[OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Wed, 10 July 2024 12:03 UTC
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 10 Jul 2024 08:03:05 -0400
Message-ID: <CADNypP8k4CmDmi0BCVf4U7zxPFYofb65fohPu1zcsDZT-wEZiw@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
CC: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R_Ch8jBVmbi8c7-XQc9VSNkv8E0>
All,

Mike and I met yesterday and discussed this.

My concern was with the potential of a downgrade attack if there is a MITM between the client and the resource server. It seems that the draft defined a protection against such an attack as described in section 3.3.

The next step is the shepherd write-up, which I will start soon.

Regards,
 Rifaat

On Mon, Jul 8, 2024 at 9:24 AM Michael Jones <michael_b_jones@hotmail.com> wrote:

> Can you reply to this today, Rifaat?
>
> Thanks,
> -- Mike
>
> ------------------------------
> *From:* Michael Jones
> *Sent:* Saturday, July 6, 2024 12:55:19 PM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* RE: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
>
> What puzzles me about talking about downgrade attacks in this context is between what points in time you are anticipating that a downgrade might occur. The Resource Server advertises its proposed authentication methods in a WWW-Authenticate response. The client then chooses one of them, probably within milliseconds of receiving the WWW-Authenticate response. When in that flow are you thinking that a downgrade might occur?
>
> Remember that the client is essentially instantaneously using fresh information provided by the resource server. It is not using information provided at some prior time.
>
> If not the text already proposed in the PR, what specifically would you suggest that we say about downgrade possibilities?
>
> -- Mike
>
> *From:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Sent:* Saturday, July 6, 2024 5:05 AM
> *To:* Michael Jones <michael_b_jones@hotmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
>
> A fair question is whether allowing clients to choose from among supported authentication methods represents an opportunity for a downgrade attack.
> Since resource servers will only enumerate authentication methods acceptable to them, by definition, any choice made by the client from among them is one that the resource server is OK with.
> Thus, the resource server allowing the use of different supported authentication methods does not represent an opportunity for a downgrade attack.
>
> A resource server could be configured to accept a method that is considered secure at one time, that might be considered insecure later on.
>
> A resource server could also be misconfigured with insecure methods.
>
> For this reason, I still think that a discussion of a potential downgrade attack is warranted in the security consideration section.
>
> Regards,
>
> Rifaat
>
> On Sat, Jul 6, 2024 at 12:30 AM Michael Jones <michael_b_jones@hotmail.com> wrote:
>
> > The PR https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45 is intended to address these shepherd review comments. Please review.
> >
> > Thanks,
> >
> > -- Mike
> >
> > *From:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> > *Sent:* Thursday, July 4, 2024 5:30 AM
> > *To:* oauth <oauth@ietf.org>
> > *Subject:* [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata draft
> >
> > Mike, Phil, Aaron,
> >
> > The following is my shepherd review for OAuth 2.0 Protected Resource Metadata
> > https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html
> >
> > *Comments/Questions*
> >
> > 5.4. Compatibility with other authentication methods
> >
> > Would this not open the door for potential downgrade attacks if the list of authentication methods includes weaker methods?
> > I think this should be discussed in the Security Consideration section.
> >
> > *Nits*
> >
> > Section 1, second sentence:
> > “This specification is intentionally as parallel as possible …”
> > It feels like there is a missing word after “intentionally”; maybe “designed”, “specified”?
> >
> > Regards,
> >
> > Rifaat
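The two client-side checks this thread turns on, as an added Python example that is not part of the thread or of the draft's own text: the section 3.3 style validation that the metadata's `resource` value equals the resource identifier the client used (so a document served by someone in the middle is rejected), and a local preference list so the client never selects an advertised method it does not itself accept, even if the RS is misconfigured. The parameter and field names (`resource_metadata`, `resource`, `bearer_methods_supported`) are taken from the draft as I read it; the policy list, example.com names and sample documents are constructed.

```python
import json
import re

# Client-side policy (constructed for this example, not from the draft): bearer
# methods this client will use, most preferred first. Anything the RS advertises
# outside this list is ignored, so a misconfigured or downgraded RS cannot steer
# the client into a method the client itself does not accept.
ACCEPTABLE_BEARER_METHODS = ("header", "body")


def parse_resource_metadata_param(www_authenticate):
    """Pull the resource_metadata URL out of a WWW-Authenticate Bearer challenge."""
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return match.group(1) if match else None


def validate_resource_metadata(metadata, resource_identifier):
    """Section 3.3 style check: the metadata's 'resource' value must be identical
    to the resource identifier the client used; otherwise the document was
    served for another resource (or by someone in the middle) and is not used."""
    return metadata.get("resource") == resource_identifier


def choose_bearer_method(metadata):
    """First method in the client's preference order that the RS also advertises;
    None if there is no overlap (refuse rather than fall back)."""
    advertised = metadata.get("bearer_methods_supported", [])
    return next((m for m in ACCEPTABLE_BEARER_METHODS if m in advertised), None)


def select_method(www_authenticate, resource_identifier, metadata_json):
    """Parse the challenge, validate the (already fetched) metadata document and
    choose a method. Returns (metadata_url, method); method is None on rejection."""
    metadata_url = parse_resource_metadata_param(www_authenticate)
    if metadata_url is None:
        return None, None
    metadata = json.loads(metadata_json)
    if not validate_resource_metadata(metadata, resource_identifier):
        return metadata_url, None
    return metadata_url, choose_bearer_method(metadata)


# Constructed sample inputs (example.com names, not real endpoints).
RESOURCE = "https://resource.example.com"
CHALLENGE = ('Bearer realm="api", resource_metadata='
             '"https://resource.example.com/.well-known/oauth-protected-resource"')
GOOD_METADATA = json.dumps({"resource": RESOURCE,
                            "authorization_servers": ["https://as.example.com"],
                            "bearer_methods_supported": ["query", "header"]})
MITM_METADATA = json.dumps({"resource": "https://attacker.example",
                            "bearer_methods_supported": ["query"]})
```

With `GOOD_METADATA` the client picks `header` even though `query` is listed first by the RS; with `MITM_METADATA` the `resource` mismatch rejects the document before any method is considered.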