Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwsreq-11.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard

Nat Sakimura <sakimura@gmail.com> Mon, 06 February 2017 14:08 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29BAF129D9E; Mon, 6 Feb 2017 06:08:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGFlx4iSpGID; Mon, 6 Feb 2017 06:08:51 -0800 (PST)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92370129D9B; Mon, 6 Feb 2017 06:08:47 -0800 (PST)
Received: by mail-wm0-x241.google.com with SMTP id u63so22148660wmu.2; Mon, 06 Feb 2017 06:08:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=A4rhqcW25zvyCoENP7OoIdv6Zho/7dwIh2/yN0yP9BY=; b=q4AA87o5KvhbPCo8DNGGh35B0t7pl5B1SxCZafGGlsoSIGuequFnZXlPLjgi0IyCuz JXwZCeTs2b2FvI8C45ouwsOIBWDJWoQE6CD1TGE6pbCTmZDVeyMoSdkiFDBDik2cxOZu VZrYtjSfB0KBnQ+P44Uyv69vQcqn40ZKgc7GfD6R25A4FxdVM/kBZOqCOyfdUbICM7xV TY9ij9MaFVP4V5JbOsH92EMZv/BsVhd2zOMwxlubz1TNxq3swoKPfwe+30XYQqMk9/dk kz9ctqdWokjuCRkk8FRetjBpU2Lefcn+gmEN+T6NIodCA/UEYQx7bkWRKsmAwhFQgtyr Sp1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=A4rhqcW25zvyCoENP7OoIdv6Zho/7dwIh2/yN0yP9BY=; b=nFdbVyrJpt8rZvUcesUa70gniScSQ0jrQgvl0WgZpxmUSJ/NHvTGM8JeY/gMuLmXlx eEOfTVdOYW6ZhYFxNMmlJhmdi1c9FMjfqD80/locfoncuYpT2mIr1j9jDOLvx0mxdUl7 IA89x6pg7KLF95k4ql5ljHkyMCIhw5nNUcpP33iagsOWrReJydu8RahJ2Si6rJCrZmJD da3K9h3phKzQfgBymw1hmrJ4UUpyiimavI9YNBFr1Nt5oTLo/2xWPzUObc6buNd7y/ft THJ+kIsEwLcLTxNMPLwZHSs/q04/slXYT2RgevS7Q0pxIb0e75s4x3M7lYRtW7K7Wbr5 HhVA==
X-Gm-Message-State: AMke39mzS1mywk73Y8lVg7I6TGXxeOPlc5V1fx/MVFI+0TjEU0CwjNtRhg7z2pS5gPFc4wXbzLQH5UUvPr2Zaw==
X-Received: by 10.28.38.2 with SMTP id m2mr8390283wmm.44.1486390125875; Mon, 06 Feb 2017 06:08:45 -0800 (PST)
MIME-Version: 1.0
References: <148581788158.29828.4591033587037530374.idtracker@ietfa.amsl.com> <3a6b8cee-ff29-323e-9042-5df6e71a8d81@free.fr>
In-Reply-To: <3a6b8cee-ff29-323e-9042-5df6e71a8d81@free.fr>
From: Nat Sakimura <sakimura@gmail.com>
Date: Mon, 06 Feb 2017 14:08:34 +0000
Message-ID: <CABzCy2DuPPoBn-3gwjsKpBhR=mqbh08Mn0ST1zBc2vpyMULQPA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>, ietf@ietf.org, IETF-Announce <ietf-announce@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c03fb967359de0547dd2b76
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/beBW2YhFh-YbVgBHXjMpW8nfIaI>
Cc: draft-ietf-oauth-jwsreq@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwsreq-11.txt> (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 14:08:54 -0000

Thanks Denis. Here is my proposed disposition on your comments.

On Fri, Feb 3, 2017 at 8:11 PM Denis <denis.ietf@free.fr>; wrote:

> *Comments on I-D Action: draft-ietf-oauth-jwsreq-11.txt*
>
>
>
> Two editorial comments first :
>
>
>
> 1. Guidance is a mass noun, not a count noun, plural doesn't make sense.
> Please change "guidances" into "guidance" twice in Section 11.
>

Accepted.
Thanks.

>
>
> 2. In Section 12 : Please remove my name (Denis Pinkas) from this section.
>

Accepted.

