Re: [OAUTH-WG] Signed JWK Sets
John Zila <john@jzila.com> Wed, 17 April 2024 17:43 UTC
Return-Path: <john@jzila.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86000C14F5F9 for <oauth@ietfa.amsl.com>; Wed, 17 Apr 2024 10:43:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jzila-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd7HCRYbXSPJ for <oauth@ietfa.amsl.com>; Wed, 17 Apr 2024 10:43:07 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0ACEBC14F5F6 for <oauth@ietf.org>; Wed, 17 Apr 2024 10:43:00 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id 41be03b00d2f7-5dca1efad59so4096824a12.2 for <oauth@ietf.org>; Wed, 17 Apr 2024 10:43:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jzila-com.20230601.gappssmtp.com; s=20230601; t=1713375780; x=1713980580; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=LOwKjr6jrn7iZ87VZUeSSEai/cLGc64iChq1PGu2Ttc=; b=vsIjhjueDi8zU4j1BqBaO7FLDAun/tT49ayfwgL+i2VlazahkeLPR3pf5s0dcXr3rj utynRWoiwFdypwItOPJ4z5G/RxD8qM6Spe7EXZ9yZi7xoTYS+6J9ZJ/nhKD6DHrV17iy J7GQtLE7bauu9YuGqDETq2kbbYbD3vBPQ+v2Np5EB2ZS0NBKsE+cPesgai9fuZvlMktO BSbfhvP278Q89BThfMIOfEHmAW5S96tZMfAcGGXskHKjTIxVpI4bXgzvXG8CWubW8JH6 fOt7/ot7AkoY+7I6J2wOGxo/oN8R33SJJ0QZ8K3IBvQTdXDVxgrPe58sDduYRWTTgP2M 06fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713375780; x=1713980580; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=LOwKjr6jrn7iZ87VZUeSSEai/cLGc64iChq1PGu2Ttc=; b=Cr6LnmABPku2YU5pZJUKqZAVUbg2gw8X/Akd8gxcd6e+sW+ivjH2tFIUbZgoJkguGV 8PuhwxhDtLIt/nglgbfsXvP7a0qEBTtLkJa+VtZWmqxAGt+OfEIR5CpBmT8ArqxVKZuL LZ2jzhwAkSn9P7IdcwgY8iyQ1uIsXKElVyc7dC97isVzh/A6UiGd0djQXjpsXr1NEVW2 07JXOU6LVgTwtd+3nrGJ5pEQXDDMLWNoC4B8FDbUglt5fY5CoQEUYon2hTV1htVsmBJ2 8gwtZH3iJLkv3qbbgxBz4gQINhATs4MdnCsb+A6y8XKSzN7d7HIFX76aixHkcG6eNTfP yonQ==
X-Gm-Message-State: AOJu0YxL9aA9fzqW+kgrmjdZF6Xsj13EUWjW2EP3Aqnh9vrlXUcnKmAX TqibYVGVENpGNtmWYbgUOwX6hWHyt9E6gvulfnO/ivka6EKN6965I/1Os0tctRppHfC5vg/23ui /7+rr6lD2dLWmvhcPrerTfXQp8XSLbye7s4OT91YjpEgBJZ1dTA==
X-Google-Smtp-Source: AGHT+IG3Lhk6mb7iw53ZHVe/M29mfXsMw7hL3f3cWhM5POgfRe4winYcx8yzheJoZRAVJU27YP39jXhTV71cRmCfemc=
X-Received: by 2002:a17:90a:c703:b0:2ab:926b:7401 with SMTP id o3-20020a17090ac70300b002ab926b7401mr66082pjt.34.1713375779634; Wed, 17 Apr 2024 10:42:59 -0700 (PDT)
MIME-Version: 1.0
From: John Zila <john@jzila.com>
Date: Wed, 17 Apr 2024 12:42:25 -0500
Message-ID: <CANhuC9Qa+jH-OhXJX0Fiyr4CZWfjiVm45cQ8m-ZekotQKqKmsw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b665ef06164e62da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lUAggVJE8gI7z6BZUmxlm8Zxdsc>
Subject: Re: [OAUTH-WG] Signed JWK Sets
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2024 17:43:09 -0000
On 11 Apr 2024, at 21:15, Neil Madden <neil.e.madden@gmail.com> wrote: > I'm still digesting this draft, and generally supportive of it. However, I don't think it stops the attack you mention here, which sounds similar to threats that Ryan Sleevi discussed for FastFed in [1]. Essentially, in the current OIDC model, an attacker that briefly compromises the jwks_uri of an OP (e.g. through a mis-issued TLS cert) can serve a JWK Set containing public keys under their own control with a long Cache-Control header. Clients then might blindly cache that key set even beyond the time when the certificate is revoked and the rightful owner restored. > > But I think this attack is basically the same even with PIKA. The attacker in this case just uses their mis-issued cert to sign the PIKA and serve that instead, perhaps putting a really long "exp" claim in it so that clients cache it for a really long time. The only thing that would stop that is if the draft insisted that clients regularly perform an OCSP or CRL lookup on the cert in the x5c chain to make sure it hasn't been revoked. But that would completely negate the benefits of avoiding clients all hitting the OP jwks_uri: we've just shifted the burden from the OP to the CA. I am also supportive of this draft. Chain of Trust is a real problem in JWT issuance, and it's nice to see a simple solution that addresses it. Regarding Neil's attack above, rather than requiring clients to separately do OCSP or CRL, you could envision an OCSP stapling-like approach that could include a signature over a timestamped PIKA as a "staple" in a JWT, which moves up the proof of issuer validity to the time of issuance of the JWT, rather than just the last time you retrieved the PIKA. If you see a new PIKA staple, you know you need to fetch again. If you see a staple for a PIKA you've already cached, then you know it hasn't been revoked. You could additionally layer this approach by stapling the PIKAs themselves, where the PIKA staples are periodically updated to assert continued validity of the signing certificate. With such a system, you can provide guarantees regarding validity latency down the entire signature chain. - John
- Re: [OAUTH-WG] Signed JWK Sets John Zila
- [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Michael Jones
- Re: [OAUTH-WG] Signed JWK Sets Michael Jones
- Re: [OAUTH-WG] Signed JWK Sets Watson Ladd
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Watson Ladd
- Re: [OAUTH-WG] Signed JWK Sets Joseph Salowey
- Re: [OAUTH-WG] Signed JWK Sets Orie Steele
- Re: [OAUTH-WG] Signed JWK Sets Richard Barnes
- Re: [OAUTH-WG] Signed JWK Sets Ethan Heilman
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Ethan Heilman
- Re: [OAUTH-WG] Signed JWK Sets Joseph Salowey
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Neil Madden
- Re: [OAUTH-WG] Signed JWK Sets Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Signed JWK Sets James Carnegie