Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp
Eric Rescorla <ekr@rtfm.com> Fri, 21 December 2018 22:38 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA79130EA3 for <oauth@ietfa.amsl.com>; Fri, 21 Dec 2018 14:38:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-sif7WiNYSu for <oauth@ietfa.amsl.com>; Fri, 21 Dec 2018 14:38:19 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93871130E9F for <oauth@ietf.org>; Fri, 21 Dec 2018 14:38:18 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id e26so4965978lfc.2 for <oauth@ietf.org>; Fri, 21 Dec 2018 14:38:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PVYC4mf/kqzHv+NyW2GfLaZ+OUYq6iy+McHB1od79wU=; b=uU7twoEfUaYwimj+p5HgBWMIfjVdXufnotCE8vsF5M48tot0l8ldQj//jry6ziOkJo wfW0LPFF5QT4XB089S1VW+S5n+4uyqfHGAWezNAPiH9fWy0mtMFuE0cf71AAjCEwIFFU 7DZFTvsLKwtPOkS1Pao2p8mAOG0iMoEK+sNVHgk6Pe+7T/ITRPBr5LLSsukK8A7tmCFi 3Nam7WsMlEh5hMhdYUkxb7ocXtE8ZlB1zi6keSRn3r9Q2q43Tphg8jxAAPVN/e1in3Hb Fz4NGSNFkDY/V9kRELct/TwuvB0QfVXa2ofU+nJd63Zj7mKmUqlT9omsijSv6FlocnMq KPfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PVYC4mf/kqzHv+NyW2GfLaZ+OUYq6iy+McHB1od79wU=; b=FTyuWnItI0UQr1dCOoU1eM1edv9dDIoyvdRcsPz7M4+VIDZpKNgeeiJEw+C5Xe0x7T Tw6uB6avGmE1J1WMrV2AV8P5VYqYiD67QHW7R9dvFfUdwZg3Jc3887a3l5lf3PnWCiLj AZbQaG38lbD1WHpXBI8JzSYcIJtcpAgdezed59z1JQIbo4NaD3NmWrY3pL/Jc8BJYEek JF5vQJmqzyMzrr96kR2F5+lNQcjmbdWh0eo6Cif13K8kafif/r2tnXlfIFquoiYFcIqD KT+jvllkhaXEpKJczLRwvQ6EjebQz6ylUbCL2lyTXHNqYZhMPx4jO1GUj/HisppEAZ3p melw==
X-Gm-Message-State: AA+aEWbDHAFNYM+YICwOL6Zu32RNgmx/QNLEWyTLvGxHfp9yS6XMPXzf JJvfVWMm2T09IqaaTuv2pNfrzM4a276FjT2NvyZ6EZZF
X-Google-Smtp-Source: AFSGD/XSlbgbqdkqu0b35tXnK2NWHEYNavQx7mwcRVWwB3VXGWAHExkJ2uLh1uiyeJuQblz99NamBJSgQLv9WCWwRA4=
X-Received: by 2002:ac2:4343:: with SMTP id o3mr2474132lfl.129.1545431896728; Fri, 21 Dec 2018 14:38:16 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBOwbN9-Yjoshc-NW7Px_c5RkVQg_8P3dHpZnRszNuJtQg@mail.gmail.com> <SN6PR00MB0301C6909630591B0BAB27DDF5CA0@SN6PR00MB0301.namprd00.prod.outlook.com>
In-Reply-To: <SN6PR00MB0301C6909630591B0BAB27DDF5CA0@SN6PR00MB0301.namprd00.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 21 Dec 2018 14:37:40 -0800
Message-ID: <CABcZeBOUaov00AyCFiVpdiZME9Ry8US-rE=ngxGp0zxwMvKZ2g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth <oauth@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003aba3a057d8fe789"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VW8wsTT2kNnJSRE5dJzZR_ub6vk>
Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2018 22:38:22 -0000
On Mon, Nov 5, 2018 at 12:39 AM Mike Jones <Michael.Jones@microsoft.com> wrote: > Hi Eric. Thanks again for your review. > https://github.com/yaronf/I-D/pull/24 is intended to address your review > comments. Text changes made to address each of your comments are listed > below. > > > > *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * Eric Rescorla > *Sent:* Monday, August 27, 2018 4:03 AM > *To:* oauth <oauth@ietf.org> > *Subject:* [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp > > > > Rich version of this review at: > https://mozphab-ietf.devsvcdev.mozaws.net/D4649 > > > COMMENTS > S 1.2. > > 1.2. Conventions used in this document > > > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > > "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > > "OPTIONAL" in this document are to be interpreted as described in > > [RFC2119]. > > You will want to cite 8174 here. > > < The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", > > < "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in > this document are to be > > < interpreted as described in {{RFC2119}}. > > --- > > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL > > > NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", > > > "MAY", and "OPTIONAL" in this document are to be interpreted as > > > described in BCP 14 {{RFC2119}} {{RFC8174}} when, and only when, they > > > appear in all capitals, as shown here. > > > S 2.6. > > > > 2.6. Substitution Attacks > > > > There are attacks in which one recipient will have a