IETF Logo Mail Archive

Re: [OAUTH-WG] Comments on ietf-oauth-dpop

Brian Campbell <bcampbell@pingidentity.com> Wed, 23 March 2022 15:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 490D93A1732 for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 08:17:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id szAusBxdfTOQ for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 08:17:43 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81DE13A1443 for <oauth@ietf.org>; Wed, 23 Mar 2022 08:17:43 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id z8so1952097oix.3 for <oauth@ietf.org>; Wed, 23 Mar 2022 08:17:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1GLR4Gzpl+Vbmb8XE8PyiiD9w4czN0t7GVtT7pAOpwI=; b=CmGQf8X9MY1UslV67M/OZcDY6zSdeYQa6R1SlOYbFAbP5/eSrAbqkIKfgxhCLVHbhA /+Czx+Kx4IXffNZJSfNzj2Ks7yzDL7aXeWw2m03rBQgO30pfKQZuP4Zqo1w3P8vGnuWP uVHIxetACXL2yJE62tKbbNJFwHUklD9sYpAGD7bMwGjH3yTg63UhoPOEoVBnszYakBq5 STsCKZn6hsnW6vrGG4gNmkDwZDqtoPJbB8b05Goitk0hTkGdWbIy+zgw13sGl3bWQUX8 iD93EgeBWBjLLBQAPG7CqF7uyBbetxpcU7/XFzaEVFdkyHcbv2dK8wsIK6oWGUvsKRrL 4O3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1GLR4Gzpl+Vbmb8XE8PyiiD9w4czN0t7GVtT7pAOpwI=; b=N8ooD5yVx8/AdkH115bVcXbgOa6dL/YXEGaesVp6ya5QkzkJoCRuoR9DnhiJd70K3K oFXW2vo4tbiG9QlWzc55+Hlczk8ezVxpM0FdEAh/UXRQ6+K2rbaO6PUdKQ9w5s2lEnyZ Jq8dQuchL6ZoT02NLiCEqS7b5QYQgRYSi8uo7k0EZssIUubjPy5PEinzEXrh86mFbSg9 +OTcaoXsfYnsMBBdZCl9niHxlc/mwwL3s1G464GUHZn8YuWiYbfTQnk8OWOexSA/0Ldk I6cAxB4zXRx5wg6LeaEKLkDRXJ6HMkFDhDUC58GtzzuyQhj+TpoN3dw3rn7D7Iehj36d 03Ww==
X-Gm-Message-State: AOAM5326gaqNfQ+zFYt0CH/vDwWdmgpEvTPtITbYOJBct/y1MKuzCPMD 36juuWwfVlCxL75zVp0TuHaJD5RYfatQNvZCLQ6/c+vfdsMjMaQXgTUc+EsMNzrqLZj1l9SXMNB Cn2NG4foEqe2G7b1sdBATBpDR
X-Google-Smtp-Source: ABdhPJyHTEs5WmDwZKs6qNsH347V4sIPJOR/N22BOQruH5YB/YFKdYSO/27d/odoJLPTLz6KcIK2KThXMaCGSJFQxJk=
X-Received: by 2002:a05:6808:58:b0:2ee:f54e:65fe with SMTP id v24-20020a056808005800b002eef54e65femr271732oic.52.1648048662314; Wed, 23 Mar 2022 08:17:42 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
In-Reply-To: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 23 Mar 2022 16:17:15 +0100
Message-ID: <CA+k3eCTe_+U-ssCmXhtc9SPGti+xC7wHZbnneef3xQjtR=Dixg@mail.gmail.com>
To: Rohan Mahy <rohan.mahy=40wire.com@dmarc.ietf.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000017198605dae43ba4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jPhL22Kv1ZCHt_LvIcFRY-GNOK8>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 15:17:48 -0000

Thanks Rohan,

Pre-generating a proof requires the ability to execute code on the client,
which is already a problematic situation where other (arguably more)
serious attacks are possible. Such as driving a whole attack directly from
the client. The draft aims to give servers the option to use a nonce but
not push it too much or overstate its protections.

The vagueness around lifetimes is somewhat intentional. At one point the
document (maybe aspirationally) had something like 'no more than a few
seconds' but there was some push-back that it was unrealistically short to
accommodate real world client clock skew. I'm not sure the draft can make a
much more concrete recommendation as I think it really is something that
has tradeoffs and will be implementation/deployment specific. Perhaps
something like, "(on the order of seconds or minutes)" could be added as a
qualifier around lifetime leniency? That maybe gives a general idea of what
is acceptable and/or relatively brief without being overly prescriptive.
I'm quite hesitant to say anything more specific.

An access token and its "ath" hash value are shown as part of the examples
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-12 and
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#figure-13
respectively. Perhaps it'd be worthwhile to more explicitly mention the
relationship between the two examples? I think I did the calculations
correctly but anyone double checking that work would be welcome. The
sentence in sec 4.3 step 11 is already pretty darn verbose - probably too
much so. I think breaking it up would probably be a better way to make it
more clear.

The MIME type registration will be in the next revision
https://mailarchive.ietf.org/arch/msg/oauth/Vj24ZXU4UuG6Rr04U1Cdrz2rx3o/

I'll work those nits and fix things up as appropriate.






On Tue, Mar 22, 2022 at 4:24 PM Rohan Mahy <rohan.mahy=
40wire.com@dmarc.ietf.org> wrote:

> Hi,
> Here are some comments on draft-ietf-oauth-dpop-06:
>
> 1) With such a significant attack possible as DPoP proof pre-generation,
> why isn't using the server nonce a SHOULD? Preventing a significant attack
> and making lifetime handling sane are two excellent reasons to use a server
> nonce. If an implementation has a good reason to not use a server nonce, we
> can give guidance about what additional steps the implementation needs to
> take.
>
> 2) The handling of lifetimes of DPoP proofs is vague: "acceptable
> timeframe" (Section 4.3), "relatively brief period" (Section 11.1). Is that
> 1 day,15 minutes, or 30 seconds?
> The normative text in the two sections seem contradictory.
> I think you need a lifetime parameter if a server nonce isn't included, or
> just pick a number (5 minutes?).
>
> 3) I had a similar thought to Nicolas Mora about including other
> assertions/tokens. There should be a way to chain, include, or reference
> other OAuth assertions and bind them somehow with the DPoP. This will be a
> common and important model.
>
> 4. Right now you describe the access token hash before describing the
> access token itself. I think it would be very useful to show the a worked
> example of an access token and then its hash used subsequently. Also
> Section 4.3 step 11 feels like a circular description. Please rewrite more
> verbosely to be clearer:
> Currently:
> "when presented to a protected resource in conjunction with an access
> token, ensure that the value of the ath claim equals the hash of that
> access token and confirm that the public key to which the access token is
> bound matches the public key from the DPoP proof."
>
> 5. Re: IANA registration of the MIME type. TL;DR: Just register
> application/dpop+jwt.
> Long version: The semantics of the thing you want to register is
> application/dpop. The first syntax you are defining is jwt. For example,
> iCalendar has three formats: text/calendar (iCal),
> application/calendar+json (jCal), and application/calendar+xml (xCal).
>
> NITS:
> - Spell out first use of acronyms: JWT, JWK, JWS, TLS, JOSE, PKCE,
> - Add reference to TLS, XSS, Crime/Heartbleed/BREACH/etc., HTTP, JOSE, on
> first use
> - First sentence of Section 2 (Objectives): add a comma (access tokens_,_
> by binding) to make it clear that "binding a token" is doing the preventing
> instead of the stealing in the sentence.
> - Section 2 para 5: s/XXS/XSS/
> - Maybe mention why you are using ASCII (7-bit) when the charset in the
> examples is UTF-8.
>
> I hope these comments are useful.
> Many thanks,
> -rohan
>
>
> *Rohan Mahy  *l  Vice President Engineering, Architecture
>
> Chat: @rohan_wire on Wire
>
>
>
> Wire <https://wire.com/en/download/> - Secure team messaging.
>
> *Zeta Project Germany GmbH  *l  Rosenthaler Straße 40,
> <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>10178
> Berlin,
> <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>
> Germany
> <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>
>
> Geschäftsführer/Managing Director: Morten J. Broegger
>
> HRB 149847 beim Handelsregister Charlottenburg, Berlin
>
> VAT-ID DE288748675
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email