IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Fri, 17 October 2014 00:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2C9C1A87E0 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 17:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ejA7EDKJvWx for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 17:03:58 -0700 (PDT)
Received: from mail-vc0-f171.google.com (mail-vc0-f171.google.com [209.85.220.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DA561A7D83 for <oauth@ietf.org>; Thu, 16 Oct 2014 17:03:58 -0700 (PDT)
Received: by mail-vc0-f171.google.com with SMTP id hy10so3575673vcb.30 for <oauth@ietf.org>; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=doZq152jcDCKwBdX12651DShbUaGQis2KH1yzpZ96fg=; b=UywfN2S9pfzPNoFz8unjoyci1phGXKOavFFIwXYfGoNzZlD4gA1uAClpv3y2to6e2I MJqMJYYRVSgEh8KgXPizkWfbMIu++edU3SrQvMluCtGcswORNwDuYnnn3fHzVgwiS97b qh7jDnIc87vbHi9BjJpIBUr5RJa9ELKK5WT5E1yNInxqOoUr3Cy64fjevuhJ8RmxEIwQ 03Eu/EwGcDfRksDvpwMNq+0B+jUG4pc2Mh/1Xcnt221ylzTKneKMlX1ZBup1w55Ktzy8 lGvrMVPmgHbr1cFo3Nvm2DYzee0/DQfpgJutHYJUQ7JSTRReynaxIsm0pbuGC1bRmTe6 O5vg==
X-Gm-Message-State: ALoCoQl436nl6Fdro+BYDtScEcGAcm41093nQa5wa+MAkrUrbgH4om8ywmp7jtDsavzt7ugjZQG2
MIME-Version: 1.0
X-Received: by 10.220.76.71 with SMTP id b7mr18443vck.55.1413504237495; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
Received: by 10.31.149.205 with HTTP; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
In-Reply-To: <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com>
Date: Thu, 16 Oct 2014 17:03:57 -0700
Message-ID: <CAL02cgSk8xGLRb2cEDRqWtWmACfUC0erukPJN9x=JLM8E0fLPw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a11c21538f701bf05059319b7"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/afzxXu6BXa-gnCErMbn075CHFnw
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 00:04:02 -0000

On Thu, Oct 16, 2014 at 3:20 PM, Richard Barnes <rlb@ipv.sx> wrote:

> You guys are all arguing that having an Audience can be useful.  I don't
> disagree.  I disagree that it should be REQUIRED in all cases.
>
> The Google vulnerability that Brian raised was an interesting read, but as
> John points out, it only applies to Bearer Assertions.  There's no security
> requirement at all for holder-of-key assertions to have an audience, since
> they can't be replayed by someone who doesn't hold the key.
>
> I could agree that an audience should be REQUIRED for bearer assertions.
> Since they are vulnerable to replay, Audience protects against the
> Authorization Server re-using the token.  (It would be good to say this
> explicitly in the doc, actually.)  But for holder-of-key assertions, the
> Audience should be OPTIONAL.  Note that this requires that instance
> documents define the difference between bearer assertions and holder-of-key
> assertions, so that implementations can enforce these requirements.
>
> So it seems like there are two solutions here:
> 1. Scope the document to bearer assertions only, and keep the MUST
> 2. Keep the current scope, make Audience OPTIONAL for holder-of-key
> assertions, and define the difference in the instance docs.
>

I'll also offer a third resolution:
3. Show me that the WG discussed this question and made the decision to
forbid holder-of-key assertions without an Audience parameter.

--Richard




> --Richard
>
>
>
>
>
>
> On Thu, Oct 16, 2014 at 9:57 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> It is also important for a non-protocol purpose. Liability.
>>
>> If a 3rd party uses an assertion that was not intended for it, it cannot
>> obviously hold the asserting party responsible.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>>
>> On Oct 16, 2014, at 8:43 AM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> Thanks for your review and feedback, Richard. Replies are inline below...
>>
>> On Wed, Oct 15, 2014 at 9:47 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>>> Richard Barnes has entered the following ballot position for
>>> draft-ietf-oauth-assertions-17: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> "The assertion MUST contain an Audience that identifies the Authorization
>>> Server as the intended audience.  Assertions that do not identify the
>>> Authorization Server as an intended audience MUST be rejected."
>>>
>>> Could you please identify the threat model within which this "MUST" is
>>> required?  This requirement doesn't follow from any of the threats
>>> elaborated in Section 8.
>>>
>>> The Audience is only necessary if the Issuer wishes to constrain the set
>>> of Authorization Servers with which an assertion may be used.  So ISTM
>>> that this should be "MAY contain..."
>>>
>>>
>>
>> The audience restriction let's the issuer say specifically what relying
>> party is allowed to consume the assertion, which ensures that the client
>> can't use it somewhere else that it wasn't intended and that the relying
>> party that receives the assertion can't turn around and use it to access
>> some other service.
>>
>> Strictly speaking, you are right that the audience is only necessary if
>> the Issuer wishes to constrain the set of Authorization Servers with which
>> an assertion may be used. But the Issuer really really really should make
>> that constraint and fully understanding the implications of not doing so is
>> difficult and unlikely.
>>
>> There was a vulnerability in Google apps SAML a few years back that
>> demonstrates how important audience restriction is and how it can be
>> difficult for even very sophisticated providers to get it all right. I
>> haven't had time to read it again to make sure but I think that this is the
>> paper http://www.ai-lab.it/armando/pub/fmse9-armando.pdf
>>
>> I don't see what value allowing audience to be omitted brings other than
>> that it is academically a possibility. But requiring it (hopefully, if the
>> requirement is followed) helps reduce the possibility of a whole bunch of
>> security problems that folks likely won't foresee.
>>
>>
>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> "keyed message digest" -> "Message Authentication Code"
>>>
>>> That's the proper terminology [RFC4949], especially since there are MACs
>>> that are not based on digests.
>>>
>>
>> OK
>>
>>
>>>
>>> "This mechanism provides additional security properties." -- Please
>>> delete this or elaborate on what security properties it provides.
>>>
>>
>> Will delete.
>>
>>
>>>
>>> Section 8.2 should note that "Holder-of-Key Assertions" are also a
>>> mitigation for this risk.
>>>
>>>
>> OK
>>
>>
>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email