[OAUTH-WG] Proposed text for a Privacy considerations section in draft-ietf-oauth-dpop-02

Denis <denis.ietf@free.fr> Wed, 02 December 2020 15:47 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F543A160B for <oauth@ietfa.amsl.com>; Wed, 2 Dec 2020 07:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6lO5UrRnI-M for <oauth@ietfa.amsl.com>; Wed, 2 Dec 2020 07:47:32 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp09.smtpout.orange.fr [80.12.242.131]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B9183A1596 for <oauth@ietf.org>; Wed, 2 Dec 2020 07:47:14 -0800 (PST)
Received: from [192.168.1.11] ([90.91.135.71]) by mwinf5d17 with ME id zTnA2300N1Ybo4i03TnAdq; Wed, 02 Dec 2020 16:47:10 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 02 Dec 2020 16:47:10 +0100
X-ME-IP: 90.91.135.71
To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <9619c66e-a19c-d3b2-3026-9755a6249d50@free.fr>
Date: Wed, 2 Dec 2020 16:47:14 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------299B9F48ADDCE2948137038E"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fmEdQkFFj94qkpIzu_TNmGWnO9g>
Subject: [OAUTH-WG] Proposed text for a Privacy considerations section in draft-ietf-oauth-dpop-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 15:47:36 -0000

This is the development of the 18 th comment from my previous email.

Proposed text:

9. Privacy considerations

The document does not specify how the public key used to compute the 
signature of the DPoP proof JWT is generated or comes from. Different 
scenarios are possible.
They are addressed with respect to the ability of RSs or other servers 
being able to link the users using the DPoP proof JWTs and the 
associated access tokens they receive.

In order to limit attacks to impersonation attacks, an access token must 
include either a "sub" claim or other claims allowing to unambiguously 
identify the user to a RS.
When a "sub" claim is being used, RFC 7519 states in section 4.1.2 that 
"the subject value MUST either be scoped to be locally unique in the 
context of the issuer or be globally unique".

When the subject value is globally unique, RSs usually do not learn more 
than they already knew but since that subject value may be shared and 
compared with globally unique identifiers
stored by other servers that are not part of the OAuth framework this 
may be considered as a problem but this has nothing to do with the DPoP 
mechanism.

The case where the subject value is locally unique in the context of the 
AS or other claims incorporated into an access token allow to 
unambiguously identify the user to a RS is addressed below.


9.1 Use of a single asymmetric key pair for all ASs

All the "DPoP" access tokens issued by all the ASs, will include the 
same public key.

When the subject value is locally unique in the context of the issuer 
(i.e. an AS) or other claims allow to unambiguously identify the user to 
a RS,
RSs may learn more than they already knew since a locally unique 
identifier used by one AS may be different from another locally unique 
identifier used by another AS.
The same applies for other claims allowing to unambiguously identify the 
user to a RS. In this case, this allows RSs to link a "sub" claim or 
other claims allowing
to unambiguously identify the user to a RS with another "sub" claim or 
other claims allowing to unambiguously identify the user to another RS.

While this method may not be a problem when it is only used within an 
Intranet context, this method may be a problem as soon as it is used 
over the Internet,
because RSs will be able to link the access tokens they receive. This 
method is strongly deprecated when used over the Internet. It may be 
used with great care
within an Intranet as long as the network is kept isolated from the 
Internet since it may affect the privacy of the users.

9.2 Use of a static asymmetric key pair between a client and each AS

All the "DPoP" access tokens issued by one AS for one user, will include 
the same public key. This allows each RS to know whether the access tokens
it receives are coming from the same AS and from the same user.

Using this method, RSs are able to know that the access tokens they 
receive have been issued for the same user whatever claims have been 
incorporated
into the access token. This method may affect the user's privacy.

9.3 Use of a static asymmetric key pair between a client and each RS

All the "DPoP" access tokens issued for one RS, will include the same 
public key, no matter which AS has generated the access token.
This allows each RS to know that the access tokens it receives are 
coming from the same user. Using this method, RSs are unable to link the 
access tokens
they receive when receiving a DPoP proof JWT.

 From a security point of view, this method has a side benefit since all 
access tokens that contain the same public key that are received by a 
given RS are indeed
issued for the same user.

9.4 Use of an ephemeral asymmetric key pair for every "DPoP" access token

When only using the public key placed in a "DPoP" access token, RSs are 
unable to link the access tokens they receive.  However, this method has 
the disadvantage
to require the generation of a different key pair for every "DPoP" 
access token.  This may be time and resource consuming.  When this 
method is being used,
it is recommended to generate key pairs in advance, whenever it is 
possible.

Denis