Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 November 2019 02:25 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <1FA4D2C5-AE20-4A24-B5A3-2B7B55529C23@lodderstedt.net>
Date: Tue, 19 Nov 2019 10:25:34 +0800
In-Reply-To: <CAPHqeLeA00FwSLv-ry7pCKguS+4RfnOC-PEBh6t4eoTU_GbY-Q@mail.gmail.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Vineet Banga <vineetbanga@google.com>
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAPHqeLd4szopBOVFUyThhx5X7bW2izB+nPKCzZ+1b5efB3wF_g@mail.gmail.com> <3FE840EE-9261-414E-8AB7-B75BD8BA6F86@lodderstedt.net> <CAPHqeLeA00FwSLv-ry7pCKguS+4RfnOC-PEBh6t4eoTU_GbY-Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jsXquSyHQut54q0eHF4DoVIQ42U>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"


> On 17. Nov 2019, at 05:42, Vineet Banga <vineetbanga@google.com> wrote:
> 
> 
> On Fri, Nov 15, 2019 at 11:51 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> >> On 16. Nov 2019, at 02:07, Vineet Banga <vineetbanga=40google.com@dmarc.ietf.org> wrote:
> >> 
> >> Just one comment/question at the moment:
> > > 3.1.1 - Is there any recommendation around leveraging state vs using multiple URIs (with exact match) to remember the application state of the client? I have seen exploding lists of registered redirect URIs, but am not aware of any security issues around this usage. But would like to check if there are any opinions on this matter..
> 
> > The BCP recommends transaction-specific one-time-use state values for CSRF prevention. To achieve the same protection level with redirect URIs and exact match, one would need to register per-transaction redirect URI values.
> 
> > Do your redirect URIs meet those requirements?
> No. I think the options are using state purely for CSRF, or using [I-D.bradley-oauth-jwt-encoded-state], which is called out in the BCP. An encoded JWT can be used to limit the number of redirect URIs.

So you are saying "state" is used for CSRF. Then what is the rationale of your original question? To move towards application state encoded in redirect URIs?
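As an added illustration of the two approaches discussed above (it is not code from this thread or from the BCP), the following Python sketch of an OAuth client's transaction store shows both a one-time, session-bound opaque state and a signed JWT-encoded state in the spirit of [I-D.bradley-oauth-jwt-encoded-state]. The class name, the in-memory store and the HS256 key are assumptions; the claim names rfp and target_link_uri follow that draft.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class OAuthClientSessions:
    # Assumed in-memory store of pending authorization transactions, keyed by
    # browser session; each one is accepted by the callback handler exactly once.
    def __init__(self, key: bytes):
        self.key = key      # HMAC key for the JWT-encoded state variant
        self.pending = {}   # (session_id, state or nonce) -> application state

    # Variant 1: opaque one-time state; the return path stays server-side.
    def begin(self, session_id: str, return_to: str) -> str:
        state = secrets.token_urlsafe(32)
        self.pending[(session_id, state)] = return_to
        return state

    def finish(self, session_id: str, state: str):
        # pop() makes the state single-use: replayed, foreign-session or
        # unknown states all yield None.
        return self.pending.pop((session_id, state), None)

    # Variant 2: JWT-encoded state (HS256) carrying the application state,
    # still bound to the session through the per-transaction "rfp" nonce.
    def begin_jwt(self, session_id: str, return_to: str) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending[(session_id, nonce)] = True
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"rfp": nonce, "target_link_uri": return_to, "exp": int(time.time()) + 600}
        payload = b64url(json.dumps(claims).encode())
        mac = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256)
        return f"{header}.{payload}.{b64url(mac.digest())}"

    def finish_jwt(self, session_id: str, state: str):
        parts = state.split(".")
        if len(parts) != 3:
            return None
        header, payload, sig = parts
        # The verifier fixes the MAC algorithm itself; the header's alg is ignored.
        mac = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256)
        if not hmac.compare_digest(b64url(mac.digest()), sig):
            return None
        claims = json.loads(b64url_decode(payload))
        if claims.get("exp", 0) < time.time():
            return None
        # The JWT alone is not enough: the calling session must own the nonce.
        if self.pending.pop((session_id, claims.get("rfp")), None) is None:
            return None
        return claims.get("target_link_uri")
```

In both variants the value is bound to the browser session and consumed on first use, which is what makes a single registered redirect URI sufficient for CSRF protection.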

> > 
> > On Wed, Nov 6, 2019 at 12:27 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> > Hi all,
> > 
> > this is a working group last call for "OAuth 2.0 Security Best Current Practice".
> > 
> > Here is the document:
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> > 
> > Please send you comments to the OAuth mailing list by Nov. 27, 2019.
> > (We use a three week WGLC because of the IETF meeting.)
> > 
> > Ciao
> > Hannes & Rifaat
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth