Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
Vladimir Dzhuvinov <vladimir@connect2id.com> Sat, 15 August 2020 09:08 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E493A0BB3 for <oauth@ietfa.amsl.com>; Sat, 15 Aug 2020 02:08:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.846
X-Spam-Level:
X-Spam-Status: No, score=-2.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gaxBl8xrXLTC for <oauth@ietfa.amsl.com>; Sat, 15 Aug 2020 02:08:15 -0700 (PDT)
Received: from p3plsmtpa11-01.prod.phx3.secureserver.net (p3plsmtpa11-01.prod.phx3.secureserver.net [68.178.252.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3647B3A03F6 for <oauth@ietf.org>; Sat, 15 Aug 2020 02:08:15 -0700 (PDT)
Received: from [192.168.88.250] ([94.155.17.31]) by :SMTPAUTH: with ESMTPSA id 6sAfkxyBbHQQg6sAfkNmFD; Sat, 15 Aug 2020 02:08:14 -0700
X-CMAE-Analysis: v=2.3 cv=dP7YZ9Rb c=1 sm=1 tr=0 a=+I3yL00+yDwT8KNLgfs+4A==:117 a=+I3yL00+yDwT8KNLgfs+4A==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=xtERp6CFAAAA:8 a=LS6YZpeZAAAA:8 a=CkCSO0AFltHdHg0NKiIA:9 a=UR4Lg1ZIErWInBm7:21 a=3IWyPOl_RQVtTCPE:21 a=QEXdDO2ut3YA:10 a=pGLkceISAAAA:8 a=H9G8NMRP0_dzQifCOcoA:9 a=QJSBtuG2y9jNsrI-:21 a=_VuVndoiVJT99tJ2:21 a=kDDuPKFVSR0Q3G_W:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=w1C3t2QeGrPiZgrLijVG:22 a=IRr2vCDBpksuBOXhfkKu:22
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: oauth@ietf.org
References: <MN2PR00MB06863A1064A05D8029C44788F5431@MN2PR00MB0686.namprd00.prod.outlook.com> <CALAqi_9M40enpWOMO2h5rVdiveOxh6hnA1ZLc9EJJ-H_Fp59+g@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Autocrypt: addr=vladimir@connect2id.com; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <c9620f5f-55f2-9b85-61ad-bac5dc1e9877@connect2id.com>
Date: Sat, 15 Aug 2020 12:08:12 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CALAqi_9M40enpWOMO2h5rVdiveOxh6hnA1ZLc9EJJ-H_Fp59+g@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050908070906080700000000"
X-CMAE-Envelope: MS4wfPHXgaYTr2x/Eq8ARmtBPlecj7FGU41plCkoARC/9CIMIz/vTbduDyFD1vxXt1PwRh66GcHXf7xhMQ4gikkyBWxkFiN0hJVQG9kes36NjbwLM/UXPg0k eGSZS52jcPpwEyQC1d+A3WC4vv4oSTxhm3t4pdPNUOH+kJ1mPbGemX7/
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XqoB09pcpIOOfa1C9zAyHcB-xds>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Aug 2020 09:08:18 -0000
+1 to make the "typ" check, as Filip suggested, normative, as existing client and RP deployments with undefined "typ" will not be affected. New deployments should be encouraged to type the JWT, and thus be made safer. Regarding the "sub != client_id" check -- could a simple rejection of all JWTs with "sub" present suffice? I find it difficult to imagine what else a client could end up setting the "sub" claim to, if it does end up populating it for some reason. Rejecting JWTs with "sub=client_id" or "sub" present will break deployments where a client for some reason sets the "typical" JWT claims, and "sub" is a typical one, but if those deployments happen to accept client_secret_jwt or private_key_jwt client authentication, they could well be vulnerable to cross-JWT confusion attacks. Vladimir On 14/08/2020 13:58, Filip Skokan wrote: > Hi Mike, Nat, > > I thought we would go as far as making these normative requirements > > * if the Request Object includes a sub claim with the value of the > client_id the AS MUST reject the request > * if the Request Object is explicitly typed (typ) its value MUST be ... > > First rejects client assertions to be passed as Request Objects. > Second rejects all future typed JWT profiles from being used as > Request Objects without worrying about the claims they may or may not > contain. > > Or is that breaking? > > S pozdravem, > *Filip Skokan* > > > On Fri, 14 Aug 2020 at 00:59, Mike Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org > <mailto:40microsoft.com@dmarc.ietf.org>> wrote: > > At Nat's request, I've created a pull request addressing Cross-JWT > Confusion security considerations. It addresses both Brian's > comment and the IESG comments about explicit typing. See the full > PR at https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10. > See the source diffs at > https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml. > Please review! > > This is only the first commit, albeit, one that addresses some of > the must substantive issues. More commits will follow addressing > additional IESG comments. > > -- Mike > > -----Original Message----- > From: OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> On Behalf Of Benjamin Kaduk > Sent: Thursday, August 13, 2020 2:59 PM > To: Brian Campbell <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> > Cc: draft-ietf-oauth-jwsreq@ietf.org > <mailto:draft-ietf-oauth-jwsreq@ietf.org>; oauth-chairs@ietf.org > <mailto:oauth-chairs@ietf.org>; The IESG <iesg@ietf.org > <mailto:iesg@ietf.org>>; oauth <oauth@ietf.org > <mailto:oauth@ietf.org>> > Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on > draft-ietf-oauth-jwsreq-26: (with COMMENT) > > Oops, that's my bad. Thanks for the correction -- I've linked to > your message in the datatracker (but didn't bother to have the > datatracker send a third copy of my updated-again ballot position). > > -Ben > > On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote: > > While some discussion of why explicit typing was not used might be > > useful to have, that thread started with a request for security > > considerations prohibiting use of the "sub" with a client ID value. > > Because such a request JWT could be repurposed for JWT client > > authentication. And explicit typing wouldn't help in that situation. > > > > On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker < > > noreply@ietf.org <mailto:noreply@ietf.org>> wrote: > > > > > > > > > -------------------------------------------------------------------- > > > -- > > > COMMENT: > > > > -------------------------------------------------------------------- > > > -- > > > > > > [updated to note that, per > > > > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0 > > > eaE/ and the JWT BCP (RFC 8725), some discussion of why explicit > > > typing is not used would be in order] > > > > > > > > > > -- > > _CONFIDENTIALITY NOTICE: This email may contain confidential and > > privileged material for the sole use of the intended > recipient(s). Any > > review, use, distribution or disclosure by others is strictly > > prohibited. If you have received this communication in error, > please > > notify the sender immediately by e-mail and delete the message > and any > > file attachments from your computer. Thank you._ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Vladimir Dzhuvinov
- [OAUTH-WG] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk via Datatracker
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Brian Campbell
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Benjamin Kaduk
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Mike Jones
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Filip Skokan
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No… Mike Jones
- Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No… Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No… Joseph Heenan