>
>
> Other comments:
>
>
>
> 3. Section 1.1 (from boiler plate) states: The key words "MUST", "MUST
> NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
> "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to
> be interpreted as described in RFC 2119 [RFC2119].
>
> There is not a single other occurrence of the word SHALL within this
> document. In such case, I wonder how this document can be normative.
> There are however many (useful) "non-normative examples. A non-normative
> example does not replace requirements.
>
> Noted.
There are bunch of MUST. At IETF we usually prefer MUST to SHALL, unlike in
ISO.

>
>
> Section 4 states:
>
>
>
> *   A Request Object (Section 2.1) is used to provide authorization*
>
> *   request parameters for an OAuth 2.0 authorization request.  It*
>
> *   contains OAuth 2.0 [RFC6749] authorization request parameters*
>
> *   including extension parameters**.  *
>
>
>
> RFC 6749 contains 75 pages, but does not contain a single occurrence of
> the wording "authorization request parameter" nor of "extension parameter".
> There should be either references to one or more specific sections of this
> document or, even better, a list of the mandatory/recommended/possible
> authorization request parameters as well as a list of
> mandatory/recommended/possible extension parameters should be included in
> this document.
>
>
> A clear distinction should be made between the parameters used to
> authenticate the request and the other ones.
>

Reject.
There are 4 flows in RFC6749. In each flow, there is a sub-section
dedicated to the Authorization request.
In them, the parameters used in the authorization request are very clearly
indicated. For example,

4.1.1 <https://tools.ietf.org/html/rfc6749#section-4.1.1>;.
Authorization Request

   The client constructs the request URI by adding the following
   parameters to the query component of the authorization endpoint URI ...


It is very difficult to miss.

Then, the possibility for the extension parameters are discussed in 8.2.
Needless to say, those extension parameters are going to be discussed in
other specifications.
Thus, it would be misleading just to say the parameters defined in 4.1.1,
4.2.1, etc.
As an editor, I feel better with the current language because it is at
least not wrong nor misleading.


>
>
> 4. The introduction states on page 4:
>
>
>
>      (a) (integrity protection) The request can be signed so that the
> integrity of the request can be checked ;
>
>
>
> This should be changed into:
>
>
>
>      (a) (integrity protection) The request can be authenticated either
> using a digital signature or using encryption under a secret key
>           so that the integrity of the request can be checked ;
>

Reject.
This paragraph is talking about the integrity protection and not the source
authentication.
And even for source authentication, saying that encryption under a secret
key is not accurate as it was discussed earlier in the WG mail.

I am not sure if "Introduction" needs to state everything that is explained
later. The idea of introduction probably is to give main points. The list
is not an exhaustive list of the benefit of using JWT as the authorization
request format. For example, being able to encrypt the request, which is
not listed there, has an advantage of preventing MITB to eavesdrop the
request. So I think it is ok as is.



>
>
> 5. The introduction states on page 4:
>
>
>
> (d) (collection minimization) The request can be *signed* by a third
> party attesting that the authorization request is compliant to certain
> policy.
>
> The request is not *signed* by a third party.
>
However, later on, there is the following explanation:
>
>
>
>    In addition, it allows requests to be prepared by a third party so
> that a client application cannot request
>    more permissions than previously agreed.
>
>
>
> If it is the intent, the sentence should be rephrased as:
>
>
>
> (d) (collection minimization) The request can be *verified* by a third
> party attesting that the authorization request is compliant to certain
> policy.
>
>
>
Reject
The third party indeed signs the request on behalf of the client as the
result of verification that the permission is the same as previously
agreed.

>
>
> 6. Section 10.1. the text states:
>
>
>
> *   When sending the authorization request object through "request"*
>
> *   parameter, it MUST either be signed using JWS [RFC7515] or encrypted*
>
> *   using JWE [RFC7516] with then considered appropriate algorithm.*
>
>
>
> The wording" with then considered appropriate algorithm" is too vague.
> This should be changed into:
>
>
>
> *   When sending the authorization request object through "request"*
>
> *   parameter, it MUST either be signed using JWS [RFC7515] or encrypted*
>
> *   using JWE [RFC7516] using a symmetric key algorithm.*
>
>
>
Reject.
In the above sentence, "*with then considered appropriate algorithm*"
 applies both on JWS and JWE.
The intent of the phrase is that a vulnerable algorithm should not be used.

Also, I do not understand why the algorithm has to be symmetric key
algorithm.

