Re: [OAUTH-WG] OAuth Security -- Next Steps
Brian Campbell <bcampbell@pingidentity.com> Wed, 27 July 2016 21:54 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Jul 2016 15:53:35 -0600
Message-ID: <CA+k3eCR_EFdA4Zdiwfm65nq99gVYg8eKrC6x7EB_OG=20y4=WA@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bqwxxmXBPJbpJ_jBYtekrV1-mlk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Security -- Next Steps
Agree. The BCP would be larger in scope than just mix-up. And given that approach, I don't know if it makes sense to have a document specific to mix-up.

On Mon, Jul 25, 2016 at 11:43 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> Sounds about right, but I would imagine that the BCP would cover any issue
> that arises, not just mix-up.
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, July 25, 2016 3:59 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] OAuth Security -- Next Steps
>
> Hi all,
>
> We had two working group sessions at the Berlin IETF meeting and I am
> happy about the progress on many of the subjects. We managed to progress
> token exchange, native apps, AMR, and authorization server meta-data. We
> also identified new use cases to explore with the device flow document.
>
> We also did a call for adoption of the OAuth token binding functionality,
> which still needs to be confirmed on the mailing list.
> (Further emails will follow.)
>
> There are, however, aspects I am not happy with. I was hoping to make some
> progress on the mix-up mitigation and on the wider range of security
> documents.
>
> Here is how I see the story after talking to some meeting participants.
>
> 1) It seems that the solution approach to deal with the mix-up attack
> (only mix-up) described in draft-ietf-oauth-mix-up-mitigation-01 needs to
> be modified to reflect the preference of the working group. My impression
> (from speaking with participants at the meeting last week privately) is
> that there is interest in a solution that does not require protocol
> changes but rather relies on configuration. This may include a
> combination of exact redirect_URI matching + per-AS redirect_URI + session
> state checking. There are also other attacks described in
> draft-ietf-oauth-mix-up-mitigation-01, which need to be moved elsewhere to
> avoid confusion.
>
> 2) We need a new document, ideally a BCP, that serves as a high-level
> write-up describing various security issues with OAuth that points to the
> mostly existing documents for those who want to read the background
> information. Torsten has posted a mail to the list providing one possible
> outline of such a document.
>
> How does this sound?
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
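Added example, not part of this thread and not code from draft-ietf-oauth-mix-up-mitigation-01: a small Python sketch of the configuration-only mitigation Hannes describes (exact redirect_uri matching, a distinct redirect_uri per AS, and session state bound to the AS the flow was started with). It shows why the three pieces have to be combined: the client only notices that a response came from a different AS because the honest AS can only redirect to the URI registered for it, which is not the URI bound to the pending state. Issuer names, redirect URIs, client_id and code values are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example configuration: the client registers a distinct
# redirect_uri at each authorization server (AS) it talks to.
HONEST_AS = "https://as-honest.example"
OTHER_AS = "https://as-other.example"
AS_CONFIG = {
    HONEST_AS: {
        "authorization_endpoint": HONEST_AS + "/authorize",
        "redirect_uri": "https://client.example/cb/as-honest",
    },
    OTHER_AS: {
        "authorization_endpoint": OTHER_AS + "/authorize",
        "redirect_uri": "https://client.example/cb/as-other",
    },
}
CLIENT_ID = "example-client"  # constructed value


@dataclass
class ClientSession:
    """Per-user-agent session: remembers which AS each pending state was issued for."""
    pending: dict = field(default_factory=dict)

    def start_authorization(self, issuer):
        """Build the authorization request and bind a fresh state to the chosen AS."""
        cfg = AS_CONFIG[issuer]
        state = secrets.token_urlsafe(32)
        self.pending[state] = issuer
        query = urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": cfg["redirect_uri"],
            "state": state,
        })
        return f"{cfg['authorization_endpoint']}?{query}", state

    def handle_redirect(self, request_url):
        """Validate an authorization response. Returns (issuer, code) to use for
        the token request, or raises ValueError if the response must be dropped."""
        parts = urlsplit(request_url)
        received_uri = f"{parts.scheme}://{parts.netloc}{parts.path}"
        params = parse_qs(parts.query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if state is None or code is None:
            raise ValueError("missing state or code")
        # Session state check: state must belong to a pending transaction and
        # is consumed on first use, so it cannot be replayed.
        issuer = self.pending.pop(state, None)
        if issuer is None:
            raise ValueError("unknown or already used state")
        # Per-AS redirect_uri + exact matching: the response must arrive at
        # exactly the URI registered for the AS this transaction was started with.
        expected_uri = AS_CONFIG[issuer]["redirect_uri"]
        if received_uri != expected_uri:
            raise ValueError("redirect_uri mismatch: response arrived at the URI of a different AS")
        return issuer, code


def run_normal_flow():
    """Honest flow: started at HONEST_AS, response arrives at HONEST_AS's redirect_uri."""
    session = ClientSession()
    _, state = session.start_authorization(HONEST_AS)
    callback = AS_CONFIG[HONEST_AS]["redirect_uri"] + "?" + urlencode(
        {"code": "code-1", "state": state})
    return session.handle_redirect(callback)


def run_mix_up_flow():
    """Mix-up scenario from the draft: the transaction was started with OTHER_AS,
    but the browser ends up authorizing at HONEST_AS, which sends the code to
    the only redirect_uri it knows for this client, the one registered for it."""
    session = ClientSession()
    _, state = session.start_authorization(OTHER_AS)
    callback = AS_CONFIG[HONEST_AS]["redirect_uri"] + "?" + urlencode(
        {"code": "code-2", "state": state})
    try:
        session.handle_redirect(callback)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("normal flow:", run_normal_flow())
    print("mix-up flow:", run_mix_up_flow())
```

If both ASes shared a single redirect_uri, `received_uri` would equal `expected_uri` in the mix-up case as well and the state check alone would pass, which is why the per-AS redirect_uri is the piece that lets purely local configuration detect the mixed-up response.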