JWT intended > for > > it and attempt to use it at a different recipient that it was not > > intended for. If not caught, these attacks can result in the > > I don't understand this attack. Can you go into more detail? > > > For instance, if an OAuth 2.0 {{RFC6749}} access token is presented to > an OAuth 2.0 protected resource > > > that it is intended for, that protected resource might attempt to gain > access to a different > > > protected resource by presenting that same access token to the different > protected resource, > > > which the access token is not intended for. > > S 3.2. > > Therefore, applications MUST only allow the use of cryptographically > > current algorithms that meet the security requirements of the > > application.. This set will vary over time as new algorithms are > > introduced and existing algorithms are deprecated due to discovered > > cryptographic weaknesses. Applications must therefore be designed > to > > enable cryptographic agility. > > Is this must normative? > > < Applications must therefore be designed to enable cryptographic agility. > > --- > > > Applications MUST therefore be designed to enable cryptographic agility. > > > S 3.2. > > may be no need to apply another layer of cryptographic protections > to > > the JWT. In such cases, the use of the "none" algorithm can be > > perfectly acceptable. JWTs using "none" are often used in > > application contexts in which the content is optionally signed; then > > the URL-safe claims representation and processing can be the same in > > both the signed and unsigned cases. > > I think you probably need to have a clearer "don't use none by > default" statement here. > > > The "none" algorithm should only be used when the JWT is > cryptographically protected by other means. > Is there a reason this isn't a MUST? S 3.4. > > > ECDH-ES ephemeral public key (epk) inputs should be validated > > according to the recipient's chosen elliptic curve. For the NIST > > prime-order curves P-256, P-384 and P-521, validation MUST be > > performed according to Section 5.6.2.3.4 "ECC Partial Public-Key > > Validation Routine" of NIST Special Publication 800-56A revision 3 > > [nist-sp-800-56a-r3]. > > Is there an X25519 specification for JWE? If so, you should probably > specify the appropriate checks. > > > Likewise, if the "X25519" or "X448" {{RFC8037}} algorithms are used, > > > then the values MUST be validated according {{RFC7748}}. > > S 3.5. > > 3.5. Ensure Cryptographic Keys have Sufficient Entropy > > > > The Key Entropy and Random Values advice in Section 10.1 of > [RFC7515] > > and the Password Considerations in Section 8.8 of [RFC7518] MUST be > > followed. In particular, human-memorizable passwords MUST NOT be > > directly used as the key to a keyed-MAC algorithm such as "HS256". > > If you can't use them "directly" than how should you use them? Do you > want to say anything about password hashing (argon, etc.)? > > > Rather, the principles from {{RFC2898}} SHOULD be used > > > to derive cryptographic keys from user-supplied passwords. > This doesn't seem to have made it in. -Ekr > Given the broad diversity of JWT usage and applications, the best > combination of types, required claims, values, header parameters, key > usages, and issuers to differentiate among different kinds of JWTs > will, in general, be application specific. I get that this is the state we find ourselves in, but it seems like it's unfortunate. This might be a good time to re-emphasize the recommendation for explicit types in 3.11. > For new JWT applications, the use of explicit typing is RECOMMENDED. Thanks again, -- Mike >
- [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp Eric Rescorla
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Mike Jones
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Mike Jones
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Eric Rescorla
- [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt… Eric Rescorla
- Re: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth… Mike Jones