Re: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)
Brian Campbell <bcampbell@pingidentity.com> Thu, 23 December 2021 00:07 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 499073A0E41 for <oauth@ietfa.amsl.com>; Wed, 22 Dec 2021 16:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x_CfPNaGANPL for <oauth@ietfa.amsl.com>; Wed, 22 Dec 2021 16:07:33 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7AF03A0E4A for <oauth@ietf.org>; Wed, 22 Dec 2021 16:07:32 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id r22so6233430ljk.11 for <oauth@ietf.org>; Wed, 22 Dec 2021 16:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LJ7rKlszG9H8PxpXyXRBID8cRd4SiPaa1gWlcmMlimE=; b=EPDQaeVsW3HFyLafcdeLmxhW56IGSPGRIF4r1HnmCweEq7dZqwumS60aTydGVM7s9N MA0b4ZX2VzAi9GIUnGCEikHrtJk1CpXotaszGZOoBKTfuVEGQn3/GiYXSBHttnIvAtPH uMMeBFYA1y/6du3Xqq7bEcLSGoX3c7vn5qcY6+vIZgEBNDG5Hw7Fz/xvRtafpyvIJeSe Y+6u+PGE8OvhWNz2zBETLSDhatmk1M37wRXfLiJNCxl40Bx8ap+8tXKWB4ndmM13icip iTqxr0sdLaq1IzlB2X/lHPx6xhjaRpREYBJAlYmOs2JvzySGmCj/UAXl1BRNHA9d3pr+ 1G8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LJ7rKlszG9H8PxpXyXRBID8cRd4SiPaa1gWlcmMlimE=; b=TV49XjT+K17nDAObxqnv5aeqxeb1spVq3DMr2a0kq1Pl1lc4K18bneUQFzD2z5iQ31 M3NxF1/jyUbrpX1l3HI9+iG8Ti6p5oLsNU/T+cOhMmMv2wiGw/uRKywlbRKCMub5stlZ 4tO9RMeZDVZWL2At6keGNk7xq7yixHW8UlARoa4Lkxu7R1DWAllJvxOR1rDtjqfvM9sz /ADl8AGJdR77yPcUskkDv/dnM1E4JdSO8g1aQv9OZiRJDuV+GBPS9jGis6NaEjOCHHiX zYOonFjM8gE1TcJkEQSLZLXh8jHGNU17//Zg1fujTayoadbfdg7Iutq7zImAtFYA41Lk +edw==
X-Gm-Message-State: AOAM531LAmNgLRbihhVSOSywybHzZJmBMheyUHYwqg2BmtEq6j0loH+L +FhdgmqwRsRRbsftJKHz6Xs8DP/FzJ8yW3MjQ4Y3lmGJRcNcbZHOUbUpT0jeGhhH52Si1MFB4+S nZ09ydAP/V4OYSQ==
X-Google-Smtp-Source: ABdhPJzv4ZNWlLR6oR+hJt3kS9v9IAx+br1J0+lF/vrQS6Vh8czKdV9ltILEbvgKEBfMUOVFhPqOtfWAte0cBgkmMac=
X-Received: by 2002:a2e:a404:: with SMTP id p4mr3918ljn.78.1640218049526; Wed, 22 Dec 2021 16:07:29 -0800 (PST)
MIME-Version: 1.0
References: <CAOtx8Dm_zbG-cosMELOkoDoCrJP=XGsazATSv7mLmpztj+qcvw@mail.gmail.com> <B77A2D8B-946D-4A71-8D2A-90C36FA94722@forgerock.com> <458129C5-F23C-465C-85ED-4CA939E60983@mit.edu> <E9926A47-5392-4822-9870-30CC8FF1319C@forgerock.com> <27F2DD3C-C77D-4256-ACD1-72EE03953F11@alkaline-solutions.com>
In-Reply-To: <27F2DD3C-C77D-4256-ACD1-72EE03953F11@alkaline-solutions.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Dec 2021 17:07:03 -0700
Message-ID: <CA+k3eCRSFXhmsNGwC56_Wv24Z-BLfbfbgEEB5Up3Z8uBtMfjpQ@mail.gmail.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>, Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032638c05d3c506bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gs_60pDEBKD70Q8r3GYA1Yr7lGw>
Subject: Re: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Dec 2021 00:07:38 -0000
I'd concur with much of what DW said. Also, for what it's worth, RFC 8705 not introducing a new auth scheme or token type was due, in part, to the hope/expectation that it'd allow for certificate-bound access token support to be layered on top of existing systems without needing changes to the software itself. From the deployments I've seen, I think that's played out pretty well. It might be a little clumsy but the content of RFC 8705 is intentional and was based on rough consensus. Updating/obsoleting an RFC is a substantial endeavor with potentially significant and costly ramifications. I don't see anywhere near sufficient justification to do so in this case. On Thu, Dec 9, 2021 at 3:25 PM David Waite <david= 40alkaline-solutions.com@dmarc.ietf.org> wrote: > > > On Dec 9, 2021, at 2:35 PM, Neil Madden <neil.madden@forgerock.com> wrote: > > On 9 Dec 2021, at 20:36, Justin Richer <jricher@mit.edu> wrote: > > > I disagree with this take. If there are confirmation methods at all, it’s > no longer a Bearer token, and pretending that it is doesn’t help anyone. I > think combining confirmation methods is interesting, but then you get into > a weird space of how to define the combinations, and what to do if one is > missing, etc. It opens up a weird space for interop problems. It’s not > insurmountable, but I don’t think it’s a trivial as it might look at first. > > Plus, the “backwards compatible” argument is what led to the existing RFC > using Bearer again. In my view, this actually opens up the possibility of > downgrade attacks against the RS, where a lazy RS doesn’t check the binding > because it sees “Bearer” and calls it a day. > > > I think this actually strongly argues the opposite - it is precisely > because the scheme is under attacker control that enables such downgrade > attacks. So relying on the scheme to tell you what kind of PoP checks to > apply makes these kinds of attacks more likely, not less. I’m suggesting > instead that the RS decides what checks to enforce based on the “cnf” > content in the token - which is either signed by the AS or retrieved > directly from the AS through introspection. On the other hand, the token > type is not even defined in the recent RFC 9068 for JWT-based ATs. So an > attacker could easily change the scheme from MTLS to Bearer to see if the > RS stops performing checks, but they can’t remove a “cnf” claim from the > token itself. > > In hindsight, “Bearer” might have been better named “AccessToken” or > similar, but I don’t think the name matters as much as the semantics. > > > While I can’t speak for those involved, I suspect there was a desire to > carry over OAuth 1 behavior with message signatures at the authorization > level. That is to say, I suspect the name Bearer was to distinguish against > say a PoP or HttpSig scheme. > > In that light, I suspect the separation was not necessarily one trying to > capture security semantics, but in understanding the format of the > authorization header itself. A PoP scheme might include a signed > challenge-response as a mandatory second parameter, or via wrapping the > access token into a security structure such as a JWT. Neither of these > would be valid for the Bearer authorization header, which is meant to > convey an access token and provides for no additional parameters. > > MTLS did not change the semantics of the bearer authorization header, > since the format/meaning and validation of an access token has always been > implementation-defined. Thus, a “MTLS” authentication scheme does not > provide meaningful distinction, even ignoring the issues such distinction > gives under an attacker model. > > -DW > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mt… Dmitry Telegin
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Neil Madden
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Justin Richer
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Neil Madden
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… David Waite
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Benjamin Kaduk
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Brian Campbell