IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC7519 (7720)

Brian Campbell <bcampbell@pingidentity.com> Tue, 05 December 2023 22:54 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D2AEC14F5ED for <oauth@ietfa.amsl.com>; Tue, 5 Dec 2023 14:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZBD19M1eppP for <oauth@ietfa.amsl.com>; Tue, 5 Dec 2023 14:54:37 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05FE7C14F5EA for <oauth@ietf.org>; Tue, 5 Dec 2023 14:54:36 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-6ce3efb78e2so3306142b3a.1 for <oauth@ietf.org>; Tue, 05 Dec 2023 14:54:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1701816876; x=1702421676; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=iwoxGi/hA8st1KuB732afw+tkiRTACTSk35CqQqhZco=; b=ZVowL0jx6ffwpfZ6qRY6ssWobSy0XQdVc+q7tM6PMZtcQNj9E7UV9hADJk5qwKzSCf q7AFBNie1av92g9KqZsWs7r5E5rS2nRqFZtKVOXaSkpMrkPQDPLUamF8sOuCG9tII91D FuKjPofMNHEMwzOMMKJr2X2hUIrbXp7reM6IR6zCBXCkd5FNv7/4EJTVWiHQriO9JOqN EcfIzeE7BqFfjbRu9Fz4CnmnoKfNWjCjEF8nlPIxIm+t7RI9rmeuHg3m//f8x3rm5klx uAoL90xrV4ae03Y/qMjHc7DiAAbW/bX+sVyUG8YG3/YH4bTGQ/ilbrDAXiN7AmfckgqR gIXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701816876; x=1702421676; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=iwoxGi/hA8st1KuB732afw+tkiRTACTSk35CqQqhZco=; b=OyKfYYF1PWtNoILus0ff/k25yYZnYEZtC8G3zVuj8f4Z0kH/A2WixGwAG1EtzKMT49 NkER59aUqyFW/yay/Q4G0dIOq/1u8NsDeGLhTk5bGR6wxr8ZmFG/qn3siq8DylgZCGa8 wMy7KXi5A+qLK5ZxiYYiPNye7kt/zYS8EO8kytdqqjTnUqihtZWinLWso5ZgjUUijWAT KyeCHGTIF5BX9BWfVvSYvK6BaLL1Iu5PI9KCuIQ3oIzo9D0ej2BjyQqaa4Mz92v4Y/ng Y27MQh/iN/kR061/fsFqCg/Eonri3PNnbyAklcu4LprA68pZ45VnnNQKoMwYu5kaN91S 0LdQ==
X-Gm-Message-State: AOJu0YzgyvBKQ62dRng35tv6DjNUAloWpuCkEd+VxTiQ1wxcgGpcP2DS aROhw5S9SmuN2vjyUrodDynqW38e/YYTJ3/oIZoTIi11FQukqL75Kny5yhJvkmqYDeu4u+AhcGL J7oCa7U0nR+5xWQ==
X-Google-Smtp-Source: AGHT+IE/l9CCJ37fc4fJy1t+9j3zv8lEvieuEI3DJLmQga2hOENTBLUV0HxGQ0FmwJirFezMLmKsfvCUspkfgQXfSJ0=
X-Received: by 2002:a05:6a20:ae0a:b0:18c:da:ba0b with SMTP id dp10-20020a056a20ae0a00b0018c00daba0bmr5769821pzb.44.1701816876329; Tue, 05 Dec 2023 14:54:36 -0800 (PST)
MIME-Version: 1.0
References: <20231201220618.357D418F726B@rfcpa.amsl.com> <LV8PR01MB8677B61878BE5F0D0925615BBD87A@LV8PR01MB8677.prod.exchangelabs.com>
In-Reply-To: <LV8PR01MB8677B61878BE5F0D0925615BBD87A@LV8PR01MB8677.prod.exchangelabs.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 05 Dec 2023 15:53:53 -0700
Message-ID: <CA+k3eCShPrd5w9pR_zami3UZfFcJM+iEOp_DmB0G5Nod4gf2tw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, "mbj@microsoft.com" <mbj@microsoft.com>, "ve7jtb@ve7jtb.com" <ve7jtb@ve7jtb.com>, "n-sakimura@nri.co.jp" <n-sakimura@nri.co.jp>, "rdd@cert.org" <rdd@cert.org>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "hannes.tschofenig@arm.com" <hannes.tschofenig@arm.com>, "rifaat.s.ietf@gmail.com" <rifaat.s.ietf@gmail.com>, "vergenzt@gmail.com" <vergenzt@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000634e6a060bcb1e53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Qkz2HqOzdVM0oyDPSeOdo-iLN8E>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7519 (7720)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Dec 2023 22:54:41 -0000

I agree that the change in text is too much for an errata. But I am
sympathetic to the problem that the reporter has described. Perhaps it'd be
appropriate as an errata that, in the interest of interoperability,
mentions/reminds that 'iat' doesn't have defined semantics about rejection
and suggests (non-normatively) not to implement/enforce any (in the absence
of an application specific profile anyway)?