>
>
> 7. Section 10.2 states:
>
>
>
>    This means that the request object is going to be prepared fresh each
>
>    time an authorization request is made and caching cannot be used.
>
>
>
> What are the implications ? Is it required/recommended to use a nonce ?
> The text should be made clearer.
>
> Reject.
The implication is given right after the sentence. There is no variable
called "nonce" in RFC6749. Since this document is just defining another
encoding method for OAuth 2.0 authorization request as a framework, it does
not mandate these. An extension specification should define those
requirements.

>
>
> 8. Section 10.3 states:
>
>
>
> 10.3.  Request Source Authentication
>
>
>
>    The source of the Authorization Request MUST always be verified.
>
>    There are several ways to do it in this specification.
>
>
>
>    (a)  Verifying the JWS Signature of the Request Object.
>
>
>
> It seems that the case of using a JWE encrypted using a secret key
> algorithm has been forgotten here. Please add it.
>
Accepted with modification.
You mean, symmetric key algorithm, is that right? I would add "or verifying
that the symmetric key for the JWE encryption is a correct one"

>
>
> 9. Section 10.3 states at its very end:
>
>
>
>    An extension specification
>
>    should be created as a preventive measure to address potential
>
>    vulnerabilities that have not yet been identified.
>
>
>
> Writing a document for vulnerabilities that have not yet been identified
> is speculative. It would rather be better
> either to remove this sentence or to explain what is meant by it.
>
Reject.
It is referring to the first paragraph of the sub-section. Also, precaution
when security is in question is a good thing.

> 10. Section 11.1 states:
>
>
>
> *11.1.  Collection limitation*
>
>
>
> *   When the Client is being granted access to a protected resource*
>
> *   containing personal data, the Client SHOULD limit the collection of*
>
> *   personal data to that which is within the bounds of applicable law*
>
> *   and strictly necessary for the specified purpose(s).*
>
>
>
> The *presentation* of personal data should be limited whether or not the
> protected resource contains personal data.
>

> It is proposed to change this text into:
>
>
>
> *   When the Client requests an access to a protected resource, the Client*
>
> *   SHOULD limit the presentation of personal data to that which is within
> *
>
> *   the bounds of applicable law and strictly necessary for the specified *
>
> *   purpose(s).*
>
Reject.
You are not getting what OAuth does. The party that holds personal data is
the authorization server / resource.
It is not the client. The client is the party who is getting those
"resources" which may contain personal data.
Yes, the client can provide some personal data to the resource depending on
what that resource endpoint is, but that is out of scope for OAuth.
As far as OAuth is concerned, what is being sent from the client to the
resource is the access token.

>
>
> 11. Section 11.2.1 states:
>
>
>
> 11.2.1.  Request Disclosure
>
>
>
>    This specification allows extension parameters.
>
>
>
> It would be useful to name either all of them or some of them. RFC 6749 is
> not crystal clear about this.
>
Noted.
RFC6749 only defines how to define extension parameters.
This specification draws from OpenID Connect for some examples of extension
parameters such as nonce.
See section 4 for example.

>
>
>
> Denis Pinkas (DP Security Consulting SAS)
>
>
> ==============================================================
>
>
>
> The IESG has received a request from the Web Authorization Protocol WG
> (oauth) to consider the following document:
> - 'The OAuth 2.0 Authorization Framework: JWT Secured Authorization
>    Request (JAR)'
>   <draft-ietf-oauth-jwsreq-11.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to theietf@ietf.org mailing lists by 2017-02-13. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>
>    The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>    query parameter serialization, which means that Authorization Request
>    parameters are encoded in the URI of the request and sent through
>    user agents such as web browsers.  While it is easy to implement, it
>    means that (a) the communication through the user agents are not
>    integrity protected and thus the parameters can be tainted, and (b)
>    the source of the communication is not authenticated.  Because of
>    these weaknesses, several attacks to the protocol have now been put
>    forward.
>
>    This document introduces the ability to send request parameters in a
>    JSON Web Token (JWT) instead, which allows the request to be JWS
>    signed and/or JWE encrypted so that the integrity, source
>    authentication and confidentiality property of the Authorization
>    Request is attained.  The request can be sent by value or by
>    reference.
>
>
>
>
> The file can be obtained viahttps://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>
> IESG discussion can be tracked viahttps://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ballot/
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
> The document contains these normative downward references.
> See RFC 3967 for additional information:
>     rfc6234: US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF) (Informational - IETF stream)
>     rfc6819: OAuth 2.0 Threat Model and Security Considerations (Informational - IETF stream)
>     rfc6973: Privacy Considerations for Internet Protocols (Informational - IAB stream)
> Note that some of these references may already be listed in the acceptable Downref Registry.
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation