Re: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt-bcp
Mike Jones <Michael.Jones@microsoft.com> Sat, 23 February 2019 00:26 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A073130EA7 for <oauth@ietfa.amsl.com>; Fri, 22 Feb 2019 16:26:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 34m6sJW_fFpk for <oauth@ietfa.amsl.com>; Fri, 22 Feb 2019 16:26:12 -0800 (PST)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650128.outbound.protection.outlook.com [40.107.65.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03DDD130E8A for <oauth@ietf.org>; Fri, 22 Feb 2019 16:26:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X1GktHGFAi9aBxX/Q8uEPoaBIHrlmo7j8TQbQJUCdUM=; b=ml6JVUp/xulycWB21iM2eVmPGn2nTPLiV80lOPlF/GDqsKIrnv9agF8xhomU/s7Qw3651hJLED0aYolCf/mymTxoWsO5lecNFQ+lRsZpffthvYnz9lzimLVsx8Wj9yTDpMUyrhfmDluYjGgplauuylSrNtO4hhl+URW58ClfuXc=
Received: from MW2PR00MB0298.namprd00.prod.outlook.com (52.132.148.29) by MW2PR00MB0425.namprd00.prod.outlook.com (52.132.149.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.0; Sat, 23 Feb 2019 00:26:08 +0000
Received: from MW2PR00MB0298.namprd00.prod.outlook.com ([fe80::c5ca:88ae:3151:1a2b]) by MW2PR00MB0298.namprd00.prod.outlook.com ([fe80::c5ca:88ae:3151:1a2b%6]) with mapi id 15.20.1691.000; Sat, 23 Feb 2019 00:26:08 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt-bcp
Thread-Index: AQHUmgS5HCXki7ZWEES4qXJnBTIH5KXs4wrQ
Date: Sat, 23 Feb 2019 00:26:08 +0000
Message-ID: <MW2PR00MB0298833CAEA7EA389FB935F5F5780@MW2PR00MB0298.namprd00.prod.outlook.com>
References: <CABcZeBOwbN9-Yjoshc-NW7Px_c5RkVQg_8P3dHpZnRszNuJtQg@mail.gmail.com> <CABcZeBPHdQFY-CoWnuqwrwh7ERptDFHBZ4SkwUoLgwGEL3pajw@mail.gmail.com>
In-Reply-To: <CABcZeBPHdQFY-CoWnuqwrwh7ERptDFHBZ4SkwUoLgwGEL3pajw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-02-23T00:26:05.4470465Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=0aaf7f4a-3dcc-425d-be56-e398b6573d10; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
x-originating-ip: [2001:4898:80e8:b:e160:ebcf:ab0e:5b5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 21cc8090-6bb9-43f9-bb79-08d699258162
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600126)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:MW2PR00MB0425;
x-ms-traffictypediagnostic: MW2PR00MB0425:
x-ms-exchange-purlcount: 2
x-microsoft-exchange-diagnostics: 1;MW2PR00MB0425;23:6A+G3CxO9WGbQ3m/xf/s31ugn7N0F3vlXJeRSdP05z07D+kBi2R4r/ZPAv5AAt5Y6sUqcFLSp03A2goPgQCajhjh1A07dYS06G4/g3qdCIr8KEkKOi3+bd4yVBKWCx2f1YbpfJobpItvnC723nfTfsIHz5T4TKS5Cw1iFNR3UVth2iGgvEMdXKVZ0GiAMr5S3w/LuXmeChggJMKWCNOxL9ebjST6o+l7B8AnrCiRbz/2iiZ3W6ZXOqSlp2oAvc4fjIl6frDDlr7j5Onq1z0791BA0/lAUffK0TqFAzgPMI/4haGTuUMyOyZJVqvPlAE/Owc6NDadWtYln2UYpPbqwWFYlcmuluBETfwMdvJZKz/BZU8PIe4NDoVxVw7h7uXkSX9UtltKFRVjqyGHoZ1LnTzI0I+SpRHuyG+0yoEXrFcav0cnzg4P5ORgs7lRLkO/ToWIvnqYH1QsQ7nVc3vZDr4U+3kuXd1zYxwGlCiC3oC9krulFLlRCRLgBJvZpUDqZz2QqYvNBI3BqOc018Zp2uJAHwD2UV3xTyrJeSMDCRpYndM5fp2f/Np15D0ctTd4fqUDiHjscDvDF7MgUjPcJNOTp1IV5f+hJBQao+JfQhnNl78cLeJgjFNfgPYpdeC9Ev2NejD9xoOS4lmwoA0xR37qKFd9Wc3LAA7+GAnOflTjDwsAbca1SaH3yGJg52utQB5vEt1EangHRvCyINw9F0xDCZW1+gajtMaN2TLIjCMnpOFnG3k5BNqI1IPrFhIT29UjifwMo75EDcPvaS0GNZfz60//Vwpws3ZjG4p1dPzvxajZXk+GqTdQsJj5h1uNiP7TPQ2pdW5woNm4CP0PvCPQGGaIfZvs/roRMNT8bRz1KJPLSrUDyC0juioLXdPz46hnC0oLPv+kQTbk7f9z/fJE1hFVzvkKCKpdqFw7Rgm12ZAWGpWeH0OyQzVafoZ8gZocvJ1+X8s8QIX9y5tDxYjEzK1rdJtAAvdAznrndROx2VwufCHbThy3qrul7BNDmIESL0s94tTezE+COOBng0aN0wdVJDPjXceTpfIfyGgrcOdKT+7bn98JXSufcMlNSixO0Om41vA93i3w5dKbsCuPKJTv66lUGnPpMGZBsttsAl/YTSPjhLbprFDu8hVwDpykwDqMRu1Tki8ZP3wIpY+qBqADXQoP72aEhpMUZ318waWVc66SXct42kGt0ob/UKfOsmO54HbaRZ4OGV0p1z3Kj7r2iy2h7kY7y6tSo2S330dAVhY1EZoes3ZNk3GOKbpBQ4XsvufMhGPrzUJtHJQ0nbPXXGa60bBAIDNmAVcLPsQPXNmQxDrE84MoGJXwAwIE6tBvUl1XGfdyftjV2438ZwZ4DlSS7Q4qsviUUwu1tgXMH2vRgkclNElOyBq9grSDCXYKqnV7wA8JUVFzZZ+ovJhdHSt26uUxPJUpNVhafgrGRX4Q+JhYZExjqt+C
x-microsoft-antispam-prvs: <MW2PR00MB04258412BC602A77E662E543F5780@MW2PR00MB0425.namprd00.prod.outlook.com>
x-forefront-prvs: 0957AD37A0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(396003)(376002)(366004)(136003)(22974007)(199004)(189003)(256004)(86362001)(71190400001)(74316002)(8936002)(9326002)(106356001)(33656002)(86612001)(105586002)(71200400001)(53546011)(5660300002)(14444005)(10290500003)(6506007)(68736007)(72206003)(102836004)(76176011)(6346003)(790700001)(6116002)(22452003)(316002)(110136005)(8990500004)(606006)(7696005)(966005)(6246003)(478600001)(53936002)(97736004)(99286004)(81156014)(81166006)(229853002)(186003)(236005)(11346002)(6436002)(9686003)(54896002)(46003)(6306002)(486006)(446003)(476003)(8676002)(55016002)(10090500001)(25786009)(14454004)(7736002)(2906002)(52536013); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR00MB0425; H:MW2PR00MB0298.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 5WJ/sQ8cXMUMTfGivttjMu1byEV2Wxh7H9xDyf0QCF69ZUQzWi1UUgFAhXxMIqM8ynuLY6HpCko+Coxfs6FIhruJdFApTdNSvya+EO5i5VgBo/nLTDoezPszpWpKY6PQ/LNKU5d21tTtL8sktJ5/FYvcGpJs7VoAvjzGtSSKJmCM++LJKD/FHUAIh+ZqYTSi7go4GXIqMNl0zj2/brtRfUMA68UP1A17CVzx84JgOzftsssLUXeSJmxigC1NIn4H4r7Jsv8JnsLzsB13cGCNVUyEidHwhXEOdgNLitdPUWSfkW+EzS91sVx/hAcIBdxZPCxyevXq6jOkq+wIhaobTonwmoCXfx0xi3rWMkCghY6z0ZHX+UXDdsvKnKdoElRyEESweFWWJk1RgVdyPKtZEW/hoy68QldB2hYBzUlfLbI=
Content-Type: multipart/alternative; boundary="_000_MW2PR00MB0298833CAEA7EA389FB935F5F5780MW2PR00MB0298namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 21cc8090-6bb9-43f9-bb79-08d699258162
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Feb 2019 00:26:08.1715 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR00MB0425
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ccj4llP2Ga8z_QUAc-2JKDukMdw>
Subject: Re: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt-bcp
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Feb 2019 00:26:24 -0000
Hi Eric,
Replies are inline below, prefixed by “Mike>”. In summary, unless you want to see additional text added giving examples of substitution attacks, I believe that -04 addressed all of your review comments. Let us know, and if so, we’ll turn the crank and publish an -05 doing so.
Thanks again,
-- Mike
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Saturday, December 22, 2018 6:42 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt-bcp
CCing the WG because I was wrong about the aliases.
