IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-02.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 10 November 2013 08:58 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134AA11E8143 for <oauth@ietfa.amsl.com>; Sun, 10 Nov 2013 00:58:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.015
X-Spam-Level:
X-Spam-Status: No, score=-2.015 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95qcJ4DipPym for <oauth@ietfa.amsl.com>; Sun, 10 Nov 2013 00:58:06 -0800 (PST)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.94]) by ietfa.amsl.com (Postfix) with ESMTP id 1B63A21F9DC9 for <oauth@ietf.org>; Sun, 10 Nov 2013 00:58:05 -0800 (PST)
Received: from [79.253.35.208] (helo=android-7beef8dd1ccd7199.fritz.box) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VfQqJ-0002kn-AJ; Sun, 10 Nov 2013 09:58:03 +0100
User-Agent: K-9 Mail for Android
In-Reply-To: <BA036ED4-4918-4897-80EA-85CD313C3556@ve7jtb.com>
References: <20131019101348.9565.3370.idtracker@ietfa.amsl.com> <CABzCy2Ai6W3XRLzXTGQB8vS40V6QTsoa6Q+7uq4zMftgnZkc7g@mail.gmail.com> <527E376C.2010205@lodderstedt.net> <001C64DB-2DD0-4740-8C9A-B7A0445F68CD@ve7jtb.com> <fcf385e3-9ab3-4f9e-8b5e-e729d0218699@email.android.com> <78E2CDE2-D49B-423E-AF13-097660FFB03F@ve7jtb.com> <AFF3FFE8-9C7A-448C-B3A4-A7F56D976B99@gmail.com> <AC6D6C2B-F2D4-4D28-9308-6863FA910564@lodderstedt.net> <81C0B993-31B3-4591-8C91-9214AD90B26F@oracle.com> <BA036ED4-4918-4897-80EA-85CD313C3556@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----74ZCJE1FORAPD2K696QSLC5LQFN6BT"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Sun, 10 Nov 2013 09:57:57 +0100
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Message-ID: <2086f475-8ad1-4263-93c4-33a8e47e51de@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2013 08:58:11 -0000

One can relate all instances of the same app using an initial access token. So doing per client instance registration does not preclude to manage grants per app.



John Bradley <ve7jtb@ve7jtb.com> schrieb:
>Yes  tcse is a way to use the code flow without per instance
>registration, and better security than a plain public client.  
>Not every instance needs to needs registered as long as the
>redirect_uri is constant. 
>
>There is however a difference in how grants are treated then you have
>multiple instances with the same client_id.
>If you want all copies of a app that the user has installed across
>devices to have the same grants then use one client_id and tcse.
>
>If you want the grants to be separate so that one instance has RW and
>the other RO scopes for example then you need dynamic client
>registration or to re-confirm all scopes each time and not prompt only
>for new scopes for the client.   So there are legitimate reasons for
>doing both.
>
>John B.
>
>
>
>On Nov 9, 2013, at 12:32 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> Sounds interesting. 
>> 
>> I wonder about why one might choose a public model with tcse vs
>stateless client reg?  
>> 
>> Eg. Tcse might be more important for transient clients. 
>> 
>> Phil
>> 
>> On Nov 9, 2013, at 12:27, Torsten Lodderstedt
><torsten@lodderstedt.net> wrote:
>> 
>>> Hi,
>>> 
>>> thanks for the explanation. Seems there is the simpler option
>sufficient to solve the original problem but it's not secure enough to
>be a general solution. 
>>> 
>>> Regarding implementation: The simpler option requires the developer
>to create a value of reasonable randomness and the second additionally
>requires to calculate the SHA correctly. I'm afraid client developers
>will have trouble implementing it correctly. That's why the idea of
>OAuth always was to push complexity to the server implementation.
>>> 
>>> While thinking about your proposal, I remembered a potential
>alternative. We initially discussed usage of dynamically issued client
>id/secrets (dyn. client registration) in order to mitigate the threat.
>This has two advantages:
>>> - it utilizes general OAuth functionality
>>> - usage of client credentials is easy from a client developers
>perspective
>>> 
>>> This idea was originally rejected due to the potential implications
>on scalability. The assumption was, potentially billions of client
>instances could not be managed by the AS in a reasonable way. Based on
>the outcome of the latest discussions around dynamic registration, we
>now know how to implement registration in a stateless way using client
>secrets as self-contained tokens. So this should not be a scalability
>issue any longer.
>>> 
>>> Should we reconsider this alternative?
>>> 
>>> regards,
>>> Torsten.
>>> 
>>> Am 09.11.2013 um 19:04 schrieb Nat Sakimura <sakimura@gmail.com>:
>>> 
>>>> And adding to it, it is Google's application team that needs to be
>persuaded. As usual, persuading application people to use crypto is
>hard. We have to strike a point that is acceptable to them as well as
>being somewhat sensible security-wise. Having option to bump up the
>security is important as a future migration path as well, hence the
>current design. 
