Re: [OAUTH-WG] DPoP - Document Shepherd Review
Daniel Fett <fett@danielfett.de> Wed, 27 July 2022 23:53 UTC
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B504FC13CCDC for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 16:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.808
X-Spam-Level:
X-Spam-Status: No, score=-2.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l8taDczSw3iH for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 16:53:37 -0700 (PDT)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [80.241.56.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97FEBC14CF1C for <oauth@ietf.org>; Wed, 27 Jul 2022 16:53:35 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4LtVwV22STz9sZJ for <oauth@ietf.org>; Thu, 28 Jul 2022 01:53:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1658966010; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=f6qVzMc4WJ/lZrVgOJvQ0seKE9si6/JpnQEaOmsnPrc=; b=zEWwLZCAYZLcOSL0YzH76hpPvvR7xWcYE1XCs2xQGjKmR9i6ACz0o2Tq4pNsUfbNmdKUvk Uxrb26Eir8r2QSPR9sbcZV2ZfXOruleTHod4mgpmDW4lRqUOA5Jk5jiE2TsGW8+Dns80w1 t4hmm2/I994gBwQIWEH2vzVw2w6yafPJNAEu0+GCu+MSOSML7r/aWWWDLC8rqwHSL3i8px 0l4WuSaANEF02np49ZcUL3q+bRUgW69lGItlWChwBMQpWCR1sz4H8hWFoRY00QEWwIoQB3 cUrVqMm5durdKQ16Uc06dvlE8qzSkh9HAkJ2SueYBtUf3TQmhLxp1WsSBccPmg==
Content-Type: multipart/alternative; boundary="------------ZUzLGP4TO9gfG0DDejDg71Ok"
Message-ID: <6c5275da-8876-e64d-b081-b250feb4fd46@danielfett.de>
Date: Thu, 28 Jul 2022 01:53:25 +0200
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <CADNypP_0LLLmwdPa2sjsp8mmjOO2woQbdLf3XyPzUsJ_CuogXQ@mail.gmail.com> <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com> <CADNypP-nrgPHHbmxUZke=9UdpHWhv9wnd-v5vdC-36jgSSNBUw@mail.gmail.com> <CA+k3eCR5uZwGnnqN13WpPOeE0TseCACi=K3NDwu5k4NWtfex8A@mail.gmail.com> <CA+k3eCS4WjaW3A7VUnkb+Wtq3HTogqi2uG6EQppcKOkC9r7d2w@mail.gmail.com> <CA+k3eCRzXnWo-P3UHrmyOHm3etx+afH8MUsqne20s2B2q8J0NA@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
In-Reply-To: <CA+k3eCRzXnWo-P3UHrmyOHm3etx+afH8MUsqne20s2B2q8J0NA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Zg9rt028P3WxukDJ7cb5Vl1-XEQ>
Subject: Re: [OAUTH-WG] DPoP - Document Shepherd Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 23:53:42 -0000
Apologies accepted! :-) Am 28.07.22 um 01:11 schrieb Brian Campbell: > I need to make one more apology - this time for the incorrect spelling > of Dr. Fett's name (should be Daniel not Danial). My apologies. > > On Wed, Jul 27, 2022 at 6:43 PM Brian Campbell > <bcampbell@pingidentity.com> wrote: > > Thanks Rifaat and others for the vibrant* discussions about the > DPoP draft in the side meeting yesterday. > > I thought it'd be appropriate to share/reiterate the three action > items we'd agreed on during the meeting (as I remember anyway): > > 1. Justin to review the text about why we have the AT hash and > either create a PR adding additional motivations or say that > what we have is already sufficient > 2. Danial to add some text to further explain decisions with > respect to PAR > 3. Brian (aka me) to add a parenthetical remark to the Signature > Algorithms subsection listing 'ES256' > > PR's for the latter two are here > <https://github.com/danielfett/draft-dpop/pull/165> and here > <https://github.com/danielfett/draft-dpop/pull/166> respectively. > And yes, this message is, at least in part, a passive-aggressive > reminder to Justin about #1. > > The slides that I used to try and help guide the discussions are > attached. They are admittedly rather suboptimal but I'm including > them for the sake of transparency (and because they have a couple > of photos). > > > * my apologies for being overly vibrant at times > > > > > On Wed, Jul 6, 2022 at 4:32 PM Brian Campbell > <bcampbell@pingidentity.com> wrote: > > Thanks Rifaat! > I will make those changes in the document source and come to > Philly prepared to discuss the other items. One of the side > meetings seems like a good forum for that, good idea. > > On Tue, Jul 5, 2022 at 11:14 AM Rifaat Shekh-Yusef > <rifaat.s.ietf@gmail.com> wrote: > > Thanks Brian! > See my replies inline below. > > > On Thu, Jun 30, 2022 at 6:52 PM Brian Campbell > <bcampbell@pingidentity.com> wrote: > > Thanks for shepherding Rifaat. And apologies for the > slow reply. My attempts at answering questions and > responding to comments are inline below. > > > On Fri, Jun 3, 2022 at 11:55 AM Rifaat Shekh-Yusef > <rifaat.s.ietf@gmail.com> wrote: > > The following is my review as a document shepherd: > > Section 4.3 > > Last sentence > > Since the document uses “SHOULD”, this implies > that there are some valid cases where this is not > needed. > > Should a text be added to explain when this is not > needed? > > > > What about giving a bit more context about why they > should? Changing that sentence to say, "To reduce the > likelihood of false negatives, servers SHOULD employ > Syntax-Based Normalization (Section 6.2.2 > <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) and > Scheme-Based Normalization (Section 6.2.2 > <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) > before comparing the |htu| claim." And also maybe > changing it to a little "should". > > Yes, that works. > I suggest keeping it as "SHOULD" to encourage implementers > to use this, unless they have a really good reason not to. > > > Section 6.1 > > 1. > > First sentence - what is the reason for using > “SHOULD”, instead of “MUST” in this case? > > > > Good question. I think it was a bit of carryover from > OAuth in general not strictly defining access token > format or content. And wanting to not encroach on > that. But that's kinda covered/allowed for in general > by Section 6 already. And Section 6.2 is effectively > the same as 6.1 but for introspection and it doesn't > use "SHOULD". I think the “SHOULD” in the first > sentence of 6.1 should be removed thereby making it an > implicit must - like "when using JWT, this is how it > is". That would align with the way it's described for > introspection. Also leaves some room for hash > algorithm agility via a new confirmation method member > (described in > https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#name-access-token-and-public-key) > without going against a "MUST" > > I am fine with removing the "SHOULD" to make it an > implicit must. > > > > > 2. > > The DPoP Proof contains a hash of the Access > Token, and the Access Token contains a hash of > the public key in the DPoP Proof. > > Why do you need both? Would one of these be > sufficient? > > > > The latter (AT containing a hash of the public key in > the DPoP Proof) is needed and largely sufficient for > the main goals of binding the AT to a key held by the > client. The former (DPoP Proof containing a hash of > the AT) was added later via very rough WG consensus - > it can prevent some esoteric swapping of tokens that I > never really understood to be honest and also limits > the impact of using maliciously precomputed and > exfiltrated proofs > (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-2-6 > talks about it a bit). Use of the nonce mechanism, > which was added to the draft even later, also (and > better) protects against precomputed and exfiltrated > proofs. The value of the AT hash in the proof seems > somewhat questionable. To me anyway. But removing it > at this point is potentially problematic due to > inertia, existing implementations/deployments, rough > WG consensus, and more. > > I think that at least a text is needed to justify this, > and explain the "it can prevent some esoteric swapping of > tokens" issue. > Maybe we can discuss this during one of the side meetings > in Philly. > > > Section 7.1 > > 1. > > “if the request does not include valid > credentials or does not contain an access > token sufficient for access, the server > canrespond with a challenge to the client to > provide DPoP authentication information.” > > > Should the “can” be replaced with a “SHOULD”? > > > > FWIW, there was some discussion around that sentence > that included some pushback on dropping the "can". > https://github.com/danielfett/draft-dpop/issues/119 > and https://github.com/danielfett/draft-dpop/pull/122 > have the conversation. I'm rather hesitant to try and > change it after all that. > > Ok > > > 2. > > Also, I think it would be clearer if you can > explicitly state what the authorization server > should do when it does not challenge the > client, which I am assuming will be something > along the lines of: “the authorization server > issues an error response per Section 5.2 of > RFC6749“ > > > > The section in question is about protected resource > access so anything about the authorization server > wouldn't be appropriate there. The protected resource > / RS always has the option to simply fail the request > and can do that however it sees fit. I'm not sure how > to state that in the document text. Or if anything > should be stated, honestly. > > Ok > > > Section 7.2 > > 1. > > “Specifically, such a protected resource MUST > reject a DPoP-bound access token received as a > bearer token per [RFC6750 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>].” > > > I think that I understand what you are trying to > say with this sentence, but the way the sentence > reads is confusing to me. > > I am assuming what you are trying to say is > something along the lines of “a dpop protected > resource must reject a request that provides a > bearer token”. Is that correct? If so, can you > please rephrase the sentence to make it clearer? > > > > That's not quite correct. That paragraph > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-7.2-1> > (copied below) is attempting say that a protected > resource that will accept either "Authorization: > Bearer <bearer token>" or "Authorization: DPoP > <dpop-bound token>" is required to reject a request > that uses the Bearer scheme with a DPoP-bound access > token. This is to prevent downgraded usage of a bound > access token without demonstrating possession of the > key to which it is bound. > "Protected resources simultaneously supporting both > the |DPoP| and |Bearer| schemes need to update how > evaluation of bearer tokens is performed to prevent > downgraded usage of a DPoP-bound access token. > Specifically, such a protected resource MUST reject a > DPoP-bound access token received as a bearer token per > [RFC6750 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#RFC6750>]." > > Got it. > > > 2. > > “A protected resource that supports only > [RFC6750 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>] > and is unaware of DPoP would most presumably > accept a DPoP-bound access token as a bearer > token” > > > Wouldn't such a resource server check the value of > the WWW-Authenticate header to make sure it > contains the Bearer scheme, which means that the > request is most likely to be declined? > > > > What that is trying to say is that a protected > resource that only does or knows about the RFC6750 > Bearer scheme ("Authorization: Bearer <token>") will > almost certainly accept a bound access token sent via > the Bearer scheme. > > Ok > > > Section 10.1 > > Why define two different mechanisms to achieve the > same thing? > > This seems to add complexity without an obvious > benefit. > > > > This is a bit of a tricky area. The benefit with PAR > is the direct request from client to AS, which allows > for an actual DPoP proof to be used for the eventual > binding of the authorization code to the key. Also the > client doesn't have to do the JWK hash in that case. > Whereas the normal authorization request is indirect > via the browser and just a hash of the key is given > for the code binding with the dpop_jkt parameter. And > the client has to compute the hash. But PAR is just an > alternative way to pass the authorization parameters > (like dpop_jkt) so it's kinda awkward to use things > together like this. > https://github.com/danielfett/draft-dpop/issues/103 > and https://github.com/danielfett/draft-dpop/pull/111 > have some discussion around this but there was some in > person talk too so that's not complete. > > I don't love that there's two different mechanisms > here. But it's what we were able to come up with given > all the factors. Certainly open to considering > improvements but am pretty much at a loss of what that > might be. > > Let's discuss this during one of the side meetings in Philly > > > Section 11.6 > > Should the algorithms be explicitly called out? Or > at least reference a document that calls out such > algorithms? > > > > There isn't a single such document and it's not > necessarily a static list of algorithms. I was about > to say we could point to the JOSE alg registry but > glancing again at it > https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms > and I suspect that'd confuse more than help. We could > perhaps list some/many of the algs with the > qualification that it's not an exclusive or complete > list? But I'm not sure how useful that would be, to be > honest. > > If you do not specify any algorithm, how do you ensure > interop? > I think this is worth a discussion in Philly > > > Section 11.7 > > Why is OAuth Token Binding included? > > > > Yeah, that doesn't make sense to encourage its use > because it's not a viable thing to use. OAuth Token > Binding should be removed from Section 11.7. Was that > what you were getting at? That particular text in the > paragraph that mentions token binding has been in the > draft for a long time and honestly never made a lot of > sense to me. So I could envision removing more. But > that's maybe more than you were aiming for. > > I am actually in favor of removing it > > > > Section 11.8 > > Why not include algorithm agility to make sure the > mechanism is ready to allow for more secure > algorithms in the future? > > > Algorithm agility is a whole can of worms that can be > accomplished in different ways with different amounts > of added complexity and potential vulnerabilities and > issues of interop and MTI. Section 11.8 describes how > DPoP allows for algorithm agility (without using the > exact words) by suggesting that new dpop binding cnf > method and/or AT hash claim be defined using a > "better" hash algorithm if/when the need arises (OAuth > 2.0 Mutual-TLS takes a similar approach FWIW). The > intent of doing it that way was to keep things as > simple as possible in the spec right now without > completely closing the door on future needs. . > > This is another topic that is worth a discussion in Philly. > > Regards, > Rifaat > > > /CONFIDENTIALITY NOTICE: This email may contain > confidential and privileged material for the sole use > of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly > prohibited. If you have received this communication > in error, please notify the sender immediately by > e-mail and delete the message and any file attachments > from your computer. Thank you./ > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Daniel Fett
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Justin Richer
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Justin Richer
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Brian Campbell
- Re: [OAUTH-WG] DPoP - Document Shepherd Review Rifaat Shekh-Yusef