---------- Forwarded message ---------
From: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Date: Sun, Aug 26, 2018 at 2:02 PM
Subject: AD Review of draft-ietf-oauth-jwt-bcp
To: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4649
COMMENTS
S 1.2.
> 1.2. Conventions used in this document
>
> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
> "OPTIONAL" in this document are to be interpreted as described in
> [RFC2119].
You will want to cite 8174 here.
Mike> This was done in https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04.
S 2.6.
>
> 2.6. Substitution Attacks
>
> There are attacks in which one recipient will have a JWT intended for
> it and attempt to use it at a different recipient that it was not
> intended for. If not caught, these attacks can result in the
I don't understand this attack. Can you go into more detail?
Mike> In an OAuth context, an attacker can perform a substitution attack by obtaining a JWT access token for a resource that it legitimately has access to and presenting it to a different resource that it is not entitled to access. If the audience is not present or not checked and/or the issuer is not validated, this kind of attack can succeed.
Mike> Similarly, in an OpenID Connect context if the implicit flow is being used, the attacker can obtain a legitimate ID Token (which is a JWT) when the Identity Provider redirects to its redirection URI, with the ID Token passed as a fragment value. The attacker than then redirect to a different redirection URI for a different relying party that does not belong to the attacker. This can succeed if the signature isn’t checked or if the issuer isn’t checked.
Mike> Does this now make sense as-is or do you want additional text to be added to the specification – for instance, maybe something based on the descriptions above?
S 3.2.
> Therefore, applications MUST only allow the use of cryptographically
> current algorithms that meet the security requirements of the
> application. This set will vary over time as new algorithms are
> introduced and existing algorithms are deprecated due to discovered
> cryptographic weaknesses. Applications must therefore be designed to
> enable cryptographic agility.
Is this must normative?
Mike> Yes
S 3.2.
> may be no need to apply another layer of cryptographic protections to
> the JWT. In such cases, the use of the "none" algorithm can be
> perfectly acceptable. JWTs using "none" are often used in
> application contexts in which the content is optionally signed; then
> the URL-safe claims representation and processing can be the same in
> both the signed and unsigned cases.
I think you probably need to have a clearer "don't use none by
default" statement here.
Mike> Draft -04 added these statements in response to your comment:
“The "none" algorithm should only be used when the JWT is cryptographically protected by other means.”
“JWT libraries SHOULD NOT generate JWTs using "none" unless explicitly requested to do by the caller.”. (Reading this now, I see that we need to change “to do” to “to do so”.)
S 3.4.
> ECDH-ES ephemeral public key (epk) inputs should be validated
> according to the recipient's chosen elliptic curve. For the NIST
> prime-order curves P-256, P-384 and P-521, validation MUST be
> performed according to Section 5.6.2.3.4 "ECC Partial Public-Key
> Validation Routine" of NIST Special Publication 800-56A revision 3
> [nist-sp-800-56a-r3].
Is there an X25519 specification for JWE? If so, you should probably
specify the appropriate checks.
Mike> Draft -04 adds this statement:
“Likewise, if the "X25519" or "X448" {{RFC8037}} algorithms are used, then the security considerations in {{RFC8037}} apply.”
S 3.5.
> 3.5. Ensure Cryptographic Keys have Sufficient Entropy
>
> The Key Entropy and Random Values advice in Section 10.1 of [RFC7515]
> and the Password Considerations in Section 8.8 of [RFC7518] MUST be
> followed. In particular, human-memorizable passwords MUST NOT be
> directly used as the key to a keyed-MAC algorithm such as "HS256".
If you can't use them "directly" than how should you use them? Do you
want to say anything about password hashing (argon, etc.)?
Mike> Draft -04 adds this text in response to this comment:
“In particular, passwords should only be used to perform key encryption, rather than content encryption, as described in Section 4.8 of {{RFC7518}}. Note that even when used for key encryption, password-based encryption is still subject to brute-force attacks.”
S 3.12.
> of JWTs.
>
> Given the broad diversity of JWT usage and applications, the best
> combination of types, required claims, values, header parameters, key
> usages, and issuers to differentiate among different kinds of JWTs
> will, in general, be application specific.
I get that this is the state we find ourselves in, but it seems like
it's unfortunate. This might be a good time to re-emphasize the
recommendation for explicit types in 3.11.
Mike> Draft -04 adds this text in response to this comment:
“For new JWT applications, the use of explicit typing is RECOMMENDED.”
- [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp Eric Rescorla
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Mike Jones
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Mike Jones
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-… Eric Rescorla
- [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth-jwt… Eric Rescorla
- Re: [OAUTH-WG] Fwd: AD Review of draft-ietf-oauth… Mike Jones