Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

Daniel Fett <fett@danielfett.de> Mon, 25 November 2019 20:50 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB9E120F71 for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 12:50:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvZh9i4y34Xf for <oauth@ietfa.amsl.com>; Mon, 25 Nov 2019 12:49:58 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E33120F6C for <oauth@ietf.org>; Mon, 25 Nov 2019 12:49:57 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id DA7E41B46; Mon, 25 Nov 2019 20:49:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1574714995; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9jKoc77Co40pdEWvwS6sZtoTPAwKOrLGVL7G0NTjEbE=; b=nniH6S8rDGjzHXD/K4ZkF2BPIcMj4LD3Eaj63ALBhyoxk41gARVzeiKVXn5cGpjwjnVij/ HF/UN6ip9H5KMJzjWbpP5hd1cZc9cUyLQQ9YB5AcN7hczQvm6wbvkYMW/WOBImFrPuKjYZ 9zB/BEF49KL7Y3Gycv1EPXNYamU0C1A=
Date: Mon, 25 Nov 2019 21:49:55 +0100
In-Reply-To: <CA+k3eCS1iZ2J_owo627WFuBY=0pYUuQpjRUzq4hpTEHkJPsAQA@mail.gmail.com>
References: <BN8PR00MB056369C04536770FF5B90512F54F0@BN8PR00MB0563.namprd00.prod.outlook.com> <20191123064612.GI32847@mit.edu> <CA+k3eCS1iZ2J_owo627WFuBY=0pYUuQpjRUzq4hpTEHkJPsAQA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----BLSOMZZL69UCJO7XBD2LE8HXYHI0PX"
Content-Transfer-Encoding: 7bit
To: oauth@ietf.org, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
CC: Andrey Labunets <isciurus@fb.com>, "ve7jtb@gmail.com" <ve7jtb@gmail.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <206E3AEC-7152-465F-B78E-7BF91B6E3D59@danielfett.de>
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1574714995; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9jKoc77Co40pdEWvwS6sZtoTPAwKOrLGVL7G0NTjEbE=; b=gz0mYjqqIAlwU3tG/YDdjmUCD3MwSVbQo+feWlUxptbauuf6xClxaZlb8YRNwc8vg68t8+ XpfTfPSRJOUq0LV1sijZrbflCiWxCXfcXqvM7++wmBplyQPO4GhRXoFlxzq0opLvWWCs/n BneljQi0Yo5uiA3KcBrpW9cOFPW1DJk=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1574714995; a=rsa-sha256; cv=none; b=a0SJQ74c55wJeluNMLgvoH6Xgh/n90WCLaO+zCrYV4/ARhPcySq97VWXQ1BDuijHqNAnO3Q6rsi31r+7L471yQZ9s8WAtXu5Jg41zjuUSyTQO1X4NVdcUAJ9g09Lyvprd8YYsskEj+yqVEhxZJdIwkz/uNhM6gAqWlpzc+9Ye0w=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XVAf5J4AFU08-eMwLv9Ngd0tfYM>
Subject: Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2019 20:50:00 -0000

+1. We should only discuss solutions if we would be okay with people actually implementing them. (See also my feedback to Guido's review.)

-Daniel

Am 25. November 2019 20:41:45 MEZ schrieb Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>rg>:
>On Fri, Nov 22, 2019 at 11:46 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> On Wed, Nov 20, 2019 at 03:40:34AM +0000, Mike Jones wrote:
>> > SUBSTANTIVE
>> >
>> [...]
>> >
>> > 4.8.1.1. Metadata - This section suggests the use of a
>> "resource_servers" metadata value.  This isn't defined by RFC 8414
>nor do I
>> see it the IANA OAuth Authorization Server Metadata registry at
>>
>https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata.
>> Is this something that's been standardized elsewhere?  If so, please
>add a
>> citation.  If not, please clearly say that this metadata value is not
>> standardized, and is therefore unlikely to be interoperable.
>>
>> I would go further and say that we should not document "best
>practices"
>> that involve non-standardized values.
>>
>> > 4.8.1.1. Metadata - This section suggests the use a
>> "access_token_resource_server" token response value.  Please likewise
>> clearly say that this parameter isn't a standard.
>>
>> (ditto)
>>
>
>The document has a number of occurrences similar to these where a
>particular solution is discussed even though it's not been standardized
>and/or isn't actually a recommendation of the document. Such
>discussions
>can instructive and have valuable information. But I wonder if it might
>be
>more appropriate to omit them from the BCP? When the document is read
>and
>understood in its full context, I do think the scope and intent of such
>discussions are made reasonably clear. However, they could be pretty
>easily
>misunderstood by someone just reading individual subsections or from
>citing
>parts of the document text without the larger context. I guess I'm
>thinking/suggesting that it'd be better if the BCP only focused on the
>actionable recommendations it is making. And omit background type
>discussion of alternative approaches that didn't get used for whatever
>reason. Or, if they do stay in the document, de-emphasize them even
>further
>like maybe moving them into an appendix rather than the main body of
>the
>doc.
>
>-- 
>_CONFIDENTIALITY NOTICE: This email may contain confidential and
>privileged 
>material for the sole use of the intended recipient(s). Any review,
>use, 
>distribution or disclosure by others is strictly prohibited.  If you
>have 
>received this communication in error, please notify the sender
>immediately 
>by e-mail and delete the message and any file attachments from your 
>computer. Thank you._

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.