Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

Phil Hunt <phil.hunt@oracle.com> Mon, 25 January 2016 23:22 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B25B91A1EEA for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 15:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ZaCw5oqnpUC for <oauth@ietfa.amsl.com>; Mon, 25 Jan 2016 15:22:52 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62531A1B30 for <oauth@ietf.org>; Mon, 25 Jan 2016 15:22:52 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u0PNMpW9004565 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <oauth@ietf.org>; Mon, 25 Jan 2016 23:22:51 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.13.8) with ESMTP id u0PNMpJa027825 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Mon, 25 Jan 2016 23:22:51 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u0PNMo9X026275 for <oauth@ietf.org>; Mon, 25 Jan 2016 23:22:51 GMT
Received: from [192.168.1.22] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 25 Jan 2016 15:22:50 -0800
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C537EB57-D4D1-43D6-AB73-33EF2A9A242D"
Date: Mon, 25 Jan 2016 15:22:48 -0800
References: <809D2C8D-F76B-42AD-93D1-E6AF487487AA@oracle.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Message-Id: <362D654D-BC33-45AE-9F64-0A131A9EBC5E@oracle.com>
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/j9YvojmMslWUjqkED_TsGyk0_L8>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 23:22:54 -0000

Sorry, meant to reply-all.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>





> Begin forwarded message:
> 
> From: Phil Hunt <phil.hunt@oracle.com>;
> Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
> Date: January 25, 2016 at 3:20:19 PM PST
> To: Nat Sakimura <sakimura@gmail.com>;
> 
> I am having trouble with the very first assumption. The user-agent sets up a non TLS protected connection to the RP? That’s a fundamental violation of 6749.
> 
> Also, the second statement says the RP (assuming it acts as OAuth client) is talking to two IDPs.  That’s still a multi-AS case is it not?
> 
> Phil
> 
> @independentid
> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
> 
> 
> 
> 
>> On Jan 25, 2016, at 2:58 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>> 
>> Hi Phil, 
>> 
>> Since I was not in Darmstadt, I really do not know what was discussed there, but with the compromised developer documentation described in http://nat.sakimura.org/2016/01/15/idp-mix-up-attack-on-oauth-rfc6749/ <http://nat.sakimura.org/2016/01/15/idp-mix-up-attack-on-oauth-rfc6749/>;, all RFC6749 clients with a naive implementer will be affected. The client does not need to be talking to multiple IdPs. 
>> 
>> Nat
>> 
>> 2016年1月26日(火) 3:58 Phil Hunt (IDM) <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>>:
>> I recall making this point in Germany. 99% of existing use is fine. OIDC is probably the largest community that *might* have an issue.
>> 
>> I recall proposing a new security document that covers oauth security for dynamic scenarios. "Dynamic" being broadly defined to mean:
>> * clients who have configured at runtime or install time (including clients that do discovery)
>> * clients that communicate with more than one endpoint
>> * clients that are deployed in large volume and may update frequently (more discussion of "public" cases)
>> * clients that are script based (loaded into browser on the fly)
>> * others?
>> 
>> Phil
>> 
>> > On Jan 25, 2016, at 10:39, George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> wrote:
>> >
>> > would
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>