Re: [OAUTH-WG] New Version Notification for draft-ietf-oauth-dpop-01.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 06 November 2020 22:02 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 6 Nov 2020 15:02:07 -0700
Message-ID: <CA+k3eCQZsWCbR_eqv2umTDDbWiHp5siu4NFnoONz8Y8sMiSnrg@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PhQ_mDmABWhil5RPPSFNFkqZJwk>

On Tue, May 5, 2020 at 2:52 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

>
>
>> 9.1:
>> This would be a good place to mention BREACH as an example of how a DPoP
>> proof (and AT) might leak, despite only being sent over a direct HTTPS
>> channel. Note though that adding a random jti is an effective defence
>> against this even if the server doesn’t check it.
>>
>
> Thanks for that note as a good reason to keep jti even if the requirements
> on checking it are relaxed.
>

In trying to add some text that makes such mention I realized (again) that
I don't have a very good understanding of BREACH. With a bit of reading of
the overview and paper at http://breachattack.com/ it seems that BREACH is
applicable to attacking compression for leaking sensitive information in
HTTP responses. Whereas a DPoP proof is only defined to be sent in an HTTP
request. And ATs are only in a response once and then used in requests.
Perhaps it's a limitation of my own imagination or intellect but I don't
see how BREACH is relevant here. If you can explain it to me "for dummies"
style or better yet propose some text, we can certainly look at adding it.
Short of that though, I'm not equipped to write anything legitimate about
it and will just omit any such mention.
