[OAUTH-WG] Rate limiting in Dyn-Reg-Management

Justin Richer <jricher@MIT.EDU> Fri, 03 April 2015 20:20 UTC

From: Justin Richer <jricher@MIT.EDU>
Date: Fri, 03 Apr 2015 16:20:33 -0400
Message-Id: <D26B0844-431B-4A14-8B9F-BAF1A2D55444@mit.edu>
To: "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gLpcKqXKNG3SaE8qdYCL7hvagIs>
Subject: [OAUTH-WG] Rate limiting in Dyn-Reg-Management

In the current draft of Dyn-Reg-Management (https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-management-12) there’s a clause that’s causing some consternation in the general review:

   Since the client configuration endpoint is an OAuth 2.0 protected
   resource, it SHOULD have some rate limiting on failures to prevent
   the registration access token from being disclosed through repeated
   access attempts.

A comment has been raised arguing that this text isn’t helpful to implementors as it doesn’t tell them what kind of rate limiting to do or how to accomplish it. It has also been pointed out that there’s not an obvious need for this recommendation if there’s enough entropy in the registration access token to begin with.

The suggestion has been made to drop the above text, and potentially to add a reference to the sections on token complexity in 6750 §5.2 and 6819 §5.1.4.2.2. My suggested text in that regard is:

Since possession of the registration access token authorizes the holder to potentially read, modify, or delete a client’s registration (including its credentials such as a client_secret), the registration access token MUST contain sufficient entropy such as described in [RFC6750] Section 5.2 and [RFC6819] Section 5.1.4.2.2.

I would add this as the last sentence to the first paragraph in the security considerations section.

What does the WG think of this suggested change?

 — Justin
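For context on the two mitigations being weighed above, here is an added illustration (not part of the message or the draft) of how an authorization server's client configuration endpoint could apply both: minting registration access tokens with at least 128 bits of entropy, as RFC 6750 Section 5.2 and RFC 6819 Section 5.1.4.2.2 recommend, and throttling failed attempts per client_id. The class and function names, the lockout parameters, and the client_id value are all constructed for the example.

```python
"""Registration access token handling for a client configuration endpoint.
Constructed example: high-entropy tokens plus per-client failure throttling."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MIN_TOKEN_ENTROPY_BITS = 128  # floor recommended in RFC 6819 Section 5.1.4.2.2


def issue_registration_access_token(nbytes: int = 32) -> str:
    """Mint a token from the OS CSPRNG; 32 bytes gives 256 bits of entropy."""
    import secrets
    if nbytes * 8 < MIN_TOKEN_ENTROPY_BITS:
        raise ValueError("token would carry too little entropy")
    return secrets.token_urlsafe(nbytes)


def token_entropy_bits(token: str) -> int:
    """Entropy of a token_urlsafe-style token, from its decoded byte length."""
    padded = token + "=" * (-len(token) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8


class ClientConfigurationEndpoint:
    """Stores only a digest of each client's token; rate limits failures per client_id."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 300.0):
        self._token_hashes: Dict[str, bytes] = {}
        self._failures: Dict[str, Tuple[int, float]] = {}  # client_id -> (count, locked_until)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def register(self, client_id: str) -> str:
        token = issue_registration_access_token()
        self._token_hashes[client_id] = self._digest(token)
        return token  # handed to the client once; never stored in clear

    def authorize(self, client_id: str, presented: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        count, locked_until = self._failures.get(client_id, (0, 0.0))
        if now < locked_until:
            return False  # locked out: reject without comparing
        expected = self._token_hashes.get(client_id)
        ok = expected is not None and hmac.compare_digest(expected, self._digest(presented))
        if ok:
            self._failures.pop(client_id, None)
            return True
        count += 1
        locked = count >= self.max_failures
        self._failures[client_id] = (0, now + self.lockout_seconds) if locked else (count, 0.0)
        return False
```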