Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

Nomad On Walkabout <carl@carlsue.com> Fri, 02 November 2018 23:41 UTC

From: Nomad On Walkabout <carl@carlsue.com>
To: John-Mark Gurney <jmg+oauth@newcontext.com>, "bcampbell@pingidentity.com" <bcampbell@pingidentity.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 02 Nov 2018 23:41:28 +0000
Message-ID: <LNXP265MB0203CC244B1A4E87B67B755EF0CF0@LNXP265MB0203.GBRP265.PROD.OUTLOOK.COM>
References: <CALgdmdsoj9uaVyha5x7anxt4iU_0f8FqyfjNH00Syd-MKSQ_UQ@mail.gmail.com> <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com> <CALgdmdu+H5vbjTj9W=kq1JL3i_UvvURR=A6N7WEW4P3evxR3yw@mail.gmail.com>
In-Reply-To: <CALgdmdu+H5vbjTj9W=kq1JL3i_UvvURR=A6N7WEW4P3evxR3yw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JCuhIz0bUDfPOR0_aNV1A04xGpE>
Subject: Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

Hi John,

I suggest you read the first few sections of the OAuth spec as it may explain better the use of terms in OAuth, as they are a little different due to implementation. In this case I believe you mean "Resource Owner", as the "Client"'s certificate is not going to be a privacy issue unless, as stated before, the "client" is a third-party entity, and is likely not going to be affected by privacy concerns as I understand it in this case. Also in the first few sections of the OAuth RFC, security (and privacy) concerns are addressed, stating that the latest version of SSL/TLS possible should be in use. (At the time of writing TLSv1.2 was the latest.)

Cheers,
Carl
carl@carlsue.com

On 11/1/18, 9:01 PM, "OAuth on behalf of John-Mark Gurney" <oauth-bounces@ietf.org on behalf of jmg+oauth@newcontext.com> wrote:

    I do not have a good enough understanding of OAuth nor how it is used
    in this draft to be able to write a proper security considerations
    section about it.  You mention that the OAuth certification is
    different than one for client cert authentication, but as I don't know
    the standard well enough, I do not know the implications of it.
    
    Even if the paragraph reads something like: Though client certs are
    public in TLS versions 1.2 and before, they are not a privacy concern
    because of x, y and z.  This would allow people who are reviewing it
    to understand why it is not a privacy issue.
    
    I only briefly reviewed this document because a coworker asked about
    it, but I raised this concern because it was not mentioned in the
    security considerations section.

    On Thu, Nov 1, 2018 at 7:37 AM Brian Campbell
    <bcampbell@pingidentity.com> wrote:
    >
    > To be honest, I thought that was a relatively well known aspect of TLS 1.2 (and prior) and a noted difference of the new features in TLS 1.3. Also, I'd note that we're well past WGCL for this document. But, with that said, I suppose adding some privacy considerations text on the subject is worthwhile. Would you propose some text for the WG to consider, John-Mark? Bearing in mind that the implications of a certificate presented by, and representing, an OAuth client are somewhat different than for an end-user doing client cert authentication.
    >
    >
    >
    >
    > On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:
    >>
    >> I would suggest that the security considerations section of
    >> draft-ietf-oauth-mtls-12 be expanded to include the privacy
    >> implications of using this on versions of TLS before 1.3.  On all
    >> versions of TLS before 1.3, the client cert is not encrypted and can
    >> be used by third parties to monitor and track users.  I recently
    >> posted a blog entry about this:
    >> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
    >>
    >> Thanks.
    >>
    >> John-Mark Gurney
    >>
    >> _______________________________________________
    >> OAuth mailing list
    >> OAuth@ietf.org
    >> https://www.ietf.org/mailman/listinfo/oauth
    >
    
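As an added, runnable illustration of the point John-Mark raises (this is not code from the thread, from draft-ietf-oauth-mtls, or from any of its authors): the script below walks a client-to-server TLS byte stream at the record layer and reports whether the client's Certificate handshake message was readable in the clear. In TLS 1.2 that message is a plaintext handshake record sent before ChangeCipherSpec; in TLS 1.3 it travels in encrypted records that an on-path observer only ever sees as application_data. The two flights it audits are constructed placeholders (the ClientHello body and the "certificate" bytes are not real protocol contents), the function and variable names are my own, and only the Python standard library is used.

```python
# Audit a captured client-to-server TLS byte stream for a cleartext client Certificate.
# Added example for this thread; every sample byte below is a constructed placeholder.
import struct
from dataclasses import dataclass, field

# Record-layer content types (RFC 5246 / RFC 8446)
CONTENT_CHANGE_CIPHER_SPEC, CONTENT_HANDSHAKE, CONTENT_APPLICATION_DATA = 20, 22, 23
# Handshake message types found in a client's flight
HS_CLIENT_HELLO, HS_CERTIFICATE, HS_CLIENT_KEY_EXCHANGE = 1, 11, 16


@dataclass
class AuditResult:
    plaintext_handshake_types: list = field(default_factory=list)
    cleartext_client_certificate: bool = False
    cleartext_certificate_bytes: int = 0  # certificate_list bytes an observer could read
    encrypted_records: int = 0


def parse_records(stream: bytes) -> list:
    """Split a stream into (content_type, legacy_version, fragment) records."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated TLS record header")
        content_type, version = stream[offset], stream[offset + 1:offset + 3]
        (length,) = struct.unpack("!H", stream[offset + 3:offset + 5])
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated TLS record body")
        records.append((content_type, version, fragment))
        offset += 5 + length
    return records


def parse_handshake_messages(fragment: bytes) -> list:
    """Split a plaintext handshake fragment into (msg_type, body) pairs."""
    messages, offset = [], 0
    while offset < len(fragment):
        if len(fragment) - offset < 4:
            raise ValueError("truncated handshake header")
        msg_type = fragment[offset]
        length = int.from_bytes(fragment[offset + 1:offset + 4], "big")
        body = fragment[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        messages.append((msg_type, body))
        offset += 4 + length
    return messages


def audit_client_flight(stream: bytes) -> AuditResult:
    """Report whether the client's Certificate message crossed the wire unencrypted."""
    # TLS 1.2: Certificate is a plaintext handshake record sent before ChangeCipherSpec.
    # TLS 1.3: everything after ClientHello is encrypted and appears as type-23 records.
    result, keys_active = AuditResult(), False
    for content_type, _version, fragment in parse_records(stream):
        if content_type == CONTENT_CHANGE_CIPHER_SPEC:
            keys_active = True  # subsequent TLS 1.2 handshake records are encrypted
        elif content_type == CONTENT_APPLICATION_DATA or keys_active:
            result.encrypted_records += 1
        elif content_type == CONTENT_HANDSHAKE:
            for msg_type, body in parse_handshake_messages(fragment):
                result.plaintext_handshake_types.append(msg_type)
                if msg_type == HS_CERTIFICATE:
                    cert_list_len = int.from_bytes(body[:3], "big")
                    if cert_list_len:  # an empty list means the client declined to authenticate
                        result.cleartext_client_certificate = True
                        result.cleartext_certificate_bytes += cert_list_len
    return result


def _record(content_type: int, fragment: bytes, legacy_version: bytes = b"\x03\x03") -> bytes:
    return bytes([content_type]) + legacy_version + struct.pack("!H", len(fragment)) + fragment


def _handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed placeholders: the audit reads only record and handshake headers, so the
# ClientHello body and the "certificate" below are not real protocol contents.
_FAKE_HELLO = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
_FAKE_CERT_DER = b"\x30\x82\x00\x10" + b"X" * 16
_CERT_ENTRY = len(_FAKE_CERT_DER).to_bytes(3, "big") + _FAKE_CERT_DER
_FAKE_CERT_BODY = len(_CERT_ENTRY).to_bytes(3, "big") + _CERT_ENTRY

TLS12_CLIENT_FLIGHT = (
    _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, _FAKE_HELLO))
    + _record(CONTENT_HANDSHAKE, _handshake(HS_CERTIFICATE, _FAKE_CERT_BODY))  # readable by any observer
    + _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x20" + bytes(32)))
    + _record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + _record(CONTENT_HANDSHAKE, b"\xaa" * 40)  # encrypted Finished
)
TLS13_CLIENT_FLIGHT = (
    _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, _FAKE_HELLO), legacy_version=b"\x03\x01")
    + _record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")     # middlebox-compatibility dummy CCS
    + _record(CONTENT_APPLICATION_DATA, b"\xbb" * 64)  # encrypted Certificate
    + _record(CONTENT_APPLICATION_DATA, b"\xcc" * 48)  # encrypted CertificateVerify
    + _record(CONTENT_APPLICATION_DATA, b"\xdd" * 36)  # encrypted Finished
)

if __name__ == "__main__":
    print(audit_client_flight(TLS12_CLIENT_FLIGHT), audit_client_flight(TLS13_CLIENT_FLIGHT))
```

Pointed at a capture of your own OAuth clients' connections, the result shows which deployments still expose the client certificate, and with it a stable identifier, to anyone on the path between client and authorization server; the same flight audits clean once TLS 1.3 is negotiated, which is the remedy the thread points to.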