Re: [OAUTH-WG] Call for Adoption

Mike Jones <> Thu, 21 January 2016 07:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 68BE71A01E7 for <>; Wed, 20 Jan 2016 23:55:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KZqfJ1hkI_hH for <>; Wed, 20 Jan 2016 23:55:23 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::795]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C39B81A0267 for <>; Wed, 20 Jan 2016 23:55:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=2Ta/NKsrmVxY9G0wGnROqLpePuM9hetZKYUDHpfZTVc=; b=T/8gF1x9aEBX5WbHefApIIFKL3WvU3dBCt+MVx46aZZC9T76P5INWeUJXbffP0fHzzTFBgeWd021Rf028/1TOyglLKGuHyMrukWVkr/Gw7O4NOyUzv6ox3/ajWWTciZD/lV/qeiuG8aBYycII0njN8qxbkF8YJbUd4ncQzdRq/A=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.365.19; Thu, 21 Jan 2016 07:55:03 +0000
Received: from ([]) by ([]) with mapi id 15.01.0365.024; Thu, 21 Jan 2016 07:55:03 +0000
From: Mike Jones <>
To: Nat Sakimura <>, William Denniss <>, Justin Richer <>
Thread-Topic: [OAUTH-WG] Call for Adoption
Date: Thu, 21 Jan 2016 07:55:03 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 6579f31b-9bf4-4045-474b-08d322382bb3
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:V765I9Tl7VAdVYD5IEBlssEYcQStP6FXgMPoWVm6VXUCgOccCWxGUGUvLNs2TslU2HewJBmgWvBgNIRZQ+zAFVrpSuItC1KtMXUjQNNeEx4PSj/Hn3kVwuFkj9antXvA368mG+g9edphh5sdyxROvQ==; 24:04hed5Y/9jmcspqqzWHQ/hehJrcWIhUcd95w/ZnRhnPJ+PNCrnZQYGM1iDHkKsBZtF+62hYwTS/rMjmlzgDQTWpk44gEOVnXXo+gY04r7mU=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441; UriScan:;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 08286A0BE2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(189002)(479174004)(53754006)(377454003)(199003)(24454002)(102836003)(790700001)(2900100001)(40100003)(5003600100002)(8990500004)(19580405001)(86362001)(77096005)(19617315012)(33656002)(93886004)(561944003)(19625215002)(5001960100002)(50986999)(19580395003)(76176999)(19300405004)(16236675004)(99286002)(74316001)(5002640100001)(15975445007)(81156007)(97736004)(122556002)(86612001)(54356999)(11100500001)(66066001)(106116001)(101416001)(92566002)(586003)(2171001)(19609705001)(3846002)(2950100001)(5008740100001)(105586002)(10290500002)(189998001)(1096002)(10090500001)(5001770100001)(6116002)(76576001)(4326007)(10400500002)(5005710100001)(5004730100002)(1220700001)(106356001)(2906002)(87936001); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442EA7CE4F9728C2E39BBEAF5C30BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2016 07:55:03.3710 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Call for Adoption
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 07:55:29 -0000

My memory of the discussions of the oauth-meta draft in Yokohama were that many people felt that it was unnecessarily dynamically duplicating a lot of information that the client already had.  Most of us that were aware of the attacks then were in favor of a more targeted, minimal approach.  You were listened to in Yokohama, but that didn’t necessarily mean that people agreed with the approach.  Participants were already aware of the oauth-meta proposal in Darmstadt but no one spoke up in favor of it that I can recall.  Rather, I think people were thinking that “less is more”.

There have also been discussions in the last day about how dynamically returning a resource URL, which oauth-meta does, is both unnecessary (since the client initiated the resource authorization already knowing what resource it wants to access) and often problematic, since many authorization servers can authorize access to multiple resources.  If anything, the client should be telling the authorization server what resource it wants to access – not the other way around.

I’m not saying that there aren’t some good ideas in the oauth-meta draft – I’m sure there are, just as there are in the approach designed by the participants in Darmstadt.  While I volunteered to write the first draft of the mix-up-mitigation approach, it really reflects something a lot of people have already bought into – as evidenced in the passion in the high-volume “Mix-Up About The Mix-Up Mitigation” thread, and not just my personal project.

If you think there are things missing or wrong in the mix-up-mitigation draft, please say what they are.  That will help us quickly converge on a solution that will work for everyone.

                                                          -- Mike

From: Nat Sakimura []
Sent: Wednesday, January 20, 2016 11:17 PM
To: Mike Jones <>; William Denniss <>; Justin Richer <>
Subject: Re: [OAUTH-WG] Call for Adoption

Hi Mike.

