Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 22 November 2019 13:37 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6690120856 for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 05:37:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HrFU6xZ_2WLY for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 05:37:23 -0800 (PST)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55802120859 for <oauth@ietf.org>; Fri, 22 Nov 2019 05:37:23 -0800 (PST)
Received: by mail-pl1-x629.google.com with SMTP id o9so3130694plk.6 for <oauth@ietf.org>; Fri, 22 Nov 2019 05:37:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=vaDFbrCnVDuIV37UHtX6PUGffrypYgzJbF4rGSnHe4o=; b=2RqrFPECJauTzMLRGESrBjuoqFhJa/R/HZFYNglrioKm3VpWmT6R4tmlreoKpgxRwL 8Ga3STYlRQqKEoI/ez31rZv3ZshHbo+Erjlxl0zTZ97Lk0tOXVSYGcN5pN3qgT9gv1or OJEd7RRf15WlUTCyheymC8T6PmRVubZRkbdEVDmKMun2F6/dM8h4VpMgPQ6jxowoPVSu Kg5M7ar0Iz+Io/2InLyqRMr7lT3vZopaE2F8qiPWDyoRYlUYQftiBQ7Q9/vDS4N+R5WS UrR1feoucU3GL9opyMDf1yYYGi5TnD8cfl9MBGDYzuqSvceqjE9t5GGNx12MvJJf4Bk3 XhiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=vaDFbrCnVDuIV37UHtX6PUGffrypYgzJbF4rGSnHe4o=; b=l8nKKLZFJgq8pDILBz51/6H8jEoM1jGMSqH2WFCIcGWrbcB2/qYSKDlrfawtys7swX Aesb2kvunLbsEeZRU8n+aj02ruX1SxeT6SvIbstuk81XBmFkU+qHFCjhNS017sEFumrK xXAtQT4GBWP1qqIKrRJyBZEwgakiy0qeu23AJeU1iJTyG9pyPFFIAOq1lM1kmmzd899p YDEITsDpkQBuRXZ7fWqUcLrtXt5OQvQAb0hNm8eDVHjPdV5HPp6hmToKP6Bmusallpbc gEBJApp88/2Mj+nYXZj7v2M+iQJ4L4EGimMyB7qyWFwttkc+TPRN4q7h/D/qoTXro8Cs AB1g==
X-Gm-Message-State: APjAAAXreJrk93G/Mhh4C1iUAcD/jYu4E58o8uCWF0eyd4mdT9hDY9It u+g1ZQ+dS8f5uUlfR4JKCRkmt1fQmAJZ4p2K
X-Google-Smtp-Source: APXvYqwJoNYMCez85N8EWQkqPHvSDYNZMAG7mr0yWgOPJfhNKoxwRAtusmRvkD9y2ZQ6pMb4uRZYeQ==
X-Received: by 2002:a17:902:8c85:: with SMTP id t5mr14217804plo.290.1574429842584; Fri, 22 Nov 2019 05:37:22 -0800 (PST)
Received: from [10.84.13.52] ([103.137.210.94]) by smtp.gmail.com with ESMTPSA id t8sm4892649pgr.38.2019.11.22.05.37.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Nov 2019 05:37:21 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <36707A3C-788D-4ACF-AAEF-35582BFB89B7@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_001DC751-70AF-4928-9F51-F160C325B7B4"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Fri, 22 Nov 2019 21:37:15 +0800
In-Reply-To: <D6F0034F-7F70-442C-8334-733359DE44A9@amazon.com>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
References: <2EF412B8-AF8C-4642-9BE0-1B528B0C63D5@amazon.com> <288343F2-ACF0-43E0-8577-26AF45330E5C@forgerock.com> <CAD9ie-u_SM+1hRuBWR7zBGSi4Ex59Ht0SzoVTeFuWTRc3cFJXw@mail.gmail.com> <6DECA422-AACC-4DAA-8CD2-FF57CE02DE3E@mit.edu> <0235F8A2-83C4-4804-8805-F50305E263BB@lodderstedt.net> <D43D3929-F1B7-4A2C-ABEC-1326F3F0926C@forgerock.com> <1FD6E2DF-013A-4F42-862B-ADEF45EAE689@lodderstedt.net> <D6F0034F-7F70-442C-8334-733359DE44A9@amazon.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/f72PJiLgnj2hyM9oTSDgbjaTaU4>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 13:37:26 -0000


> On 22. Nov 2019, at 21:21, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org> wrote:
> 
> The dichotomy of "TLS working" and "TLS failed" only applies to a single TLS connection. In non-end-to-end TLS environments, each TLS terminator between client and RS introduces additional token leakage/exfiltration risk, irrespective of the quality of the TLS connections themselves. Each terminator also introduces complexity for implementing mTLS, Token Binding, or any other TLS-based sender constraint solution, which means developers with non-end-to-end TLS use cases will be more likely to turn to DPoP.

The point is we are talking about different developers here. The client developer does not need to care about the connection between proxy and service. She relies on the service provider to get it right. So the developers (or DevOps or admins) of the service provider need to ensure end to end security. And if the path is secured once, it will work for all clients. 

> If DPoP is intended to address "cases where neither mTLS nor OAuth Token Binding are available" [1], then it should address this risk of token leakage between client and RS. If on the other hand DPoP is only intended to support the SPA use case and assumes the use of end-to-end TLS, then the document should be updated to reflect that.

I agree. 

> 
> [1]: https://tools.ietf.org/html/draft-fett-oauth-dpop-03#section-1
> 
> – 
> Annabelle Richard Backman
> AWS Identity
> 
> 
> On 11/22/19, 8:17 PM, "OAuth on behalf of Torsten Lodderstedt" <oauth-bounces@ietf.org on behalf of torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> 
>    Hi Neil,
> 
>> On 22. Nov 2019, at 18:08, Neil Madden <neil.madden@forgerock.com> wrote:
>> 
>> On 22 Nov 2019, at 07:53, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>> 
>>> 
>>> 
>>>> On 22. Nov 2019, at 15:24, Justin Richer <jricher@mit.edu> wrote:
>>>> 
>>>> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
>>>> 
>>>> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 
>>> 
>>> as a co-author of the DPoP draft I state again what I said yesterday: DPoP is a mechanism for sender-constraining access tokens sent from SPAs only. The threat to be prevented is token replay.
>> 
>> I think the phrase "token replay" is ambiguous. Traditionally it refers to an attacker being able to capture a token (or whole requests) in use and then replay it against the same RS. This is already protected against by the use of normal TLS on the connection between the client and the RS. I think instead you are referring to a malicious/compromised RS replaying the token to a different RS - which has more of the flavour of a man in the middle attack (of the phishing kind).
> 
>    I would argue TLS basically prevents leakage and not replay. The threats we try to cope with can be found in the Security BCP. There are multiple ways access tokens can leak, including referrer headers, mix-up, open redirection, browser history, and all sorts of access token leakage at the resource server
> 
>    Please have a look at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.
> 
>    https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.8 also has an extensive discussion of potential counter measures, including audience restricted access tokens and a conclusion to recommend sender constrained access tokens over other mechanisms.
> 
>> 
>> But if that's the case then there are much simpler defences than those proposed in the current draft:
>> 
>> 1. Get separate access tokens for each RS with correct audience and scopes. The consensus appears to be that this is hard to do in some cases, hence the draft.
> 
>    How many deployments do you know that today are able to issue RS-specific access tokens?
>    BTW: how would you identify the RS?
> 
>    I agree that would be an alternative and I’m a great fan of such tokens (and used them a lot at Deutsche Telekom) but in my perception this pattern needs still to be established in the market. Moreover, they basically protect from a rough RS (if the URL is used as audience) replaying the token someplace else, but they do not protect from all other kinds of leakage/replay (e.g. log files).
> 
>> 2. Make the DPoP token be a simple JWT with an "iat" and the origin of the RS. This stops the token being reused elsewhere but the client can reuse it (replay it) for many requests.
>> 3. Issue a macaroon-based access token and the client can add a correct audience and scope restrictions at the point of use.
> 
>    Why is this needed if the access token is already audience restricted? Or do you propose this as alternative? 
> 
>> 
>> Protecting against the first kind of replay attacks only becomes an issue if we assume the protections in TLS have failed. But if DPoP is only intended for cases where mTLS can't be used, it shouldn't have to protect against a stronger threat model in which we assume that TLS security has been lost.
> 
>    I agree. 
> 
>    best regards,
>    Torsten. 
> 
>> 
>> -- Neil
> 
> 
>