Re: [OAUTH-WG] OAuth Digest, Vol 146, Issue 67
Faisal Rachman <milkfabrication@gmail.com> Thu, 17 December 2020 16:29 UTC
Return-Path: <milkfabrication@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 010953A0DBE for <oauth@ietfa.amsl.com>; Thu, 17 Dec 2020 08:29:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAQRtR9XZK8Y for <oauth@ietfa.amsl.com>; Thu, 17 Dec 2020 08:29:27 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D965C3A0E3D for <oauth@ietf.org>; Thu, 17 Dec 2020 08:29:20 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id a12so58891002lfl.6 for <oauth@ietf.org>; Thu, 17 Dec 2020 08:29:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Bkae0XAdXq5M7jswtjfyfpgY/ZCKaA5XSBrDKLxfDXo=; b=s0Vk+IJ0cntTTph4VoLjv9mgBeZCXYJd1JJ9KWeJ6d3g9LS9Ria98o+4uzLI0KAjah sVZNC/nvIc2eGcs9xvFt0f6vbv6X4vCyFWqn2UsNjbgq8mHkn1OfFmmrBZdpd/HBSLrI JqvWs2/0z6SuwFimB4//1TKUNC7zdHvLRSJo6dL0Yy8d8FNN4vitMTxffl4VfXbNQqf9 9cTnQ4499CCPmNUfrNOAGw62UNtAr/XYQFBcvJJLlSCPJ2v6OTtl86URQDuY0KNEjLyc QE73OPIbw801TIOBQ4sVpiuhXEbUR0nxhLgnvvDF/3/EA4dFIZj945RTKKKTn7NBB8f4 SIXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Bkae0XAdXq5M7jswtjfyfpgY/ZCKaA5XSBrDKLxfDXo=; b=FTEYCL/VAwGQ0M5KdldIpW7PVDAQKJDF0qVrcKuvRn8DkmL8A2Px8CY1Zw4a5X9Qit gUG0m0Yka3o7TlPOk+hrquZ3KRk9qgX9KQbXaWsnzHQsW0D7sPRIIfdlEBghemJXp0M0 QgutdqXnzF66GMsTpqgoe4Ba5M9lhZRO5KV0ClzOdPrOxRx6Lk6fi17EjrNSvM2rYnLn ell4dTclVtX82C4JEJA5J0cnhUKi/ATSCCnjzIcCMPPDZEIYsK7GDjWzvm3bzgNxPp6D qak6LxP9a3mVYAfKz+OR+NwdeXMBqw/cT0QoUqSZlK/Jt/3gU/WUOd8yzZe4/J5eKQ+6 uTGg==
X-Gm-Message-State: AOAM5311hQW5SDlTu3Vgo640r6Q4ijstQ3o2+HJXSxtaEQOVbTr4JFj3 n70/HoYhW1q/XgNdtukqShjIsLh4s0biFNdKztbYql/tpbU=
X-Google-Smtp-Source: ABdhPJyKdlJku25vbNOH5fogai8fzJ52bI8PujOd6rqXQ43ntmtBTI2iskQwPKj6xT++UK83H3RhvxwqSZUpBd3lXwQ=
X-Received: by 2002:a19:8116:: with SMTP id c22mr15930903lfd.211.1608222557245; Thu, 17 Dec 2020 08:29:17 -0800 (PST)
MIME-Version: 1.0
References: <mailman.101.1608148813.26870.oauth@ietf.org>
In-Reply-To: <mailman.101.1608148813.26870.oauth@ietf.org>
From: Faisal Rachman <milkfabrication@gmail.com>
Date: Thu, 17 Dec 2020 23:29:04 +0700
Message-ID: <CAKY=D=p2d=u+a6w2DfOf==JhKue+u30D3TzXgPW4kPxuJL8nTQ@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003e95b705b6ab7eb4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XB45Z7clAr8-LZEq5DPy5dXgINc>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 146, Issue 67
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 16:29:31 -0000
On Thu, Dec 17, 2020, 03:02 <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: Secdir last call review of draft-ietf-oauth-jwsreq-30 > (Watson Ladd) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 15 Dec 2020 21:01:29 -0800 > From: Watson Ladd <watsonbladd@gmail.com> > To: Nat Sakimura <nat@nat.consulting> > Cc: secdir <secdir@ietf.org>, IETF oauth WG <oauth@ietf.org>, > last-call@ietf.org, draft-ietf-oauth-jwsreq.all@ietf.org > Subject: Re: [OAUTH-WG] Secdir last call review of > draft-ietf-oauth-jwsreq-30 > Message-ID: > < > CACsn0cnBbb7MO4u0mytq350oAoR44omdkjMA5EA37QupprrQYw@mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > On Sat, Oct 31, 2020 at 6:13 AM Nat Sakimura <nat@nat.consulting> wrote: > > > > Hi Watson, > > > > Thanks very much for the review. I thought I have sent my response > > earlier, which I actually did not. It was sitting in my draft box. I > > apologize for it. > > My apologies for missing it in my inbox for a number of months. > > > > My responses inline: > > > > On Sat, Sep 26, 2020 at 9:46 AM Watson Ladd via Datatracker > > <noreply@ietf.org> wrote: > > > > > > Reviewer: Watson Ladd > > > Review result: Serious Issues > > > > > > I generated this review of this document as part of the security > directorate's > > > ongoing effort to review all IETF documents being processed by the > IESG. These > > > comments were written with the intent of improving security > requirements and > > > considerations in IETF drafts. Comments not addressed in last call > may be > > > included in AD reviews during the IESG review. Document editors and > WG chairs > > > should treat these comments just like any other last call comments. > > > > > > Two minor issues: On page 4, "This offers an additional degree of > privacy > > > protection." should be reworded. I don't think it makes sense in > context, where > > > authenticity was discussed. > > > > > > In the course of the edit, explanation about two distinct privacy > > benefits was collated in one sentence and has become very difficult to > > parse. > > > > What it is trying to express as privacy benefits are the following. > > > > 1) The authorization request content is sent to the AS in the > > backchannel so it will not be exposed through the browser to the eyes > > of an active or passive outsider observing what is going on in the > > browser. In the RFC6749 framework case, the authorization request > > goes through the browser redirect and it could leak to the adversary > > via WPAD/PAC Attack, referrer, browser history, etc. Also, if the > > browser was infected by an adversary controlled malware, the content > > can be sniffed by the adversary. In the case of JAR, it does not > > happen. This is one privacy benefit it is trying to explain. > > > > 2) The location that the authorization request is getting pushed to > > does not have to be the AS. A trusted third party that examines the > > content for the conformance to the collection minimization principle > > may act as the party that accepts the authorization request and issues > > the request_uri. AS can then just evaluate the domain part of > > request_uri to evaluate that the authorization request is conformant > > to this principle. This is another privacy benefit from the point of > > view of the individual user. > > I'm fine with any fix to the sentence that makes sense. Don't think we > need to insert the above but I very much appreciate the explanation. > > > > > > > > It took me a while to understand what the by reference method is: > maybe the > > > intro should say via URL instead of by reference. > > > > > > request_uri can be URL or a handle such as URN. That is why the "by > > reference" word is being used, per the suggestion of the WG. > > I'm fine with that, just noting my confusion. > > > > > > > > > > > > And now for the thorny issues with this draft. Signatures and > encryption are > > > different. And encrypting a signed blob doesn't mean the signer > encrypted it. > > > Then there are a plethora of methods specified in the draft to > authenticate > > > the blob, which will give different results in maliciously constructed > > > examples. The security considerations section should discuss what the > encrypted > > > vs signed choices give in the way of security, and it doesn't. This > makes me > > > worry. > > > > We don?t expect the encryption to ensure authenticity, that?s what the > > signatures are used for. > > This needs to be very clearly spelled out in the text. Lots of people > will not understand this. The wording of section 10.2 is at best > ambivalent, with multiple alternatives presented as acceptable. > > > > <chop> > > > > I didn't quite get what is meant by "plethora of methods specified in > > the draft to authenticate the blob ... " > > There is a bit of text about authenticating the source (=client) but > > not much on the blob itself. > > The discussion around the signature and/or encryption is covered in > > RFC7519 (JWT), the format that the request object assumes. > > This is required reading when implementing this spec, so WG thought it > > is not worth repeating here. > > Attacks etc. on the signature and encryption are covered in RFC7515 > > and RFC7516 respectively. > > Well, the draft happens to include the following text: > "The Authorization Server MUST validate the signature of the JSON Web > Signature [RFC7515] signed Request Object. The signature MUST be > validated using the key for that "client_id" and the algorithm > specified in the "alg" Header Parameter." > > Shouldn't the key be associated with a single algorithm? How do we > ensure that the common attack of telling the server to use hmac to > verify the signature doesn't work here? > > > > > > > > > Looking at the cited reference for attacks, I see the fix is to include > > > information about which IPD was used by the RP. But the draft before > us doesn't > > > mandate that. It's not clear than how the cited attack is prevented by > the > > > draft. Saying that the communication through the user-agent is subject > to > > > > The mention of mix-up attack was introduced after the Last call by one > > of the comment. It just added it in the sentence with a reference. I > > am ok to remove it. > > That works for me. > > > > > Having said that, the heart of mix-up attack is that the combination > > of the client believes that it is communicating with the > > attacker-controlled AS (AAS) while it in-fact is talking to Honest AS > > (HAS), AND HAS unable to find out that the client is thinking that it > > is talking to AAS not him. > > > > OAuth JAR seems to mitigate it in two ways: > > > > a) Use request_uri which is hosted by the AS. Then, if the client is > > thinking that it is talking to the AAS, then it will push it to AAS > > and when the user is redirected to HAS, HAS will find out that the > > request_uri is not created by herself and return an error, making the > > mix-up attack fail. > > > > b) Include `aud` in the request. Then, when the HAS will find that the > > request was minted to AAS and not her. So, it will result in an error, > > making the mix-up attack fail. > > If the draft mandates doing this it addresses the attack and the > sentence can stay. > > > > > So, I added mix-up attack to the sentence thinking the commenter's > > request to add it is fine, but I am fine with removing it. > > > > > manipulation, and this prevents it, ignores that the attacker in that > position > > > sees a lot more. The user-agent as resource owner modifying the > requested > > > resources is a very funny sort of attack: can't they do what they want > with the > > > resources since they control the access? > > > > If the client is in the browser, yes. > > But in the mainstream case, the client is not in the browser but the > > web-server that the browser is communicating with and the resource > > access happens without being mediated by the browser. > > My concern on this point is resolved. > > > > > > > > > > > > Key management is ignored. This is a very important issue, especially > > > > A lot of ground is covered by RFC 7515, 7516, 7517, 7518, 7519, 7591, > > and 8414 so this document is not specifically restating them. > > > > > > > > considering the potential problems with the reuse of JWT. I'd like to > see a > > > > Are you talking about the reuse of the request object by an adversary > > trying to act as an honest client? > > Even if it happens, the malicious client does not have the proper > > client credential so it cannot redeem the code it obtained with the > > token. It is no different than RFC6749 code grant. Protocols that > > extend it, such as OpenID Connect, have introduced nonce to prevent > > the reuse and used JAR (it is called request object there) to further > > protect tampering and achieve client authentication even in the front > > channel. > > > > > recommendation that keys be separated by intended uses, rather than > limiting > > > particular fields in an ad-hoc manner. > > > > Could you kindly elaborate on the "ad-hoc manner" part so that I can > > understand it more fully? > > 10.8, Cross-JWT Confusion discusses avoiding signing certain fields, > rather than suggesting good key usage as a solution. > > > > > > > > > > > > Then we have section 11. What section 11 introduces is an entire new > dramatis > > > personae, the Trust Framework Provider, with no prior discussion of > what it is > > > or a reference to where it is defined and a good number of statements > about how > > > it works that aren't really clear what they mean from the document to > me. > > > > Trust Framework Provider first appears in 5.2.1. > > At the time of writing the related text, it was a pretty well-known > > concept. In the United State, it was part of its National Strategy > > (NSTIC) and internationally, it was even taken up at WEF Davos > > meeting. It is quite surprising that such a mainstream concept faded > > into obscurity so quickly. The reason for introducing it was to a) > > justify request_uri as some WG members wanted it to be removed, b) > > justify that requst_uri to be served from a different domain. Now that > > people appreciate it, e.g., it can be seen from PAR, the justification > > for a) probably is no longer required. A full explanation for b) would > > probably be a much longer text but I doubt if it belongs to this > > document. I am fine with removing the reference to Trust framework > > etc. as long as the capability to push the authorization request to a > > place other than the client or the authorization server is not > > removed. > > Let's remove the text then, but keep the capability. > > > > > > > > > > My biggest concern is that these issues are signs that the problem > this draft > > > is trying to solve and the mechanisms to solve it haven't been > analyzed as > > > thoroughly as they should have been. Without that sort of thorough > analysis > > > it's not certain that the mechanisms actually solve the problem and > it's not > > > clear what the recommendations to implementers have to be to preserve > those > > > properties. > > > > OAuth JAR, as the name "The OAuth 2.0 Authorization Framework: JWT > > Secured Authorization Request (JAR)" suggests, is a framework and not > > a house itself. One such example is FAPI [1] which was formally > > verified [2]. > > "It's possible to use this draft security" I don't think should be > enough anymore. Rather it should be impossible to use insecurely. > > > > > [1] https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md > > [2] https://arxiv.org/abs/1901.11520 > > > > > > > > Obviously this draft has had a long and tortured history with multiple > reviews, > > > and what I'm suggesting needs to happen is a lot of work. But it's > essential > > > in any security protocol to do this analysis and be clear about what > is, and > > > what is not, protected by the protocol. > > > > OAuth JAR is nothing but just another binding to OAuth 2.0. Where RFC6749 > > binds it to form encoding, it provides two additional bindings: > > 1) binding to JWT, and > > 2) binding to the pushed authorization request that is referenced by > a URI. > > It is this simple. As such, it would also inherit some of the > > shortcomings in RFC6749. However, it is not this document to address > > them. It should be done by other documents so that the result can be > > encoded using the mechanisms provided in this document. > > This is not a simple matter. JWT has a long and twisted history with > some pervasive errors in common libraries, and is a fairly large > standard. OAuth 2.0 is also large. Ensuring that the mapping has the > right properties is going to be a mess. If the encoding does not > respect the semantics we have a serious security issue. If > implementors assume the encoding provides properties it does not, we > again have a security issue. > > > > > It is quite surprising that this fact is not getting appreciated and > > is taking such a long time to complete. > > Maybe I should delete all the explanation text and leave it with just > > the core text. Explanation and justification text for defining > > additional bindings probably are just distractions now as it is now > > appreciated and used all over the world unlike when the project was > > started. > > > > > > > > > Sincerely, > > > Watson Ladd > > > > > > > Thanks again for your detailed comments. > > > > Best wishes, > > > > -- > > Nat Sakimura > > NAT.Consulting LLC > > > > -- > Astra mortemque praestare gradatim > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 146, Issue 67 > ************************************** >
- Re: [OAUTH-WG] OAuth Digest, Vol 146, Issue 67 Faisal Rachman