[OAUTH-WG] Review of draft-ietf-oauth-pop-architecture
Derek Atkins <derek@ihtfp.com> Fri, 10 July 2015 20:48 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33EA21A00F9 for <oauth@ietfa.amsl.com>; Fri, 10 Jul 2015 13:48:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYcLpeFb3DaB for <oauth@ietfa.amsl.com>; Fri, 10 Jul 2015 13:48:45 -0700 (PDT)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3EE11A0093 for <oauth@ietf.org>; Fri, 10 Jul 2015 13:48:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 81AD9E2035 for <oauth@ietf.org>; Fri, 10 Jul 2015 16:48:44 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 05441-08 for <oauth@ietf.org>; Fri, 10 Jul 2015 16:48:43 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 2BBFBE2034 for <oauth@ietf.org>; Fri, 10 Jul 2015 16:48:43 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1436561323; bh=tM1RJNTqQgw8eJkSVT6FGCYvbLoqA3cD1ire2LGDIjY=; h=From:To:Subject:Date; b=Tn5couYGANyNbD6D/Tc9kh6Uzu3AYspT3UVkls9yY4x9o/jTo5he+ZV2d7HeKAbC3 LkyUx2InIAraFekO4/+p6ioXA8W05wljYJ1Ov3FQiNmPbFeS94ggVDATFt0TSV09QA xLjL22nZJGYKmNESdmLWc0HX79GX/rfyvW38TByI=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id t6AKmgNI028507; Fri, 10 Jul 2015 16:48:42 -0400
From: Derek Atkins <derek@ihtfp.com>
To: oauth@ietf.org
Date: Fri, 10 Jul 2015 16:48:42 -0400
Message-ID: <sjm8uan7n85.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/m8H3pZ4QqSU-atrtlPL9VVR_1pk>
Subject: [OAUTH-WG] Review of draft-ietf-oauth-pop-architecture
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 20:48:47 -0000
Hi,
In performing my shephard review of draft-ietf-oauth-pop-architecture I
found one issue that was bugging me: you talk about target naming "too
late" in the draft. I.e., as I was reading through section 3.1 about
token reuse I think it doesn't have enough detail about how you would
prevent server A asking the client for a token for a resource of server
B, and then server A acting as the client for server B? I.e., how do
you prevent server A acting as a MITM between the client and server B?
(This is sort of the same question that resulted in TLS channel
bindings).
I know this target (scope) protection exists, and it's even discussed a
bit later in the document but it's not even mentioned as a possible
threat in 3.1, which seems like a glaring ommission.
I'll create a more formal shephard review but I'd suggest some
additional text to at least mention this threat in 3.1; you can provide
a pointer to the protections then, too.
-derek
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant