Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)

Roman Danyliw <rdd@cert.org> Wed, 05 January 2022 15:13 UTC

From: Roman Danyliw <rdd@cert.org>
To: Robert Wilton <rwilton@cisco.com>, The IESG <iesg@ietf.org>
CC: "oauth@ietf.org" <oauth@ietf.org>, "draft-ietf-oauth-iss-auth-resp@ietf.org" <draft-ietf-oauth-iss-auth-resp@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>
Date: Wed, 05 Jan 2022 15:13:00 +0000
Message-ID: <BN2P110MB11077BCECA3284EEBE01D579DC4B9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <163826823482.22222.14507198184402043742@ietfa.amsl.com>
In-Reply-To: <163826823482.22222.14507198184402043742@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SMl2suFetILupJjminJDz5-7wl0>

Hi Rob!

Thanks for your review. I wanted to close the loop on your COMMENT.  See below.

> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Robert Wilton via
> Datatracker
> Sent: Tuesday, November 30, 2021 5:31 AM
> To: The IESG <iesg@ietf.org>
> Cc: oauth@ietf.org; draft-ietf-oauth-iss-auth-resp@ietf.org; oauth-
> chairs@ietf.org
> Subject: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-iss-
> auth-resp-03: (with COMMENT)
> 
> Robert Wilton has entered the following ballot position for
> draft-ietf-oauth-iss-auth-resp-03: No Objection
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Hi,
> 
> Thanks for this document, just one comment on a couple of sentences in the
> security section that I found unclear in this paragraph:
> 
>    There are also alternative countermeasures to mix-up attacks.  When
>    an authorization response already includes an authorization server's
>    issuer identifier by other means, and this identifier is checked as
>    laid out in Section 2.4, the use and verification of the iss
>    parameter is not necessary and MAY be omitted.  This is the case when
>    OpenID Connect response types that return an ID token from the
>    authorization endpoint (e.g., response_type=code id_token) or JARM
>    response mode are used, for example.  However, if a client receives
>    an authorization response that contains multiple issuer identifiers,
>    the client MUST reject the response if these issuer identifiers do
>    not match.  The details of alternative countermeasures are outside of
>    the scope of this specification.
> 
> I'm probably missing something but this seems to suggest both:
>  - the use and verification of the iss parameter is not necessary and MAY be
>    omitted.
>  - if a client receives an authorization response that contains multiple
>    issuer identifiers, the client MUST reject the response if these issuer
>    identifiers do not match.

Indeed, both are suggested courses of action, but across three scenarios:

(a) one iss which gets compared against the server's metadata document (paragraph 2 of Section 2.4)
(b) no iss is present because there is an OpenID Connect ID token or JARM JWT (both mechanisms provide a nearly equivalent mitigation to "iss", see last three paragraphs of Section 2.4)
(c) multiple iss where the above behavior applies for rejection if they don't match; and also checks per (a) (this text)

Regards,
Roman
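The three scenarios above, as a client-side issuer check written for this reply as an added example (it is not code from the draft or from anyone on the thread). It assumes the expected issuer comes from the AS metadata document the client was configured with, decodes a constructed, unsigned ID token only to show where a second issuer identifier can come from (a real client also verifies the signature and other ID token claims), and, as this example's own policy, rejects a response that carries no issuer identifier at all.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    # Constructed sample only: "alg": "none" with an empty signature segment.
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def _jwt_payload(token: str) -> dict:
    # Decodes the payload segment; signature validation is out of scope here.
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(response: dict, expected_issuer: str) -> str:
    """Return the issuer the client may trust for this response, else raise.

    (a) iss parameter present: compare it with the issuer from AS metadata.
    (b) no iss parameter, but an ID token carries iss: compare that instead.
    (c) several issuer identifiers: they must agree with each other, then (a).
    """
    identifiers = []
    if "iss" in response:
        identifiers.append(("iss parameter", response["iss"]))
    if "id_token" in response:
        identifiers.append(("id_token iss", _jwt_payload(response["id_token"])["iss"]))
    if not identifiers:
        raise ValueError("no issuer identifier; a mix-up cannot be ruled out")
    values = {value for _, value in identifiers}
    if len(values) != 1:  # scenario (c): conflicting identifiers -> reject
        raise ValueError(f"conflicting issuer identifiers: {identifiers}")
    issuer = values.pop()
    if issuer != expected_issuer:  # scenarios (a)/(b): must match AS metadata
        raise ValueError(f"issuer {issuer!r} != expected {expected_issuer!r}")
    return issuer


def accepts(response: dict, expected_issuer: str) -> bool:
    try:
        check_issuer(response, expected_issuer)
        return True
    except ValueError:
        return False
```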