Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-15.txt

Daniel Fett <fett@danielfett.de> Thu, 07 May 2020 08:23 UTC


Hi Denis,

On 05.05.20 at 17:19, Denis wrote:
> Comments on draft-ietf-oauth-security-topics-15
>
> 1) Historically, the acronym RO (Resource Owner) has been used and is
> still used in this document.
> Since a client is no longer necessarily an RO, it would be more
> adequate to use the word "Client" instead of "RO" in this document.
>
The terms Resource Owner and Client are clearly defined in RFC6749 and
refer to two different entities.
>
>
> 2) The structure of the document is the following:
>
>    1.  Introduction
>    2.  Recommendations
>    3.  The Updated OAuth 2.0 Attacker Model
>
> It is rather odd to have recommendations placed before the Attacker
> Model. Before providing solutions to some problems,
> it is important to understand what the problems are. The Updated OAuth
> 2.0 Attacker model should be placed after the introduction.
>
> The "most important recommendations of the OAuth working group for
> every OAuth implementor" should be placed after the "Attacks and
> Mitigations" section.
>
This structure was chosen specifically to have the recommendations -
arguably the most important section for everyday users of OAuth - in the
front.
>
>
> 3) The "_Updated_ OAuth 2.0 Attacker Model" is supposed to have been
> "updated to account for the potentially _dynamic relationships
> involving multiple parties_".
> However, it still fails to address the case of _dynamic relationships
> between clients_, which includes scenarios of _collaborative clients_.
>
That is not correct. Web attackers (A1) can participate in the protocol
as one or more users (resource owners) or clients. Of course, these can
collaborate with each other.

> Such a collaboration between clients is possible and should be
> considered in the "updated model".
>
This is considered in the model.
>
> which are human beings, it cannot be assumed that all the human beings
> in the world will necessarily be honest. Whether or not OAuth 2.0 is able
> to counter such an attack is another issue.
>
This as well.
>
> In another section, it should be mentioned that OAuth 2.0 is unable to
> counter such an attack.
>
The problem is not that this type of collusion attack is not possible
under the model. The problem is that it is not commonly expected that OAuth
protects against this type of attack.

-Daniel

> Stating that such an attack is "out of the scope" of OAuth 2.0 would
> not be an appropriate statement.
>
> It should not be forgotten, that the purpose of this document is to
> inform the reader about _all_ the relevant security issues.
>
> Denis
>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>
>>         Title           : OAuth 2.0 Security Best Current Practice
>>         Authors         : Torsten Lodderstedt
>>                           John Bradley
>>                           Andrey Labunets
>>                           Daniel Fett
>>         Filename        : draft-ietf-oauth-security-topics-15.txt
>>         Pages           : 46
>>         Date            : 2020-04-05
>>
>> Abstract:
>>    This document describes best current security practice for OAuth 2.0.
>>    It updates and extends the OAuth 2.0 Security Threat Model to
>>    incorporate practical experiences gathered since OAuth 2.0 was
>>    published and covers new threats relevant due to the broader
>>    application of OAuth 2.0.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-15
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-15
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth