IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 08 October 2021 21:04 UTC

Return-Path: <prvs=9087326c9=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBB4A3A0970 for <oauth@ietfa.amsl.com>; Fri, 8 Oct 2021 14:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.037
X-Spam-Level:
X-Spam-Status: No, score=-10.037 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYlX-GP7vvrZ for <oauth@ietfa.amsl.com>; Fri, 8 Oct 2021 14:04:10 -0700 (PDT)
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 897733A0E3A for <oauth@ietf.org>; Fri, 8 Oct 2021 14:02:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1633726965; x=1665262965; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=KrEiisfQFd+WQ1yln57NYkpj+1jW6dpzTSEW/L3LJ9M=; b=obbl25Da5/pjkC05UWwLyFwGp1s/J4Z3yZDptW6VAxJCcam8wwMxINKk sB6xrJZpGoZYOpDivLN6e4DA+HU1tea3KLrUZbD2pAAk+hF91bfV5tYSo Hx8qfLOdSosvogk1Op7nLYe4IYkvo6l7t7qC21sZhfk8OhE8pT6peI3Is k=;
X-IronPort-AV: E=Sophos;i="5.85,358,1624320000"; d="scan'208,217";a="146483229"
Thread-Topic: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-pdx-2a-39fdda15.us-west-2.amazon.com) ([10.43.8.2]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP; 08 Oct 2021 21:02:36 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-pdx-2a-39fdda15.us-west-2.amazon.com (Postfix) with ESMTPS id 50815421A9; Fri, 8 Oct 2021 21:02:33 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Fri, 8 Oct 2021 21:02:33 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Fri, 8 Oct 2021 21:02:32 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.023; Fri, 8 Oct 2021 21:02:32 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
CC: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Index: AQHXuvWVTQTkcIrcmUG+kwSuqkjn9qvGdXKAgAABUwCAAANnAIAAARQAgAAGkQCAAAHwAIAAuqMAgAASLgCAAkPsgIAAAmmAgAACzQA=
Date: Fri, 08 Oct 2021 21:02:32 +0000
Message-ID: <1CFD97B8-CB10-4DC1-961C-DB30E40165EA@amazon.com>
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <3e3ca312-6c03-d3ea-cf6f-e13ba22a9545@free.fr> <CAJot-L38FOvT2do2H1jUCbYUE3ERExh=OJKEiJtm5sqXitFHkg@mail.gmail.com> <E28FA216-3010-4C71-8296-A761C5E89257@amazon.com> <CAJot-L1TZxRS1hHjvF3wBxX29CzShzqeAZSsvfpCR3NYyV=fXA@mail.gmail.com>
In-Reply-To: <CAJot-L1TZxRS1hHjvF3wBxX29CzShzqeAZSsvfpCR3NYyV=fXA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.147]
Content-Type: multipart/alternative; boundary="_000_1CFD97B8CB104DC1961CDB30E40165EAamazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lAic1U_TpyaxWuXK0hpCyAn17MQ>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2021 21:04:16 -0000

Working Group discussions need to happen in Working Group spaces. Generally speaking, that means the mailing list.

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>




On Oct 8, 2021, at 1:52 PM, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org<mailto:wparad=40rhosys.ch@dmarc.ietf.org>> wrote:


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


I think there are a bunch of different conversations happening here at the same time. Individual responses arguing for/against others in the WG isn't going to be productive over email. If the goal is to convince everyone that there are merits despite the objections, then tracking those objections and current discussion in another form is going to be necessary. (I recommend a github repository, with separate issues)

We at least need to group the types of discussions we are having and then list them out in the order of priority before continuing. We can't be arguing against individual points in this manner and expect a good outcome.

[https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA]

Warren Parad
Founder, CTO

Secure your user data with IAM authorization as a service. Implement Authress<https://authress.io/>.


On Fri, Oct 8, 2021 at 10:44 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:
We need to come up with a better argument such as: This allows a client to reduce use of the token to a smaller window to where the signature is also valid.

We have one: prevent unauthorized parties from using access tokens. Since a client's signing key never needs to leave the client's system, requiring a signature over the `Authorization` header raises the bar from "read an access token out of a server log" to "compromise the client itself." Additionally, Message Signatures defines an optional `nonce` parameter that can be used by the recipient of the message to enforce one-time usage of a signature, meaning that a signature cannot be replayed in another request, even if the signed message components are the same as in the original request.


 I reject the use of an additional header to transmit additional authorization information. Due to the nature of this information may be conveyed and stored throughout a number of systems which would all need access to this complexity. As headers and authorization evolves the introduction and replacement of existing headers provides additional security vulnerabilities.

I'm not sure I follow the concern here. I agree that this adds complexity. While there are many use cases for which this complexity/security tradeoff is worth it, this will not be the case for every OAuth 2.0 deployment out there.


The draft does not support multiple clients with access to the access token who all should be able to provide different client signatures and all be verifiable by the RS.

Access tokens are not intended to be used by multiple clients. They may be used by multiple hosts/devices, for example if the client is a distributed system running on multiple hosts. Different hosts within such a client could use different keys, provided they are all identified in the JWKS the client registers with the AS.


This forces the RS to lookup two pieces of information in the case of signed JWTs, the JWKs from the AS and the JWKs from the client

Yes, however this could be changed. For example, the AS could embed the client's public key in the access token JWT, so the RS only has to retrieve the AS key. That comes with its own set of tradeoffs, but this is likely not the only solution – it's just the one I came up with while writing this email. :)

That's the thing about adopting a draft: once the Working Group adopts it, the Working Group gets to change it to cover all the use cases and requirements that the original author didn't think of. "The draft doesn't cover my use case" is really an argument for adoption.

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>




On Oct 7, 2021, at 3:08 AM, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org<mailto:wparad=40rhosys.ch@dmarc.ietf.org>> wrote:


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


I do not support adoption.

While I love the idea to be able to restrict the usage of the access token by the client, enabling longer expiry access tokens, and preventing usage to perform unexpected actions with that token, the reasons I do not support the adoption are as follows:

* The draft depends on another draft and personally not one that I even agree with. Saying that the "draft is officially adopted" doesn't justify depending on it.
* I reject the use of an additional header to transmit additional authorization information. Due to the nature of this information may be conveyed and stored throughout a number of systems which would all need access to this complexity. As headers and authorization evolves the introduction and replacement of existing headers provides additional security vulnerabilities.
* The draft does not support multiple clients with access to the access token who all should be able to provide different client signatures and all be verifiable by the RS.
* This forces the RS to lookup two pieces of information in the case of signed JWTs, the JWKs from the AS and the JWKs from the client
* The argument in the introduction is flawed

Bearer tokens are simple to implement but also have the significant security downside of allowing anyone who sees the access token to use that token.

This is not a complete argument because I can replace the words in the sentence and justify that HTTPSig should never be used by the same argument:
HTTPSig tokens are incredibly complex to implement but also have the significant security downside of allowing anyone who sees the access token and signature to use that token.

We need to come up with a better argument such as: This allows a client to reduce use of the token to a smaller window to where the signature is also valid.
That would allow us to better focus on the value that the RFC would provide, rather than getting stuck with arbitrary implementation of another RFC draft as it would apply to OAuth.



[https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA]

Warren Parad
Founder, CTO

Secure your user data with IAM authorization as a service. Implement Authress<https://authress.io/>.


On Thu, Oct 7, 2021 at 11:03 AM Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>> wrote:
I am not supportive of adoption of this document by the WG at this time.

As I said during the last interim meeting, at this time, there is no security considerations section, nor a privacy considerations section.

The current draft describes a mechanism but does not state how the signing key will be established and / or come from.

>From a security considerations point of view, if the client has the control of the private key, it might be able to voluntary transmit
the private key to another client in order to mount a client collaborative attack. If the client is unable to transmit the private key
to another client in order to mount a collaborative attack, it might be able to perform all the cryptographic computations that
the other client needs. It is important to state which protections (or detection) features will be obtained as well as which protections
(or detection) features will not be obtained. A top-down approach is currently missing.

>From a privacy considerations point of view, if the same public key is used to sign the messages whatever the RS is, this will allow
different RSs to link the requests from the same client. It is important to state which protections (or detection) features will be obtained
as well as which protections (or detection) features will not be obtained.

Let us wait to have both the security considerations section and the privacy considerations section written,
before adopting this draft as a WG document.

Denis

Remember token binding? It was a stable draft. The OAuth WG spent a bunch of cycles building on top of token binding, but token binding did not get deployed, so no token binding for OAuth.

As I mentioned, I think Justin and Annabelle (and anyone else interested) can influence HTTP Sig to cover OAuth use cases.

/Dick

[X]ᐧ

On Wed, Oct 6, 2021 at 2:48 PM Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote:
This actually seems like a great time for the OAuth group to start working on this more closely given the relative stability of this draft as well as the fact that it is not yet an RFC. This is a perfect time to be able to influence the draft if needed, rather than wait for it to be finalized and then have to find a less-than-ideal workaround for something unforeseen.

Aaron

On Wed, Oct 6, 2021 at 2:25 PM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
I meant it is not yet adopted as an RFC.

To be clear, I think you are doing great work on the HTTP Sig doc, and a number of concerns I have with HTTP signing have been addressed => I just think that doing work in the OAuth WG on a moving and unproven draft in the HTTP WG is not a good use of resources in the OAuth WG at this time.


[X]ᐧ

On Wed, Oct 6, 2021 at 2:20 PM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
> HTTP Sig looks very promising, but it has not been adopted as a draft

Just to be clear, the HTTP Sig draft is an official adopted document of the HTTP Working Group since about a year ago. I would not have suggested we depend on it for a document within this WG otherwise.

 — Justin

On Oct 6, 2021, at 5:08 PM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:

I am not supportive of adoption of this document at this time.

I am supportive of the concepts in the document. Building upon existing, widely used, proven security mechanisms gives us better security.

HTTP Sig looks very promising, but it has not been adopted as a draft, and as far as I know, it is not widely deployed.

We should wait to do work on extending HTTP Sig for OAuth until it has stabilized and proven itself in the field. We have more than enough work to do in the WG now, and having yet-another PoP mechanism is more likely to confuse the community at this time.

An argument to adopt the draft would be to ensure HTTP Sig can be used in OAuth.
Given Justin and Annabelle are also part of the OAuth community, I'm sure they will be considering how HTTP Sig can apply to OAuth, so the overlap is serving us already.

/Dick


[X]ᐧ

On Wed, Oct 6, 2021 at 2:04 PM Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote:
I support adoption of this document.

- Aaron

On Wed, Oct 6, 2021 at 2:02 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com<mailto:rifaat.s.ietf@gmail.com>> wrote:
All,

As a followup on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please, provide your feedback on the mailing list by October 20th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth




_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email