Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Richard Barnes <rlb@ipv.sx> Fri, 17 October 2014 00:04 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2C9C1A87E0 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 17:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ejA7EDKJvWx for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 17:03:58 -0700 (PDT)
Received: from mail-vc0-f171.google.com (mail-vc0-f171.google.com [209.85.220.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DA561A7D83 for <oauth@ietf.org>; Thu, 16 Oct 2014 17:03:58 -0700 (PDT)
Received: by mail-vc0-f171.google.com with SMTP id hy10so3575673vcb.30 for <oauth@ietf.org>; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=doZq152jcDCKwBdX12651DShbUaGQis2KH1yzpZ96fg=; b=UywfN2S9pfzPNoFz8unjoyci1phGXKOavFFIwXYfGoNzZlD4gA1uAClpv3y2to6e2I MJqMJYYRVSgEh8KgXPizkWfbMIu++edU3SrQvMluCtGcswORNwDuYnnn3fHzVgwiS97b qh7jDnIc87vbHi9BjJpIBUr5RJa9ELKK5WT5E1yNInxqOoUr3Cy64fjevuhJ8RmxEIwQ 03Eu/EwGcDfRksDvpwMNq+0B+jUG4pc2Mh/1Xcnt221ylzTKneKMlX1ZBup1w55Ktzy8 lGvrMVPmgHbr1cFo3Nvm2DYzee0/DQfpgJutHYJUQ7JSTRReynaxIsm0pbuGC1bRmTe6 O5vg==
X-Gm-Message-State: ALoCoQl436nl6Fdro+BYDtScEcGAcm41093nQa5wa+MAkrUrbgH4om8ywmp7jtDsavzt7ugjZQG2
MIME-Version: 1.0
X-Received: by 10.220.76.71 with SMTP id b7mr18443vck.55.1413504237495; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
Received: by 10.31.149.205 with HTTP; Thu, 16 Oct 2014 17:03:57 -0700 (PDT)
In-Reply-To: <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com>
Date: Thu, 16 Oct 2014 17:03:57 -0700
Message-ID: <CAL02cgSk8xGLRb2cEDRqWtWmACfUC0erukPJN9x=JLM8E0fLPw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a11c21538f701bf05059319b7"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/afzxXu6BXa-gnCErMbn075CHFnw
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 00:04:02 -0000
On Thu, Oct 16, 2014 at 3:20 PM, Richard Barnes <rlb@ipv.sx> wrote: > You guys are all arguing that having an Audience can be useful. I don't > disagree. I disagree that it should be REQUIRED in all cases. > > The Google vulnerability that Brian raised was an interesting read, but as > John points out, it only applies to Bearer Assertions. There's no security > requirement at all for holder-of-key assertions to have an audience, since > they can't be replayed by someone who doesn't hold the key. > > I could agree that an audience should be REQUIRED for bearer assertions. > Since they are vulnerable to replay, Audience protects against the > Authorization Server re-using the token. (It would be good to say this > explicitly in the doc, actually.) But for holder-of-key assertions, the > Audience should be OPTIONAL. Note that this requires that instance > documents define the difference between bearer assertions and holder-of-key > assertions, so that implementations can enforce these requirements. > > So it seems like there are two solutions here: > 1. Scope the document to bearer assertions only, and keep the MUST > 2. Keep the current scope, make Audience OPTIONAL for holder-of-key > assertions, and define the difference in the instance docs. > I'll also offer a third resolution: 3. Show me that the WG discussed this question and made the decision to forbid holder-of-key assertions without an Audience parameter. --Richard > --Richard > > > > > > > On Thu, Oct 16, 2014 at 9:57 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > >> It is also important for a non-protocol purpose. Liability. >> >> If a 3rd party uses an assertion that was not intended for it, it cannot >> obviously hold the asserting party responsible. >> >> Phil >> >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> >> >> >> On Oct 16, 2014, at 8:43 AM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> Thanks for your review and feedback, Richard. Replies are inline below... >> >> On Wed, Oct 15, 2014 at 9:47 PM, Richard Barnes <rlb@ipv.sx> wrote: >> >>> Richard Barnes has entered the following ballot position for >>> draft-ietf-oauth-assertions-17: Discuss >>> >>> When responding, please keep the subject line intact and reply to all >>> email addresses included in the To and CC lines. (Feel free to cut this >>> introductory paragraph, however.) >>> >>> >>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html >>> for more information about IESG DISCUSS and COMMENT positions. >>> >>> >>> The document, along with other ballot positions, can be found here: >>> http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ >>> >>> >>> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> "The assertion MUST contain an Audience that identifies the Authorization >>> Server as the intended audience. Assertions that do not identify the >>> Authorization Server as an intended audience MUST be rejected." >>> >>> Could you please identify the threat model within which this "MUST" is >>> required? This requirement doesn't follow from any of the threats >>> elaborated in Section 8. >>> >>> The Audience is only necessary if the Issuer wishes to constrain the set >>> of Authorization Servers with which an assertion may be used. So ISTM >>> that this should be "MAY contain..." >>> >>> >> >> The audience restriction let's the issuer say specifically what relying >> party is allowed to consume the assertion, which ensures that the client >> can't use it somewhere else that it wasn't intended and that the relying >> party that receives the assertion can't turn around and use it to access >> some other service. >> >> Strictly speaking, you are right that the audience is only necessary if >> the Issuer wishes to constrain the set of Authorization Servers with which >> an assertion may be used. But the Issuer really really really should make >> that constraint and fully understanding the implications of not doing so is >> difficult and unlikely. >> >> There was a vulnerability in Google apps SAML a few years back that >> demonstrates how important audience restriction is and how it can be >> difficult for even very sophisticated providers to get it all right. I >> haven't had time to read it again to make sure but I think that this is the >> paper http://www.ai-lab.it/armando/pub/fmse9-armando.pdf >> >> I don't see what value allowing audience to be omitted brings other than >> that it is academically a possibility. But requiring it (hopefully, if the >> requirement is followed) helps reduce the possibility of a whole bunch of >> security problems that folks likely won't foresee. >> >> >> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> "keyed message digest" -> "Message Authentication Code" >>> >>> That's the proper terminology [RFC4949], especially since there are MACs >>> that are not based on digests. >>> >> >> OK >> >> >>> >>> "This mechanism provides additional security properties." -- Please >>> delete this or elaborate on what security properties it provides. >>> >> >> Will delete. >> >> >>> >>> Section 8.2 should note that "Holder-of-Key Assertions" are also a >>> mitigation for this risk. >>> >>> >> OK >> >> >> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >
- [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Pete Resnick
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Phil Hunt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Kathleen Moriarty
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Brian Campbell
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… John Bradley
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Mike Jones