>>>> 
>>>> =nat via iPhone
>>>> 
>>>> Nov 10, 2013 1:42、John Bradley <ve7jtb@ve7jtb.com> のメッセージ:
>>>> 
>>>>> Simplicity for clients that don't need the extra security.   I
>happen to agree with you but it is Google that needs the convincing, as
>they have deployed the non crypto version.
>>>>> As with many things getting people to adopt it is the trick.
>>>>> 
>>>>> John B.
>>>>> 
>>>>> On Nov 9, 2013, at 8:15 AM, Torsten Lodderstedt
><torsten@lodderstedt.net> wrote:
>>>>> 
>>>>>> Hi John,
>>>>>> 
>>>>>> why not make the more secure option the only one?
>>>>>> 
>>>>>> regards,
>>>>>> Torsten.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> John Bradley <ve7jtb@ve7jtb.com> schrieb:
>>>>>> With a native app using a captive browser with no malware, only
>the response is susceptible to interception, making encrypting the
>request redundant.
>>>>>> In other environments and with some user groups the request's
>challenge needs to be protected from interception.  This may be more
>the case in a desktop environment where there is less control over the
>browser.
>>>>>> 
>>>>>> I expect that we will come to two options one unprotected
>requests and one for protected requests.
>>>>>> 
>>>>>> To Phil's point this is not about identifying the class of
>software this is about matching a response to an instance of software. 
> 
>>>>>> A software statement gives you a hint about the class of software
>but not the instance without per client registration.
>>>>>> 
>>>>>> This method gives you the ability to securely return the token to
>only the instance of the client that requested it without the overhead
>of per instance dynamic registration.
>>>>>> 
>>>>>> This is a practical solution to a real problem people are having
>today, and versions of this are in production now.   
>>>>>> 
>>>>>> Nat and I are trying to document it so that there can be
>interoperability rather than every AS doing something different.
>>>>>> 
>>>>>> John B.
>>>>>> 
>>>>>> On Nov 9, 2013, at 5:23 AM, Torsten Lodderstedt
><torsten@lodderstedt.net> wrote:
>>>>>> 
>>>>>>> Hi Nat,
>>>>>>> 
>>>>>>> what's the rationale for having different algorithms to produce
>a code challenges? As this may cause interop issues there should be
>good reasons to introduce variants.
>>>>>>> 
>>>>>>> regards,
>>>>>>> Torsten.
>>>>>>> 
>>>>>>> 
>>>>>>> Am 19.10.2013 12:15, schrieb Nat Sakimura:
>>>>>>>> Incorporated the discussion at Berlin meeting and after in the
>ML. 
>>>>>>>> 
>>>>>>>> Best, 
>>>>>>>> 
>>>>>>>> Nat
>>>>>>>> 
>>>>>>>> ---------- Forwarded message ----------
>>>>>>>> From: <internet-drafts@ietf.org>
>>>>>>>> Date: 2013/10/19
>>>>>>>> Subject: New Version Notification for
>draft-sakimura-oauth-tcse-02.txt
>>>>>>>> To: Nat Sakimura <sakimura@gmail.com>, John Bradley
><jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> A new version of I-D, draft-sakimura-oauth-tcse-02.txt
>>>>>>>> has been successfully submitted by Nat Sakimura and posted to
>the
>>>>>>>> IETF repository.
>>>>>>>> 
>>>>>>>> Filename:        draft-sakimura-oauth-tcse
>>>>>>>> Revision:        02
>>>>>>>> Title:           OAuth Symmetric Proof of Posession for Code
>Extension
>>>>>>>> Creation date:   2013-10-19
>>>>>>>> Group:           Individual Submission
>>>>>>>> Number of pages: 8
>>>>>>>> URL:            
>http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-02.txt
>>>>>>>> Status:         
>http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>>>>>>>> Htmlized:       
>http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02
>>>>>>>> Diff:           
>http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-02
>>>>>>>> 
>>>>>>>> Abstract:
>>>>>>>>    The OAuth 2.0 public client utilizing authorization code
>grant is
>>>>>>>>    susceptible to the code interception attack.  This
>specification
>>>>>>>>    describe a mechanism that acts as a control against this
>threat.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Please note that it may take a couple of minutes from the time
>of submission
>>>>>>>> until the htmlized version and diff are available at
>tools.ietf.org.
>>>>>>>> 
>>>>>>>> The IETF Secretariat
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -- 
>>>>>>>> Nat Sakimura (=nat)
>>>>>>>> Chairman, OpenID Foundation
>>>>>>>> http://nat.sakimura.org/
>>>>>>>> @_nat_en
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> 
>>>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email