IETF Logo Mail Archive

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

Justin Richer <jricher@mit.edu> Tue, 21 February 2017 23:09 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DF571289B0 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2017 15:09:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkJ5bY6rKl07 for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2017 15:09:28 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A649C120726 for <oauth@ietf.org>; Tue, 21 Feb 2017 15:09:28 -0800 (PST)
X-AuditID: 12074425-bc3ff70000003acd-a8-58acc8a56863
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 72.90.15053.5A8CCA85; Tue, 21 Feb 2017 18:09:26 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v1LN9OOH023091; Tue, 21 Feb 2017 18:09:25 -0500
Received: from [172.16.208.198] (173-166-14-1-newengland.hfc.comcastbusiness.net [173.166.14.1]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v1LN9Dkx030374 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 21 Feb 2017 18:09:20 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <DC50BBDC-ECC3-4883-93A1-B7A73F0C25ED@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3CDE03D4-FF70-417F-A394-187C98362952"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 21 Feb 2017 18:09:03 -0500
In-Reply-To: <CAAP42hAV+-AGemqUEU1yNcM70Zt9xF7m=u_Bnm_T82Ph1Wzu3A@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
References: <CAF2hCbYL_hi1_kAXhYDcY7vx+iVA0Gf664BN+2jS2OOEGU16eQ@mail.gmail.com> <CAAP42hA5=Pv5avFgaWcnUQqrSjL2oAViybi3V7ixr+yNVFcj_g@mail.gmail.com> <304c520f-e531-2ac8-f93f-b91aae11253c@free.fr> <CAAP42hAV+-AGemqUEU1yNcM70Zt9xF7m=u_Bnm_T82Ph1Wzu3A@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprJKsWRmVeSWpSXmKPExsUixCmqrbvsxJoIg6Yp0hbru+wsTr59xWax aU4zuwOzR/+6z6weCzaVeixZ8pMpgDmKyyYlNSezLLVI3y6BK+PPHqGCD62MFbuaHzM1MO7J 7GLk5JAQMJF427uFvYuRi0NIoI1J4tDSZ2wQzkZGiWt7dkJl7jJJvGmawwrSwiagKjF9TQsT iM0rYCVxeuZcdhCbWSBJYsKhXlaIuL7E7DOXWEBsYQE7iUv3rgFN5eBgAert7TMHCXMKBEpM X3eTFaLVWWLPhLlsILaIgKbEy7MHWCD29jNJvHv2kg3iVFmJt7+WME9g5J+FZN0sJOsg4toS yxa+ZoawNSX2dy/HIq4h0fltIusCRrZVjLIpuVW6uYmZOcWpybrFyYl5ealFuhZ6uZkleqkp pZsYQaHO7qK6g3HOX69DjAIcjEo8vA/c10QIsSaWFVfmHmKU5GBSEuVdPhMoxJeUn1KZkVic EV9UmpNafIhRgoNZSYR30k6gHG9KYmVValE+TEqag0VJnFdcozFCSCA9sSQ1OzW1ILUIJivD waEkwRtzHKhRsCg1PbUiLTOnBCHNxMEJMpwHaPiUYyDDiwsSc4sz0yHypxh1OaZMvfiSSYgl Lz8vVUqcdx9IkQBIUUZpHtwcUIpau4yP8RWjONBbwrydIOt4gOkNbtIroCVMQEtueqwEWVKS iJCSamAUrExLetS4h6tQpOfJIZ3Kqz1KhkIfpVc1PP3Bdcjt4eNTEecK/ok9eL2bd+n+6Oiv 61yvcR5RFz2X35YXqvh2Xw/f04SeNdqT6ux190pZJStxSjca3w1xWiva0BObKclyuV97moLa 9lNab/X/LUrM/3Be+5iR65eXYuKJ1wO/B0rGrll3p06JpTgj0VCLuag4EQDsqt4JLAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jJ4XgwmPtbcrfz3zCP5EhwqytVg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2017 23:09:30 -0000

When I brought RFCs 7591, 7592, and 7662 up through the finalization process, I learned that there are two camps out there on normative requirements in the security considerations section. Some like them, as long as they don’t contradict requirements/advice in previous sections, and some don’t like them, preferring all normative material be in the “body” of the spec itself. I was given the impression that it was more of a stylistic choice than anything, but I can only speak from my personal experience.

 — Justin

> On Feb 21, 2017, at 3:17 PM, William Denniss <wdenniss@google.com> wrote:
> 
> The only real requirement in that section I guess is the use of PKCE (8.2).  That requirement could be moved to the body of the doc, while keeping the longer discussing around code interception in the security considerations.  To me the remaining text are indeed security best practices / clarifications.
> 
> Other OAuth WG RFCs have requirement level capitalization in the Security Section like RFC7591. I always assumed these were best-practice security requirements. But if the style is really not to do this, the requirement level capitalization could be dropped from that section in the native apps BCP.
> 
> On Tue, Feb 21, 2017 at 12:50 AM, Denis <denis.ietf@free.fr <mailto:denis.ietf@free.fr>> wrote:
> 
> I don't think it's normal to have normative text in the Security Considerations, hence I support Samuel's position.
> 
> Let us look at the first MUST from RFC 6749 in the Security Considerations section:
>    The authorization server MUST authenticate the client whenever possible.
> 
> This sentence is incorrect. The right sentence should be :
> 
>    The authorization server should authenticate the client whenever possible.
> 
> RFC 6749 is not an example to follow.
> 
> Denis 
> 
>> I do think it's normal to have normative text in the Security Considerations.  RFC6749 has a lengthy Security Considerations section <https://tools.ietf.org/html/rfc6749#section-10> with a lot of normative text.
>> 
>> Think of it this way: Sections 4 to 7 describe how to use native app URI schemes to perform OAuth flows from the app to browser and back. If you only read those sections, you could have a functioning (but potentially insecure) OAuth flow in a native app. The security section adds some security requirements and clarifications for implementing Sections 4-7, like using PKCE, and more.
>> 
>> Reviewing sub-section by sub-section:
>> 
>> 8.1 Definitely belongs here, as the the whole BCP is about native-app URI schemes, whereas doing OAuth in a WebView doesn't need those (as the client can just pluck out the code from any redirect URI)
>> 8.2 Requires that servers who want to follow the native apps BCP support PKCE, and recommends that they reject requests from clients who don't.  This *could* be in the main doc, but since PKCE is an existing thing, and is purely additive from a security perspective, I think this reference works fine. Originally I talked about PKCE more in the doc body, but some reviewers thought it was then a little duplicative of the PKCE doc itself.
>> 8.3 This reads like classic security considerations to me, clarifying some details of 7.3
>> 8.4 Part of this reads a little new-ish, regarding distinguishing native clients from web ones. But on review, I think could just be re-worded to reference RFC6749 Section 2.1.
>> 8.5 This one belongs where it is since the body of the BCP is talking about the code flow.
>> 8.6 Totally belongs.
>> 8.7 to 8.11 belong IMO, they are security clarifications of long-standing topics. 
>> 
>> My methodology when reviewing this was: is the text introducing a new topic directly related to native apps or sections 4-7, or does it discuss an old security topic in the context of native apps, or add security related discussions of the content in 4-7. Of all those, I really only see a bit of new topic related to native apps in 8.4, and in actual fact it that sub-section should probably be reworded since RFC6749 already establishes the public client type, which native apps are and a reference would be more appropriate (which would reduce it to just clarifying an old topic).
>> 
>> What do you think of this analysis? Do you have any specific sections or text you feel are better suited in the document body?  I will take an action item to revise section 8.4.
>> 
>> On Mon, Feb 20, 2017 at 9:57 PM, Samuel Erdtman <samuel@erdtman.se <mailto:samuel@erdtman.se>> wrote:
>> Hi,
>> 
>> I just had a question on best practice. In this document a large part of the normative text is located under Security Considerations.
>> 
>> I had previously seen Security Considerations as things to think about when implementing not so much as MUSTs and MUST NOTs.
>> 
>> I think it is okay to have it this way but it surprised me a bit and wanted to ask if there is any best practice for the Security Considerations section saying what type of information it should include.
>> 
>> Best Regards
>> Samuel Erdtman
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email