IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Thu, 16 October 2014 15:30 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1A81A1BD6; Thu, 16 Oct 2014 08:30:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9KOOoT7pJ6Vj; Thu, 16 Oct 2014 08:30:24 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0749.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::749]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70091A1BD1; Thu, 16 Oct 2014 08:30:23 -0700 (PDT)
Received: from CO2PR03CA0043.namprd03.prod.outlook.com (10.141.194.170) by DM2PR03MB399.namprd03.prod.outlook.com (10.141.84.148) with Microsoft SMTP Server (TLS) id 15.0.1049.19; Thu, 16 Oct 2014 15:30:01 +0000
Received: from BN1AFFO11FD005.protection.gbl (2a01:111:f400:7c10::153) by CO2PR03CA0043.outlook.office365.com (2a01:111:e400:1414::42) with Microsoft SMTP Server (TLS) id 15.0.1054.13 via Frontend Transport; Thu, 16 Oct 2014 15:30:00 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD005.mail.protection.outlook.com (10.58.52.65) with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Thu, 16 Oct 2014 15:29:59 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.93]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.03.0210.003; Thu, 16 Oct 2014 15:29:45 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, The IESG <iesg@ietf.org>
Thread-Topic: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
Thread-Index: AQHP6PPyEQ0Qm5p8FUevm57Q8TXNpZwy2Jrw
Date: Thu, 16 Oct 2014 15:29:44 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439BB13261@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com>
In-Reply-To: <20141016034735.18695.61014.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(189002)(199003)(13464003)(377454003)(51704005)(52044002)(76482002)(80022003)(46102003)(97736003)(230783001)(85806002)(77096002)(2656002)(26826002)(92726001)(86362001)(85306004)(23726002)(86612001)(21056001)(33656002)(66066001)(15202345003)(46406003)(87936001)(4396001)(85852003)(81156004)(106466001)(107046002)(106116001)(95666004)(15975445006)(68736004)(69596002)(84676001)(97756001)(120916001)(92566001)(50466002)(76176999)(54356999)(55846006)(19580395003)(47776003)(20776003)(99396003)(31966008)(64706001)(50986999)(104016003)(44976005)(6806004)(19580405001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR03MB399; H:mail.microsoft.com; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR03MB399;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 036614DD9C
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kQsUDEe1xURo-fbs9zzpiGWmQos
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 15:30:26 -0000

Thanks for your review, Richard.  I'm replying to your DISCUSS about the audience being required below...

				-- Mike

> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> Sent: Wednesday, October 15, 2014 8:48 PM
> To: The IESG
> Cc: draft-ietf-oauth-assertions@tools.ietf.org; oauth-chairs@tools.ietf.org;
> oauth@ietf.org
> Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17:
> (with DISCUSS and COMMENT)
> 
> Richard Barnes has entered the following ballot position for
> draft-ietf-oauth-assertions-17: Discuss
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> "The assertion MUST contain an Audience that identifies the Authorization
> Server as the intended audience.  Assertions that do not identify the
> Authorization Server as an intended audience MUST be rejected."
> 
> Could you please identify the threat model within which this "MUST" is required?
> This requirement doesn't follow from any of the threats elaborated in Section 8.

Sure, this is to prevent a legitimate assertion intended for one authorization server being captured by the attacker and sent to a different authorization server.  Unless there's an audience for the authorization server to check, there's no way for the authorization server to reject assertions intended to be used by a different server.  Using the audience is the normal way to prevent this attack.

> The Audience is only necessary if the Issuer wishes to constrain the set of
> Authorization Servers with which an assertion may be used.  So ISTM that this
> should be "MAY contain..."

Constraining the set to the intended server is basic to the security guarantees.  If I can take a server intended for server1 and get server2 to accept it, all security bets are off.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> "keyed message digest" -> "Message Authentication Code"
> 
> That's the proper terminology [RFC4949], especially since there are MACs that
> are not based on digests.
> 
> "This mechanism provides additional security properties." -- Please delete this or
> elaborate on what security properties it provides.
> 
> Section 8.2 should note that "Holder-of-Key Assertions" are also a mitigation for
> this risk.
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email