On Sun, Dec 3, 2023 at 4:43 AM Justin Richer <jricher@mit.edu> wrote:

> This errata should be rejected, as stated in the write up, the change in
> text is too much for an errata. If the WG wants to revise JWT at this level
> it should be a full bis document.
>
> It's worth noting that the two other time based claims, nbf and exp, allow
> for clock skew in processing, but both of these claims have defined
> semantics about rejection whereas iat does not. One could argue that the
> libraries mentioned in the issue are doing things the spec doesn't say to
> do, but this kind of processing is extremely common.
>
> - Justin
>
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of RFC Errata System <
> rfc-editor@rfc-editor.org>
> *Sent:* Friday, December 1, 2023 5:06 PM
> *To:* mbj@microsoft.com <mbj@microsoft.com>; ve7jtb@ve7jtb.com <
> ve7jtb@ve7jtb.com>; n-sakimura@nri.co.jp <n-sakimura@nri.co.jp>;
> rdd@cert.org <rdd@cert.org>; paul.wouters@aiven.io <paul.wouters@aiven.io>;
> hannes.tschofenig@arm.com <hannes.tschofenig@arm.com>;
> rifaat.s.ietf@gmail.com <rifaat.s.ietf@gmail.com>
> *Cc:* vergenzt@gmail.com <vergenzt@gmail.com>; oauth@ietf.org <
> oauth@ietf.org>; rfc-editor@rfc-editor.org <rfc-editor@rfc-editor.org>
> *Subject:* [OAUTH-WG] [Technical Errata Reported] RFC7519 (7720)
>
> The following errata report has been submitted for RFC7519,
> "JSON Web Token (JWT)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7720
>
> --------------------------------------
> Type: Technical
> Reported by: Timothy Vergenz <vergenzt@gmail.com>
>
> Section: 4.1.6
>
> Original Text
> -------------
> 4.1.6.  "iat" (Issued At) Claim
>
> The "iat" (issued at) claim identifies the time at which the JWT was
> issued.  This claim can be used to determine the age of the JWT.  Its
> value MUST be a number containing a NumericDate value.  Use of this
> claim is OPTIONAL.
>
> Corrected Text
> --------------
> 4.1.6.  "iat" (Issued At) Claim
>
> The "iat" (issued at) claim identifies the time at which the JWT was
> issued.  This claim can be used to determine the age of the JWT.  Its
> value MUST be a number containing a NumericDate value.  Use of this
> claim is OPTIONAL. Implementors MUST NOT reject otherwise-valid JWTs
> with "iat" claims that appear to be from the future; token issuers
> desiring this behavior may require it by including an "nbf" claim.
>
> Notes
> -----
> There is substantial confusion and disagreement among JWT library
> implementors about whether to reject JWTs with `iat` claims that appear to
> be from the future due to clock drift. This confusion has led to over half
> a dozen Github issues & PRs over the years in libraries in many different
> ecosystems, and lots of strong disagreement among library developers and
> users.
>
> Based on a sample of the top Google search results for jwt client
> libraries in 11 different language ecosystems, the majority (7) of the
> libraries sampled do not reject future `iat` claims, while the remaining 4
> *do* reject future `iat` claims by default. Of those 4 who do, *all* of
> them have had Github issues filed (by different unique users) in which the
> user was having a JWT unexpectedly rejected by a token validator using the
> library whose clock had drifted from that of the token issuer enough to
> trigger `iat`-based rejection.
>
> I propose we update the spec to explicitly prohibit rejection of
> future-`iat` JWTs (especially since token issuers have always been able to
> opt into this behavior using an `nbf` claim). Since this RFC has been
> published and cannot be edited, a new superseding RFC will have to be
> published and this one deprecated in order for the suggested change to make
> it out of the errata and into an actual RFC doc.
>
> I'm not sure if this merits a full RFC republish -- but as a data point
> for impact consideration, it's worth noting that this confusion has almost
> certainly wasted at least multiple hours per person (on average) of
> *dozens* of developers' time over the years, and led to at least half a
> dozen production bugs that I've seen mentioned. One of these bugs cropped
> up in my own organization on 2023-11-31 and has been observed previously
> but was misunderstood and not resolved; the 2023-11-31 occurence involved
> 10+ people in discussion. One Github issue I saw described an elongated
> full web server outage attributed to this confusion which cropped up during
> a leap-second-related clock drift issue. I'm filing this errata request on
> calendar day 3+ of discussing this issue in my organization (if you include
> past times this issue has cropped up).
>
> Thanks for your consideration! I look forward to hearing back.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7519 (draft-ietf-oauth-json-web-token-32)
> --------------------------------------
> Title               : JSON Web Token (JWT)
> Publication Date    : May 2015
> Author(s)           : M. Jones, J. Bradley, N. Sakimura
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.35.0 | Report a Bug | By Email | System Status