Conversely, I would like to ask why this approach does not work for Mix-up attack. As Nov stated, we in fact have discussed the approach in quite a length back in Yokohama. I really would like to know why it does not work.

Besides, for oauth-meta approach, mix-up attack is only one of the thing it solves.

Nat Sakimura

2016年1月21日(木) 16:02 Mike Jones <<>>:
Not to be negative, but I disagree with adopting draft-sakimura-oauth-meta.  We should define and promote one mitigation approach to the mix-up attacks.  Having two would confuse implementers and cause compatibility problems – reducing overall security.

The approach defined in draft-jones-oauth-mix-up-mitigation was created in collaboration with the security researchers who identified the problems in the first place, was vigorously discussed in the security meeting Hannes and Torsten held in Darmstadt, and has been since refined based on substantial input from the working group.  And at least three implementers have already stated that they’ve implemented it.  I’m not saying that it’s, but if there are things missing or things that need to be improved in our approach, we should do it there, rather introducing a competing approach.

Also, standard OAuth deployments register the client and then use the information gathered at registration time for subsequent protocol interactions.  They do not need all the configuration information for the authorization server to be retransmitted at runtime.  The oauth-meta draft goes too far in that direction, at least as I see it.  Returning things two ways creates its own problems, as discussed in the Duplicate Information Attacks security considerations section (7.2) of the mix-up-mitigation draft.

I’ll note that the mix-up-mitigation approach is compatible with existing practice in both static and dynamic metadata discovery.  Replying to Justin’s comment that “It's the pre-configured discovery document that's at the root of the mix-up attack in the first place” – this is not the case.  The attacks can be performed without either discovery or dynamic registration.

I would be interested in hearing a technical discussion on whether there are aspects of the oauth-meta approach that mitigate aspects of the attacks that the mix-up-mitigation approach does not.  That could help inform whether there are additional things we should add to or change in the mix-up draft.

                                                          -- Mike

From: OAuth [<>] On Behalf Of William Denniss
Sent: Wednesday, January 20, 2016 10:37 PM
To: Justin Richer <<>>
Subject: Re: [OAUTH-WG] Call for Adoption

+1 to adopt this, and I agree with Justin's comments.

On Wed, Jan 20, 2016 at 9:53 PM, Justin Richer <<>> wrote:

Inline discovery and pre-configured discovery (ie, .well-known) should at the very least be compatible and developed together. It's the pre-configured discovery document that's at the root of the mix-up attack in the first place.

 -- Justin

On 1/19/2016 10:30 PM, Nat Sakimura wrote:
Just to give more context, at IETF 94, I have done a presentation on discovery.

According to the minutes,

    (f) Discovery (Nat)

             Nat explains his document as an example of the work that has to be done

             in the area of discovery, which is a topic that has been identified

             as necessary for interoperability since many years but so far there

             was not time to work on it. Mike, John and Nat are working on a new

             document that describes additional discovery-relevant components.

             Poll: 19 for / zero against / 4 persons need more information.

The document discussed there was This is a simple (only 1-page!) but a very powerful document that nudges towards HATEOAS which is at the core of RESTful-ness. It also mitigates the Mix-up attack without introducing the concept of issuer which is not in RFC6749. It is also good for selecting different endpoints depending on the user authentication and authorization results and more privacy sensitive than pre-announced Discovery document. It also allows you to find to which protected resource endpoint you can use the access token against.

In the last sentence of the minutes, it talks about "a new document that describes additional discovery-relevant components". This is  It went for the call for adoption. However, it is only a half of the story. I believe that was discussed at IETF 94 and had support there should be adopted as well.

Nat Sakimura

2016年1月20日(水) 12:05 Nat Sakimura <<>>:
Thanks Hannes.

I did not find, which was discussed in Yokohama, and was largely in agreement if my recollection is correct. Why is it not in the call for adoption?

2016年1月19日(火) 20:39 Hannes Tschofenig <<>>:
Hi all,

we have submitted our new charter to the IESG (see and
since some IESG members like to see an updated list of milestones as
well. For this reason, based on a suggestion from Barry, we are also
starting a call for adoption concurrently with the review of the charter
text by the IESG.

We will post separate mails on the individual documents. Your feedback
is important! Please take the time to look at the documents and provide
your feedback.

Hannes & Derek

OAuth mailing list<>


OAuth mailing list<>

OAuth mailing list<>

OAuth mailing list<>