IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Phil Hunt <phil.hunt@oracle.com> Thu, 16 October 2014 16:57 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B091A0195; Thu, 16 Oct 2014 09:57:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQOQinjX8pk4; Thu, 16 Oct 2014 09:57:27 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B81EE1A00E9; Thu, 16 Oct 2014 09:57:10 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s9GGv8qp000916 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 16 Oct 2014 16:57:09 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9GGv73x014817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 16 Oct 2014 16:57:08 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s9GGv7Zv002171; Thu, 16 Oct 2014 16:57:07 GMT
Received: from [192.168.1.133] (/24.87.24.131) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 16 Oct 2014 09:57:07 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_5AFC13B7-50E7-4EB6-B5E3-11BC40117701"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com>
Date: Thu, 16 Oct 2014 09:57:05 -0700
Message-Id: <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1878.6)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Y6ztw4E__NmLr_-A7wO8V2RlI8k
Cc: Richard Barnes <rlb@ipv.sx>, "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 16:57:33 -0000

It is also important for a non-protocol purpose. Liability.

If a 3rd party uses an assertion that was not intended for it, it cannot obviously hold the asserting party responsible.  

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Oct 16, 2014, at 8:43 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> Thanks for your review and feedback, Richard. Replies are inline below...
> 
> On Wed, Oct 15, 2014 at 9:47 PM, Richard Barnes <rlb@ipv.sx> wrote:
> Richard Barnes has entered the following ballot position for
> draft-ietf-oauth-assertions-17: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> "The assertion MUST contain an Audience that identifies the Authorization
> Server as the intended audience.  Assertions that do not identify the
> Authorization Server as an intended audience MUST be rejected."
> 
> Could you please identify the threat model within which this "MUST" is
> required?  This requirement doesn't follow from any of the threats
> elaborated in Section 8.
> 
> The Audience is only necessary if the Issuer wishes to constrain the set
> of Authorization Servers with which an assertion may be used.  So ISTM
> that this should be "MAY contain..."
> 
> 
> 
> The audience restriction let's the issuer say specifically what relying party is allowed to consume the assertion, which ensures that the client can't use it somewhere else that it wasn't intended and that the relying party that receives the assertion can't turn around and use it to access some other service.
> 
> Strictly speaking, you are right that the audience is only necessary if the Issuer wishes to constrain the set of Authorization Servers with which an assertion may be used. But the Issuer really really really should make that constraint and fully understanding the implications of not doing so is difficult and unlikely. 
> 
> There was a vulnerability in Google apps SAML a few years back that demonstrates how important audience restriction is and how it can be difficult for even very sophisticated providers to get it all right. I haven't had time to read it again to make sure but I think that this is the paper http://www.ai-lab.it/armando/pub/fmse9-armando.pdf
> 
> I don't see what value allowing audience to be omitted brings other than that it is academically a possibility. But requiring it (hopefully, if the requirement is followed) helps reduce the possibility of a whole bunch of security problems that folks likely won't foresee.
> 
>  
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> "keyed message digest" -> "Message Authentication Code"
> 
> That's the proper terminology [RFC4949], especially since there are MACs
> that are not based on digests.
> 
> OK
>  
> 
> "This mechanism provides additional security properties." -- Please
> delete this or elaborate on what security properties it provides.
> 
> Will delete.
>  
> 
> Section 8.2 should note that "Holder-of-Key Assertions" are also a
> mitigation for this risk.
> 
> 
> OK
>  
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email