Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 20 February 2016 09:46 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15A8E1A3BA3 for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2016 01:46:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.606
X-Spam-Level:
X-Spam-Status: No, score=-2.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sPiYWyqEAfsX for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2016 01:46:49 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5054A1A1BE5 for <oauth@ietf.org>; Sat, 20 Feb 2016 01:46:49 -0800 (PST)
Received: from [192.168.10.140] ([195.149.218.208]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0LgZRV-1aCWd50bTR-00nwh0; Sat, 20 Feb 2016 10:46:42 +0100
To: William Denniss <wdenniss@google.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com> <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <56C8360C.8010203@gmx.net>
Date: Sat, 20 Feb 2016 10:46:52 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="CiaBpSqnAoJMDHv3bJ53cXEg6NpQ3StTr"
X-Provags-ID: V03:K0:2tFXdpT5bERSOS2/Dkc8QanhONNpknxnO0AeOXyDt1Lsw06CjJh uyFmI94sGW4E1WXiV2E1Ln0LP0cRWLEKZVfS8+rM694NXptP17F97noR3kdECfo8GEAS2Ay 7ReuBukCcTlxSwbNTyNnpbfQZfDRc2wLK+K4977f3KGC3s4FgjF96FbBSgkxMKALjqPaerg yEOmSWzdMXoUXQNkcAgTQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:/tg89MnhD40=:UiGXv0ExQejAY4XmN2dsig L0gvM1H9YUJiLP7dYsGE+lYlbk7m9AafCNyxfy33TM0V9PWbZGajaRNqpM0RCCWbe5Vikgfjg 0OeebD01FOtAp0DXLh7CIVv/Z05qtcJZFO2PGhKbezD60x0PJ2L9LDYDdG8A9bV1wnIjBb10p FAZyCaIbTmB3iRnc1REvqs2ndhr365Xhx7+rL29Nd34qRejmQi4c9vBhrYm2oQ3Kh2F+bwP7l Z+lluSXbeUT1WYW8CLhciiuW3DfmNJ6DD/SsQNy/rCjK///2SwIgJatfDZkNUSouwf+1fmD+1 ftzzms/CEwYzzDUgZrz7UfjzJGMgRQ2BzXYAlqt39nIVRUGPL0FfuDGvpKo4VhE2iroF1J3Xo 09RmNuPas7P7Dxv4OeDyFZDdAZLUKJWYqa7sDrlhakcziyFtQOSp75XVi0m1KPyRZk6FSiQk2 wFnYDmjFNFpry22m+WqUwZOt3F3l570ZiK5625DfOL5955qmp2KAsRwTi9AsxvU3cKrkkhABa fy2Fmirq/Gyl7dqE3hTsAZdAmJnazCNKC5zFdUaLjQJ8y1PZNqgEfWcNFkvqCP4tszMdfss0I HleZT7BPI8iltEBLj1nMrsePPwXRkQzP4xqHHkXy+zsZ2QTZc0gFzLjJg9S8jUWEDYVqIHrJp w2yARZOEuMlOz4mE1qT9GMADj7YC3JFfQPLXnXZEFyt6x3vKqe+yMO6zMcmNqkS76He58bSWC hYGgzu8WSw7qHbas+Gp/Ay9ttq2SFyLecbpdgPbUxh7hPj3bYN3acQGAs6s=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/XzjeovOOx5vEXaLvx1x-R09GTp0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2016 09:46:52 -0000

Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since the motivate the
reason for doing the work but there is nothing in these publications
that raises interoperability concerns.

I believe the solution documents need to be descriptive enough that they
explain the threats so that a reader who does not read through the
informative reference section still understands what's going on.

> For my own knowledge: what are some of the use-cases that are subject
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist
> which are mitigated by this draft?

This is something I criticized in my review as well. IMHO the documents
could do a better job in describing the threats and particularly the
assumptions that need to hold in order for the attacks to work. Without
those it will be difficult to inform readers when this is a concern and
what level of risk this represents.

Ciao
Hannes