discussed it. The POP use case for AT is focused on app/client to RS. Given that the AS and RS may not be in the same domain using token binding to secure the AT to the RS gets trickier. In principal if the client knows the the URI of the resource server it could make a request to the RS and then take the public key and put it in a JWK to push to the AS as part of the existing POP key distribution spec. The client would then get back a AT bound to that key. That limits the client to only using a single RS as tin the current spec the key is only exchanged for code. The key could be sent with refresh tokens if we wanted to allow multiple RS with different keys, however to do that securely you really want to secure the refresh token, to do that in a public client the AS could use token binding. Those are issues the OAuth WG will need to look at. To do that properly knowing things like if the RT leaks to another app on the device can it still be used? Those questions need to be answered to formulate security considerations, and determine if token binding is the correct tool to use for a given use case. John B. > On Mar 13, 2015, at 5:22 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > > Maybe I am recalling wrongly, but I don’t think OAuth WG discussed securing refresh tokens using binding (yet). The OAuth POP use cases were focused on app-to-app access token security. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > >> On Mar 13, 2015, at 12:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: >> >> I think it is important to think through how the choices may impact how protocols can use token binding. >> >> The NAAPS profile of connect is a possible candidate for using token binding but that is highly dependent on how keys are shared on the client. >> >> A simple OAuth use case is using token binding to secure a refresh token. >> >> How secure that is would depend on what other apps on the device may be able to use that token if it leaked. >> >> Understanding how keys are shared between apps is I think important. >> >> John B >> >> >> Sent from my iPhone >> >>> On Mar 13, 2015, at 2:46 PM, Phil Hunt <phil.hunt@oracle.com> wrote: >>> >>> The problem being that this just becomes device binding and app to app token binding still isn't possible. >>> >>> Do we care? >>> >>> Phil >>> >>>> On Mar 13, 2015, at 10:18, Andrei Popov <Andrei.Popov@microsoft.com> wrote: >>>> >>>> Thanks for raising this topic John. >>>> >>>>> I found some people that believe all apps sharing a common TLS library would be able to share the same ID/key for a origin. >>>> In our prototypes so far (in Win10), the Token Binding Protocol implementation, the Token Binding key storage APIs, and the TLS library are three separate components. Among other things, this allows 3-rd-party apps share Token Binding keys and achieve single sign-on regardless of the TLS library they might be using (if they choose to do so). >>>> >>>>> The different views impact security considerations in native environments. As an example can you pass a token from one app to another and have it still work to the same origin, or is it a security feature that it won't work and the token cant be stolen from a app and re-used by a different app on the same device. >>>> I think that single sign-on between apps and browsers is at least a useful option. >>>> >>>>> I don't think there is anything in the specs on this. >>>>> Figuring out where some of these issues get documented might be useful. >>>> Documenting key scoping is indeed useful; on the other hand standardizing the specifics might require standardizing user and application isolation models across platforms, which I don't think would be in scope for this forum. Perhaps we could agree on some general principles and include implementation guidance on Token Binding key scoping? >>>> >>>> Cheers, >>>> >>>> Andrei >>>> >>>> -----Original Message----- >>>> From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of John Bradley >>>> Sent: Friday, March 13, 2015 9:57 AM >>>> To: unbearable@ietf.org >>>> Subject: [Unbearable] Scoping of keys on the client. >>>> >>>> Now that we are officially a WG I have a question (no hat) >>>> >>>> One thing that I identified as a potential issue talking to people who are working on early deployments, is the expectations around how keys are shared between applications. >>>> >>>> I found some people that believe all apps sharing a common TLS library would be able to share the same ID/key for a origin. >>>> >>>> Other folks were under the impression that each application would have its own key for an origin. >>>> >>>> The different views impact security considerations in native environments. As an example can you pass a token from one app to another and have it still work to the same origin, or is it a security feature that it won't work and the token cant be stolen from a app and re-used by a different app on the same device. >>>> >>>> There was a middle view by the MDM people that the ID/key would be scoped to a profile/container so that all the enterprise apps would share ID/key but that social apps would not. >>>> >>>> I don't know that there is necessarily one right answer, as this may be implementation dependent. >>>> >>>> I don't think there is anything in the specs on this. One reason I ask is that some of those differences impact on Native Application Single Signon and OAuth. >>>> >>>> In some of the Windows prototypes I understand there is a Key Storage API that is used to share keys between the browser and apps. >>>> >>>> Android, Windows, iOS , OSX may all have implementation specific details, but people building applications that leverage token binding will need to understand the differences as they may have security and privacy implications. >>>> >>>> Figuring out where some of these issues get documented might be useful. >>>> >>>> John B. >>>> >>>> _______________________________________________ >>>> Unbearable mailing list >>>> Unbearable@ietf.org >>>> https://www.ietf.org/mailman/listinfo/unbearable >
- Re: [OAUTH-WG] [Unbearable] Scoping of keys on th… John Bradley