IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: New Version Notification for draft-fett-oauth-dpop-03.txt

Denis <denis.ietf@free.fr> Wed, 13 November 2019 09:17 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C0D1208B6 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2019 01:17:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIm8xR0tQ2wE for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2019 01:17:13 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp08.smtpout.orange.fr [80.12.242.130]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A5301208B5 for <oauth@ietf.org>; Wed, 13 Nov 2019 01:17:12 -0800 (PST)
Received: from [192.168.1.11] ([90.79.49.31]) by mwinf5d16 with ME id RMH92100J0gNo7u03MH9xh; Wed, 13 Nov 2019 10:17:10 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 13 Nov 2019 10:17:10 +0100
X-ME-IP: 90.79.49.31
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
References: <157254438077.30463.2012864551682668420.idtracker@ietfa.amsl.com> <CA+k3eCQrdDqMTHD6bgV-jOTC5DRn3tj2RME1=jdzR6H3W45+BA@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <f1b61e85-d7e3-7a66-9e85-caaa94726ebf@free.fr>
Date: Wed, 13 Nov 2019 10:17:09 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQrdDqMTHD6bgV-jOTC5DRn3tj2RME1=jdzR6H3W45+BA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------2CEB5D99FA92756A7E7B1E47"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WC8jCC-U3bAhlBHEVRLAdSOuY98>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 09:17:16 -0000

Hello Brian,

Section 2 states:

    Under the attacker model defined in [I-D.ietf-oauth-security-topics],
    the mechanism defined by this specification aims to prevent token
    replay at a different endpoint.

    More precisely, if an adversary is able to get hold of an access
    token or refresh token because it set up a counterfeit authorization
    server or resource server, the adversary is not able to replay the
    respective token at another authorization or resource server.

The problem to be solved is NOT to prevent token replay at a different 
endpoint, but to prevent token replay at the same or a different endpoint.

The text is only considering an adversary, but is omitting to consider 
collusion attacks between clients.

Since [I-D.ietf-oauth-security-topics] is "OAuth 2.0 Security Best 
Current Practice", the comments I sent to the list are applicable to 
this document too.
DPoP is not able to counter collusion attacks between clients and this 
should be clearly advertised in the abstract, in the main objectives 
(section 2)
and in the security considerations (section 9).

Denis

> Hello WG,
>
> Just a quick note to let folks know that -03 of the DPoP draft was 
> published earlier today. The usual various document links are in the 
> forwarded message below and the relevant snippet from the doc history 
> with a summary of the changes is included here for convenience.
>
> Hopefully folks will have time to read the (relativity) short document 
> before the meeting(s) in Singapore where (spoiler alert) I plan to ask 
> that the WG consider adoption of the draft.
>
> Thanks,
>
>  -03
>    o  rework the text around uniqueness requirements on the jti claim in
>       the DPoP proof JWT
>    o  make tokens a bit smaller by using "htm", "htu", and "jkt" rather
>       than "http_method", "http_uri", and "jkt#S256" respectively
>    o  more explicit recommendation to use mTLS if that is available
>    o  added David Waite as co-author
>    o  editorial updates
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> Date: Thu, Oct 31, 2019 at 11:53 AM
> Subject: New Version Notification for draft-fett-oauth-dpop-03.txt
> To: Torsten Lodderstedt <torsten@lodderstedt.net 
> <mailto:torsten@lodderstedt.net>>, Michael Jones <mbj@microsoft.com 
> <mailto:mbj@microsoft.com>>, John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb..com>>, Brian Campbell 
> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>, 
> David Waite <david@alkaline-solutions.com 
> <mailto:david@alkaline-solutions.com>>, Daniel Fett 
> <mail@danielfett.de <mailto:mail@danielfett.de>>
>
>
>
> A new version of I-D, draft-fett-oauth-dpop-03.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name:           draft-fett-oauth-dpop
> Revision:       03
> Title:          OAuth 2.0 Demonstration of Proof-of-Possession at the 
> Application Layer (DPoP)
> Document date:  2019-10-30
> Group:          Individual Submission
> Pages:          15
> URL: https://www.ietf.org/internet-drafts/draft-fett-oauth-dpop-03.txt
> Status: https://datatracker.ietf.org/doc/draft-fett-oauth-dpop/
> Htmlized: https://tools.ietf.org/html/draft-fett-oauth-dpop-03
> Htmlized: https://datatracker.ietf.org/doc/html/draft-fett-oauth-dpop
> Diff: https://www.ietf.org/rfcdiff?url2=draft-fett-oauth-dpop-03
>
> Abstract:
>    This document describes a mechanism for sender-constraining OAuth 2.0
>    tokens via a proof-of-possession mechanism on the application level.
>    This mechanism allows for the detection of replay attacks with access
>    and refresh tokens.
>
>
>
>
> Please note that it may take a couple of minutes from the time of 
> submission
> until the htmlized version and diff are available at tools.ietf.org 
> <http://tools.ietf.org>.
>
> The IETF Secretariat
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited..  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email