IETF Logo Mail Archive

Re: [OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 20 November 2015 16:37 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8C3A1B3879 for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 08:37:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeCd3Ge807Ca for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 08:37:10 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3214E1B3865 for <oauth@ietf.org>; Fri, 20 Nov 2015 08:36:52 -0800 (PST)
Received: by wmww144 with SMTP id w144so28131086wmw.0 for <oauth@ietf.org>; Fri, 20 Nov 2015 08:36:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=dkYcSnMl/UrM4hBJXa8gRP8qTMRI0rpqD601GhGkudM=; b=MAB6NCQoIbum0pR8IIRVo1jeysUjswm17YE6tQVJTPRoXZ4Lj2oKFWd324/EU16vZx iQNHXCf4xGKkF8ydtPPqz+5UKCUWBTUhRpPhZqZPXPLu3g63XfEgX/ND1xK+mZLCjDEz wU3fjMxCd4H8MYt5g+0bp8kZ74GrVdZn1l/+ymoUSZr7tqBOAERHJOCSffG70Vc0PtCV 0CM8gnW9sf4G3lBqnIjSCn+Gz4yJrKD3B01FAk0wOe1h1rmiFryenlth3tx4NBbLB6OI Hb/xWrHGNPPz1FuVJ5HNEA+e6cIyS2mj0f9nafDsC5hzqtFZcEAFYIo1Gr36sHYFxDoU m/FQ==
MIME-Version: 1.0
X-Received: by 10.194.179.162 with SMTP id dh2mr15628580wjc.17.1448037410677; Fri, 20 Nov 2015 08:36:50 -0800 (PST)
Received: by 10.28.52.130 with HTTP; Fri, 20 Nov 2015 08:36:50 -0800 (PST)
In-Reply-To: <7028747C-88DD-43BD-B0A4-FDEB7662A208@oracle.com>
References: <CAHbuEH5nRQcKQMh8LDGdfBQ=Z4AWeKJxxCGV7V-gh_dSuSpb7w@mail.gmail.com> <7028747C-88DD-43BD-B0A4-FDEB7662A208@oracle.com>
Date: Fri, 20 Nov 2015 11:36:50 -0500
Message-ID: <CAHbuEH5X7kkQK=bhx8tHy7EBtYyfJfd-_ZSO=xY3iZ0MYOaquQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/by35741nFKJ5tIZEOc4N4q6YQug>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 16:37:12 -0000

Hi Phil,

Thanks for your response on these questions, a few more comments
in-line and we should be able to wrap this up and move it to the next
phase quickly.

On Wed, Nov 18, 2015 at 4:03 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> Comments inline.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>> On Nov 16, 2015, at 12:37 PM, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>
>> Hello,
>>
>> I reviewed draft-ietf-oauth-pop-architecture and have a few questions.
>>
>> 1. Section 6, Threat Mitigation:
>>
>> Last sentence of first paragraph, "To
>>   simplify the subsequent description we assume that the token itself
>>   is digitally signed by the authorization server and therefore cannot
>>   be modified."
>>
>> Since bearer tokens are not signed by default, is this proposing a
>> change?  If so, where will that change occur?  To state that "it is
>> assumed" without it being required anywhere is not a good assumption.
>> I'd still see this as a risk or security consideration.  When OAuth is
>> re-used by other protocols, I am seeing that re-use leave off basic
>> protections that should be assumed like TLS, let alone digital
>> signatures.  If this is required in the defined architecture (Section
>> 7 - it does show this, but there are no MUSTs that I can find), just
>> state that and refer to the requirement.
>
> [PH] I think the change is the point of the POP specifications. We are talking about a new class of tokens that are specifically not Bearer tokens thus the threat mitigation states that POP tokens are assumed to be digitally signed.

Sure, but that is not spelled out in the requirements section and
should be.  I think the issue may be that the requirements section
just says that the requirements are from RFC4962 and put into OAuth
terms.  There isn't any text or list that says the following
requirements are added for this architecture and I would expect to see
that.  Can you add that so you will be able to make such assumptions
with this architecture going forward and subsequent draft authors
would have clear guidance?

>
> Was that not clear from the introduction?

There should be something in the requirements section.  The phrasing
of this particular sentence could be changed as follows (in addition
to adding a requirement):

    "To
     simplify the subsequent description we assume in the POP
architecture that the token itself
     is digitally signed by the authorization server and therefore cannot
     be modified."

Or something like:
    "To
     simplify the subsequent description we assume in this
architecture that the token itself
     is digitally signed by the authorization server and therefore cannot
     be modified."

The second choice is added only because you don't seem to use the term
POP architecture in the draft, but it would be good to make it clear
that this draft adds this assumption, it is something new.


>>
>> 2. Section 6, Threat Mitigation
>>
>> Third paragraph, "As an example, TLS with a ciphersuite
>>   that offers confidentiality protection has to be applied (which is
>>   currently true for all ciphersuites, except for one).
>>
>> Please list a reference so the reader knows which ciphersuites are
>> acceptable from the recommended ones in RFC7525.  I don't recall there
>> being any MTI ciphersuites for OAuth (I'm pretty sure there aren't and
>> that we've discussed that already with previous drafts, so this should
>> be spelled out more).
> [PH] I think this can be simplified a bit. I think this was referring to a “NULL” ciphersuite which is what 7525 says should not be done.  We should also point to 7525.

That would take care of it and would be a minor and clear change.  Thank you!

>>
>> 3. (Nit) Section 6.2, add a comma to improve readability
>> From: "Instead of providing confidentiality protection the authorization
>>   server could also put the identifier of the client into the protected
>>   token with the following semantic:"
>> To: "Instead of providing confidentiality protection, the authorization
>>   server could also put the identifier of the client into the protected
>>   token with the following semantic:”
>>
> [PH] Will add to the next draft pending your comments on the above items.

Thank you!
Kathleen

>
>> Thank you all for your work on this draft!
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email