Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

"Salz, Rich" <rsalz@akamai.com> Wed, 30 October 2019 16:41 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A99771200EC for <oauth@ietfa.amsl.com>; Wed, 30 Oct 2019 09:41:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NIYTPECR3Hv for <oauth@ietfa.amsl.com>; Wed, 30 Oct 2019 09:41:28 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50939120073 for <oauth@ietf.org>; Wed, 30 Oct 2019 09:41:28 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x9UGXtIw024594; Wed, 30 Oct 2019 16:41:26 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=tYlnhiunII4cwFCHMoaRiqVZ+4sy6SlVFIFny98I4rU=; b=hiM6TpHrISlaO0Zf/bx+nySKLeaohi7oLlj/BltbM5ljo8glUpKSR9iTSizgkzh+OQgQ leTT2FjtJGLrL1wilCaLWktBrDLBG6z9dqqINrHc428WRCF3bLz674+/LFVPyAjTPA67 ITPRICsNfJaCRtZC1SEbD+mhbOWoXGsEOGEWpmHvYF3ibydxwcUxr6TfxGFqeUGnI65q f0n3fwTmOGNQH3gi/ecqs7ZCe1IYRjGbWp+Iv4SpC2vTPjByKBDcMDmx2DHPa5/AX2tK eCaooLf6Jzq6GzySA1OSm/ubQKsQwy8g7Vzs0Uf0LJYDZx1GSmaolGayf43hAuT94t0n uw==
Received: from prod-mail-ppoint8 (prod-mail-ppoint8.akamai.com [96.6.114.122] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 2vxwghbya4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 30 Oct 2019 16:41:25 +0000
Received: from pps.filterd (prod-mail-ppoint8.akamai.com [127.0.0.1]) by prod-mail-ppoint8.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x9UGWusG019555; Wed, 30 Oct 2019 12:41:24 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.57]) by prod-mail-ppoint8.akamai.com with ESMTP id 2vxwfnqw2y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 30 Oct 2019 12:41:24 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 30 Oct 2019 12:41:23 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1473.005; Wed, 30 Oct 2019 12:41:23 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Neil Madden <neil.madden@forgerock.com>
CC: Justin Richer <jricher@mit.edu>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
Thread-Index: AQHVi20DwSDixrsmwUqaChyBzydqk6dtvDgAgAKKHACAACgPAIAAB5+AgAAQz4CAAb9SAIAA0ZsAgABfMACAAAkLAP//v+yAgABJiYD//+FxAA==
Date: Wed, 30 Oct 2019 16:41:22 +0000
Message-ID: <011AB6F2-F178-4D8F-8589-70A4C9CEC47A@akamai.com>
References: <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu> <E58B4EB0-7E59-4A0C-B43F-263CEF0B955D@forgerock.com> <50867522-C1A5-4BE2-888A-910B352D1EC8@mit.edu> <4DFE9EE9-2A57-4F2F-B2E2-12217FE3CECE@forgerock.com> <96892FC9-87E8-472F-B989-3D41DF43D2CC@akamai.com> <1543ED50-D92F-4679-87F5-AE679E4184AB@forgerock.com>
In-Reply-To: <1543ED50-D92F-4679-87F5-AE679E4184AB@forgerock.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.191]
Content-Type: multipart/alternative; boundary="_000_011AB6F2F1784D8F858970A4C9CEC47Aakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-10-30_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910300150
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-30_07:2019-10-30,2019-10-30 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 lowpriorityscore=0 mlxlogscore=999 spamscore=0 suspectscore=0 adultscore=0 bulkscore=0 phishscore=0 malwarescore=0 mlxscore=0 clxscore=1015 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910300150
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QXvRa0DwYoN9PafIxo-SEj42LEg>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 16:41:30 -0000

  *   I'm thinking of a uniformly random 16 byte name right now. Have at it.
Cute but missing the point.  I don’t have to guess it.  YOU have to securely deploy it across your proxy (however many staff), your backend (however many staff), your application developers (however many), and perhaps your diagnosing or debug teams if they are different.  And then you must make sure that if ANYONE ever takes a packet trace, or makes a slide out of a sample message, that they don’t disclose the header, such as by showing “here’s how we do OAUTH” at a user group meeting.

  *   Again, this is a defense in depth measure. A config file is fine.
No, it’s not.  It’s a multi-party shared secret that isn’t identified as a secret.  It’s not defense in depth, it’s a foundation of sand.

  *   irrelevant to the current discussion, which is about how the backend distinguishes security-critical headers that the proxy set from security-critical headers that were sneaked past the proxy by a client (through misconfiguration or parsing bug).
The backend must trust the proxy.  If you tell the proxy to “use FOOBAR123” as the header of the client certificate, how do you know that the proxy properly provided the client certificate?  Pretending that the backend only has to trust *part* of the proxy, because we use a sekrit header value is just that, pretending.

Your links to confused deputy and CSRF do not address the issues I raised.


  *   Authenticating the other side of a communication pipe is not sufficient to authenticate the origin of the data contained within those messages. The whole point of a proxy is that it forwards requests from clients. In the face of misconfigurations and parsing bugs the backend cannot distinguish headers that were set by the proxy from headers that were spoofed by the client. *This is the entire problem I have been discussing*.
And you believe that configuring a proxy, of which you are skeptical, addresses that concern?
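The trust boundary argued over in this exchange, as an added illustration that is not code from either correspondent or from any project: a TLS-terminating proxy that sets a client-certificate header, and a backend that decides whether to honour it. The header name, the proxy and client addresses and the certificate subjects are assumptions chosen for the example. It models the two failure modes named above side by side: a proxy that fails to strip a client-supplied copy of the header (the misconfiguration case, where the backend genuinely cannot tell who set it), and a backend that accepts the header from any peer rather than only from the proxy hop.

```python
"""Added example (not from the thread): proxy-set client-cert header and the
backend's decision to trust it. Names and addresses below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

CLIENT_CERT_HEADER = "x-client-cert"   # assumed header name, lowercased (HTTP names are case-insensitive)
TRUSTED_PROXY_ADDR = "10.0.0.5"        # assumed address of the proxy as seen by the backend
CLIENT_ADDR = "203.0.113.7"            # constructed client address (documentation range)


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)  # header names stored lowercased
    peer_addr: str = ""                                     # TCP peer the backend actually sees


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lowercase header names so 'X-Client-Cert' and 'x-client-cert' are the same header."""
    return {name.lower(): value for name, value in headers.items()}


def proxy_forward(client_headers: Dict[str, str], tls_client_cert: Optional[str],
                  strip_inbound: bool = True) -> Request:
    """Model of the proxy hop. tls_client_cert is the subject the proxy's TLS layer
    verified (None when no client certificate was presented). With strip_inbound=True
    the proxy drops any client-supplied copy of the header before setting its own;
    strip_inbound=False models the misconfiguration discussed in the thread."""
    forwarded = normalize(client_headers)
    if strip_inbound:
        forwarded.pop(CLIENT_CERT_HEADER, None)
    if tls_client_cert is not None:
        forwarded[CLIENT_CERT_HEADER] = tls_client_cert
    return Request(headers=forwarded, peer_addr=TRUSTED_PROXY_ADDR)


def direct_to_backend(client_headers: Dict[str, str]) -> Request:
    """Request that reaches the backend without passing through the proxy at all."""
    return Request(headers=normalize(client_headers), peer_addr=CLIENT_ADDR)


def backend_identity(req: Request, require_trusted_peer: bool = True) -> Optional[str]:
    """Backend side: the identity it will act on, or None.
    With require_trusted_peer=True the header is honoured only when the connection
    came from the proxy hop; False models a backend that trusts it from anyone."""
    if require_trusted_peer and req.peer_addr != TRUSTED_PROXY_ADDR:
        return None
    return req.headers.get(CLIENT_CERT_HEADER)


def scenarios() -> Dict[str, Optional[str]]:
    """Constructed cases; returns what identity the backend ends up believing."""
    spoof = {"X-Client-Cert": "CN=admin"}  # constructed client-supplied header
    return {
        # Proxy verified a real client cert; nothing spoofed.
        "honest": backend_identity(proxy_forward({}, "CN=alice")),
        # Anonymous client supplies the header; a correctly configured proxy strips it.
        "spoof_stripped": backend_identity(proxy_forward(spoof, None)),
        # Same, but the proxy forgot to strip: the backend cannot distinguish this
        # from a proxy-set value, which is the point made in the thread.
        "spoof_unstripped": backend_identity(proxy_forward(spoof, None, strip_inbound=False)),
        # Client reaches the backend directly; the peer check rejects the header.
        "bypass_checked": backend_identity(direct_to_backend(spoof)),
        # Same, with a backend that does not check which peer it is talking to.
        "bypass_unchecked": backend_identity(direct_to_backend(spoof), require_trusted_peer=False),
    }


if __name__ == "__main__":
    for name, who in scenarios().items():
        print(f"{name:18s} -> {who}")
```

The two checks that matter are in different places and neither substitutes for the other: the proxy must strip the inbound header before setting its own, and the backend must accept it only from the proxy hop (by network path or, better, by mutual TLS to the proxy). The `spoof_unstripped` case shows why a secret header name alone does not help once the proxy itself is misconfigured, which is the point both sides of the exchange are circling.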