Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

Denis <denis.ietf@free.fr> Mon, 06 February 2017 12:30 UTC

From: Denis <denis.ietf@free.fr>
To: oauth@ietf.org
Date: Mon, 6 Feb 2017 13:30:22 +0100
Message-ID: <0a8ab2ad-9f14-6915-464f-119a724422c7@free.fr>
In-Reply-To: <CABzCy2AxvPnj9tj9y=bGyu2vB1SaBn6UXVWwV+ckvf-SLHkPOA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iWpCK2Cg9b4nv_Jz4P7y88lXoc4>

The scope of this draft is unclear. The title states: "OAuth Security
Topics".

I have some questions:

  * Does this document intend to cover only the OAuth 2.0 delegation
    protocol (since Justin said that OAuth 2.0 is a delegation protocol)
    or OpenID Connect as well, which is not limited to a delegation
    protocol?
  * Should we discuss OpenID Connect issues and/or solutions in an IETF
    RFC?

If this document is going to be progressed, the threats should be
clearly separated according to whether they relate to a delegation model or to
a client-server access control model. This is not currently the case.

If this document is going to be progressed, the ABC attack (in the
context of an access control model) should be mentioned even if there exists
no way to counter it given the current implicit assumptions made in
OAuth 2.0, in particular the use of software-only implementations.


Denis

> A belated +1
>
>
> On Sat, Feb 4, 2017, 9:08 AM Jim Manico <jim@manicode.com 
> <mailto:jim@manicode.com>> wrote:
>
>     I'm just some random idiot and am not in this working group but the
>     work from
>     https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>     is one of the most up to date and useful OAuth security resources
>     ever published. I am thrilled to see more work put into it.
>
>     Aloha, Jim
>
>
>     On 2/3/17 1:57 PM, William Denniss wrote:
>>     I support the adoption of this document as a working group item.
>>
>>     On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <jim@willeke.com
>>     <mailto:jim@willeke.com>> wrote:
>>
>>         +1
>>         I agree this is needed.
>>
>>         --
>>         -jim
>>         Jim Willeke
>>
>>         On Thu, Feb 2, 2017 at 4:33 PM, John Bradley
>>         <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>             I am in favour of adoption.
>>             > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig
>>             <hannes.tschofenig@gmx.net
>>             <mailto:hannes.tschofenig@gmx.net>> wrote:
>>             >
>>             > Hi all,
>>             >
>>             > this is the call for adoption of the 'OAuth Security
>>             Topics' document
>>             > following the positive call for adoption at the last IETF
>>             > meeting in Seoul.
>>             >
>>             > Here is the document:
>>             >
>>             https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>>             >
>>             > The intention with this document is to have a place to
>>             collect
>>             > discussions and conclusions around OAuth 2.0 security
>>             and to reference
>>             > the actual solution specifications.
>>             >
>>             > Please let us know by Feb 16th whether you accept /
>>             object to the
>>             > adoption of this document as a starting point for work
>>             in the OAuth
>>             > working group.
>>             >
>>             > Ciao
>>             > Hannes & Derek
>>             >
>>             > _______________________________________________
>>             > OAuth mailing list
>>             > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>             > https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>     -- 
>     Jim Manico
>     Manicode Security
>     https://www.manicode.com
>
>
> -- 
>
> Nat Sakimura
>
> Chairman of the Board, OpenID Foundation
>
>
>