Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-15.txt

Denis <denis.ietf@free.fr> Tue, 05 May 2020 15:20 UTC

To: oauth@ietf.org
References: <158608868945.18323.557347538112056951@ietfa.amsl.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <51f42eb9-9f6a-6fb1-e01e-2bba7688bcb9@free.fr>
Date: Tue, 05 May 2020 17:19:54 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jzKWz8vfOjTKf9EErvf2ftsnkkg>

Comments on draft-ietf-oauth-security-topics-15

1) Historically, the acronym RO (Resource Owner) has been used, and it is still used in this document. Since a client is no longer necessarily an RO, it would be more adequate to use the word "Client" instead of "RO" in this document.

2) The structure of the document is the following:

1.Introduction
2.Recommendations
3.The Updated OAuth 2.0 Attacker Model

It is rather odd to have recommendations placed before the Attacker Model. Before providing solutions to some problems, it is important to understand what the problems are. The Updated OAuth 2.0 Attacker Model should be placed after the introduction.

The "most important recommendations of the OAuth working group for every OAuth implementor" should be placed after the "Attacks and Mitigations" section.

3) The "_Updated_ OAuth 2.0 Attacker Model" is supposed to have been "updated to account for the potentially _dynamic relationships involving multiple parties_". However, it still fails to address the case of _dynamic relationships between clients_, which include scenarios of _collaborative clients_.

Such a collaboration between clients is possible and should be considered in the "updated model". Since the OAuth 2.0 protocol may be used by clients which are human beings, it cannot be assumed that all the human beings in the world will necessarily be honest. Whether or not OAuth 2.0 is able to counter such an attack is another issue.

The collaborative attack should be added to this "updated" model. It was missing in the previous model.

In another section, it should be mentioned that OAuth 2.0 is unable to counter such an attack. Stating that such an attack is "out of the scope" of OAuth 2.0 would not be an appropriate statement.

It should not be forgotten that the purpose of this document is to inform the reader about _all_ the relevant security issues.

Denis

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : OAuth 2.0 Security Best Current Practice
>          Authors         : Torsten Lodderstedt
>                            John Bradley
>                            Andrey Labunets
>                            Daniel Fett
>          Filename        : draft-ietf-oauth-security-topics-15.txt
>          Pages           : 46
>          Date            : 2020-04-05
>
> Abstract:
>     This document describes best current security practice for OAuth 2.0.
>     It updates and extends the OAuth 2.0 Security Threat Model to
>     incorporate practical experiences gathered since OAuth 2.0 was
>     published and covers new threats relevant due to the broader
>     application of OAuth 2.0.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-15
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-15
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth