Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-15.txt

Jared L Jennings <jaredljennings@gmail.com> Sat, 16 May 2020 03:48 UTC

To: Janak Amarasena <janakama360@gmail.com>, Denis <denis.ietf@free.fr>
Cc: oauth <oauth@ietf.org>, Vittorio Bertocci <vittorio.bertocci@auth0.com>
References: <158608868945.18323.557347538112056951@ietfa.amsl.com> <51f42eb9-9f6a-6fb1-e01e-2bba7688bcb9@free.fr> <a36b5a22-533a-6320-055b-d3f5af8f79cb@danielfett.de> <cb1a1af0-947d-3d6f-a280-c7579ad2494a@free.fr> <18e38735-ae9f-c41b-0cda-b2818a1038dc@danielfett.de> <7c27543f-6d14-2a5c-8a00-8b7d5baf17b1@free.fr> <CAM7dPt3B-BAzpvtZT9qsL8p1M9h9wmrdfK5pbhL4eOVBWym+Jg@mail.gmail.com>
From: Jared L Jennings <jaredljennings@gmail.com>
Message-ID: <6a8f47c9-6a38-b14c-ba0f-a3d70033db17@gmail.com>
Date: Fri, 15 May 2020 22:48:05 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <CAM7dPt3B-BAzpvtZT9qsL8p1M9h9wmrdfK5pbhL4eOVBWym+Jg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------4FB95D0ABD1107BBC032B73E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/c9DSS_5sF4xrl0WLlw1RfKZ3WHY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-15.txt

To add to that, should it include the words "case sensitive" (if that is
what is meant by exact)? Although URLs are not case sensitive in all
cases (IIS vs. Tomcat), which makes me think that specifying the case
sensitivity is wise.

On 5/13/20 00:50, Janak Amarasena wrote:
> Hi All,
>
> In section *4.1.3. Countermeasures 
> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.1.3>* 
> related to *4.1.  Insufficient Redirect URI Validation* it states
>
>     The complexity of implementing and managing pattern matching
>     correctly obviously causes security issues.  This document therefore
>     advises to simplify the required logic and configuration by using
>     exact redirect URI matching only.  This means the authorization
>     server MUST compare the two URIs using simple string comparison as
>     defined in [RFC3986], Section 6.2.1 <https://tools.ietf.org/html/rfc3986#section-6.2.1>.
> Does this mean that the authorisation server MUST NOT use pattern 
> matching at all and MUST do simple string comparison for redirect URI?
> If that is the case can we change the wording a bit in this section as 
> having "...therefore *advises* to simplify the required logic..." 
> gives the impression that the AS has the choice to decide whether or 
> not to use pattern matching. And then when we have "...authorization 
> server *MUST* compare the two URIs using simple string..." give the 
> impression that the AS should absolutely not (MUST NOT) use pattern 
> matching.

-- 
-----
Jared L Jennings
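The distinction the thread is circling, exact redirect URI matching by simple string comparison versus any more lenient comparison, is easy to see in code. The following is an added example, not code from the draft, from any authorization server, or from either poster. The client id, registered URI and request variants are constructed samples. `exact_match` implements simple string comparison in the sense of RFC 3986 section 6.2.1 (character-for-character equality, which is therefore case sensitive throughout, even in the host, where RFC 3986 would otherwise permit case-insensitive treatment); `lax_match` is a case-insensitive comparison included only to show which requests it would let through that the exact rule rejects.

```python
"""Exact redirect URI matching, as advised by draft-ietf-oauth-security-topics
section 4.1.3, contrasted with a case-insensitive comparison.
Added example with constructed sample data; not code from the draft or from
any authorization server implementation."""

# Constructed registration for one hypothetical client (not a real client id).
REGISTERED_REDIRECT_URIS = {
    "client-123": ["https://client.example.com/cb"],
}


def exact_match(registered: str, requested: str) -> bool:
    """Simple string comparison (RFC 3986, section 6.2.1): the URIs are equal
    only when they are identical character for character. No normalization,
    no case folding, no prefix or wildcard logic."""
    return registered == requested


def lax_match(registered: str, requested: str) -> bool:
    """Case-insensitive comparison. Stands in for the kind of lenient matching
    the draft advises against; present only to make the difference visible."""
    return registered.lower() == requested.lower()


def validate_redirect_uri(client_id: str, requested: str, matcher=exact_match) -> bool:
    """True only if `requested` matches one of the client's registered URIs
    under `matcher`. An unknown client id has no registered URIs and fails."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    return any(matcher(r, requested) for r in registered)


# Constructed requests: the first is the registered URI verbatim; the others
# differ only in letter case or a trailing slash.
SAMPLE_REQUESTS = [
    "https://client.example.com/cb",
    "https://client.example.com/CB",
    "https://CLIENT.example.com/cb",
    "https://client.example.com/cb/",
]


def evaluate(matcher=exact_match) -> dict:
    """Map each sample request to the accept/reject decision under `matcher`."""
    return {uri: validate_redirect_uri("client-123", uri, matcher) for uri in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, matcher in (("exact (RFC 3986 6.2.1)", exact_match), ("lax (case-insensitive)", lax_match)):
        print(name)
        for uri, accepted in evaluate(matcher).items():
            print(f"  {'accept' if accepted else 'reject'}  {uri}")
```

Under `exact_match` only the verbatim registration is accepted; the two case variants and the trailing-slash variant are all rejected, which is the behaviour the draft's MUST requires. Under `lax_match` both case variants are accepted, so an authorization server that chose that comparison would be relying on its own judgement of which differences are harmless, which is exactly the judgement the draft is trying to remove from the AS.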