Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Daniel Fett <fett@danielfett.de> Mon, 10 May 2021 13:26 UTC

To: oauth@ietf.org
References: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de> <E43CA16C-CB38-4E9E-9ADD-295ECBA38ED9@forgerock.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <710ef35f-ba66-0e05-96ea-e48b9e86cf29@danielfett.de>
Date: Mon, 10 May 2021 15:26:25 +0200
MIME-Version: 1.0
In-Reply-To: <E43CA16C-CB38-4E9E-9ADD-295ECBA38ED9@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SzdrfvMpl00H-e_R1IETXEPNIGE>
Subject: Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Hi Neil,

I'm not sure - maybe others can chime in here as well - if a discussion
relating to an expired previous draft is something one would expect in
the spec.

For the record, the client_id does not provide any additional security.
The key to mitigating Mix-Up is that the "honest AS" ensures that the
code issued at its token endpoint is sent to the honest IdP's token
endpoint, and not to the attacker IdP's token endpoint. This is ensured
by the iss parameter. The client_id would maybe be relevant if the
honest AS sends different issuer values for different client_ids - I
have not heard of such a constellation. I'm not sure why the client_id
was included in the previous draft.

-Daniel


On 10.05.21 at 14:57, Neil Madden wrote:
> I have also read it and it looks good to me. It might be worth
> explicitly discussing how it relates to the older draft [1] (that we
> implemented at the time). That older draft also included a client_id
> parameter in the response, so it would be good to clarify if that is
> actually needed to prevent the attack or not.
>
> [1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
>
> Kind regards,
>
> Neil
>
>> On 15 Apr 2021, at 08:04, Karsten Meyer zu Selhausen
>> <karsten.meyerzuselhausen@hackmanit.de> wrote:
>>
>> Hi all,
>>
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>
>> There have not been any concerns with the first WG draft version so
>> far: https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>
>> I would like to ask the WG if there are any comments on or concerns
>> with the current draft version.
>>
>> Otherwise I hope we can move forward with the next steps and
>> hopefully finish the draft before/with the security BCP.
>>
>> Best regards,
>> Karsten
>>
>> -- 
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:	+49 (0)234 / 54456499
>> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>
>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on:
>> https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>>
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>>
>> Register court: Amtsgericht Bochum, HRB 14896
>> Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
https://danielfett.de
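Daniel's point above, that the client has to bind each flow to the AS it was started with and then check the `iss` of the authorization response against that binding before redeeming the code, as an added example that is not part of the thread and not code from the draft's authors. It simulates the mix-up flow (user tricked into starting with an attacker AS whose authorization endpoint forwards the browser to the honest AS with the same `state`) against a client without the check and one with it. Issuer URLs, endpoints, the client callback and the authorization code are constructed; the metadata flag `authorization_response_iss_parameter_supported` is the one defined in RFC 9207, the published form of this draft.

```python
"""Client-side mix-up defence from draft-ietf-oauth-iss-auth-resp.

The client binds every flow to the issuer it was started with (via `state`)
and, on the redirect back, only redeems the code if the `iss` parameter
names that same issuer. All issuers, endpoints and the code are constructed.
"""
import secrets
from urllib.parse import parse_qs, quote, urlparse

HONEST = "https://honest.example.com"      # constructed honest AS
ATTACKER = "https://attacker.example.net"  # constructed attacker-controlled AS

# Constructed AS metadata; the flag name is the one RFC 9207 registers.
AS_METADATA = {
    HONEST: {
        "token_endpoint": HONEST + "/token",
        "authorization_response_iss_parameter_supported": True,
    },
    ATTACKER: {
        "token_endpoint": ATTACKER + "/token",
        "authorization_response_iss_parameter_supported": True,
    },
}


class MixUpError(Exception):
    pass


def parse_redirect(url):
    """Query parameters of the redirect URI as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class LegacyClient:
    """Pre-iss client: picks the token endpoint from the issuer bound to `state`."""

    def __init__(self):
        self._pending = {}  # state -> issuer the flow was started with

    def start_flow(self, issuer):
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer
        return state

    def token_endpoint_for(self, redirect_url):
        params = parse_redirect(redirect_url)
        expected_iss = self._pending.pop(params["state"])
        return AS_METADATA[expected_iss]["token_endpoint"], params["code"]


class IssCheckingClient(LegacyClient):
    """Client implementing the draft: `iss` must match the bound issuer."""

    def token_endpoint_for(self, redirect_url):
        params = parse_redirect(redirect_url)
        expected_iss = self._pending.pop(params["state"])
        iss = params.get("iss")
        if iss is None:
            # An AS that advertises the parameter and then omits it is suspect;
            # the draft requires rejecting the response in that case.
            if AS_METADATA[expected_iss]["authorization_response_iss_parameter_supported"]:
                raise MixUpError("iss missing from response of an AS that advertises it")
        elif iss != expected_iss:
            raise MixUpError(f"iss {iss!r} does not match bound issuer {expected_iss!r}")
        return AS_METADATA[expected_iss]["token_endpoint"], params["code"]


def honest_redirect(state, code="SplxlOBeZQQYbYS6WxSbIA"):
    """Constructed redirect the honest AS sends back to the client, with iss set."""
    return (f"https://client.example.org/cb?code={code}&state={state}"
            f"&iss={quote(HONEST, safe='')}")


def run(client, started_with):
    """Start a flow with `started_with`, then deliver the honest AS's response.

    In the mix-up case the user was tricked into starting with ATTACKER, whose
    authorization endpoint silently forwarded the browser to HONEST with the
    same state; the code that comes back was issued by HONEST.
    Returns ("sent", token_endpoint) or ("rejected", reason).
    """
    state = client.start_flow(started_with)
    try:
        endpoint, _code = client.token_endpoint_for(honest_redirect(state))
    except MixUpError as exc:
        return ("rejected", str(exc))
    return ("sent", endpoint)


if __name__ == "__main__":
    print(run(LegacyClient(), ATTACKER))       # HONEST's code goes to ATTACKER/token
    print(run(IssCheckingClient(), ATTACKER))  # rejected: iss mismatch
    print(run(IssCheckingClient(), HONEST))    # sent to HONEST/token
```

The legacy client routes purely by the issuer remembered under `state`, so in the mix-up case it hands the honest AS's code to the attacker's token endpoint; the checking client sees that `iss` names a different issuer than the one the flow was bound to and refuses before any token request is made. The `client_id` in the older draft plays no part in this decision.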