Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Hans Zandbelt <hans.zandbelt@zmartzone.eu> Fri, 08 November 2019 08:34 UTC

References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com> <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu> <d021c84a-36f3-f371-2903-2b6051ee654f@free.fr> <8324a1d3-2fe8-430c-facc-1f3c5d7db260@danielfett.de> <21a36a19-1f24-25d9-9478-1e282a1bea19@free.fr>
In-Reply-To: <21a36a19-1f24-25d9-9478-1e282a1bea19@free.fr>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Fri, 8 Nov 2019 08:34:13 +0000
Message-ID: <CA+iA6uhqVf9B2VxzS7cFx_ATSymB9gsAk0ebpjdv99ymW6RjXA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Daniel Fett <fett@danielfett.de>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ShceTtt5QZ5fDlUz2nPkTBdT4Y4>

One client can always share the protected data with another client once retrieved, regardless of PoP or secure elements.

Hans.

On Fri, Nov 8, 2019 at 8:38 AM Denis <denis.ietf@free.fr> wrote:

> Daniel,
>
> No. It is not a correct summary. One client can allow another client to
> get an access token that belongs to it.
> The key point is that a software-only solution can't prevent this
> collaborative attack and since, at this time,
> the OAuth WG is not considering the use of secure elements, the attack
> cannot be countered.
>
> Please have a look at:
> https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html
>
> Denis
>
>
> Hi Denis,
>
> Am 07.11.19 um 09:16 schrieb Denis:
>
>
> Whatever kind of cryptography is being used, when two users collaborate,
> a software-only solution will be unable to prevent the transmission
> of an attribute of a user who possesses it to another user who does not possess it.
>
> To stay in OAuth lingo, what you are saying is: Two collaborating clients
> can exchange their access tokens and use them.
>
> Is that a correct summary of your attack?
>
> -Daniel
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu