Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

Denis <denis.ietf@free.fr> Tue, 01 December 2020 08:54 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E9B3A0DBB for <oauth@ietfa.amsl.com>; Tue, 1 Dec 2020 00:54:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PcZNZ8OuWjOB for <oauth@ietfa.amsl.com>; Tue, 1 Dec 2020 00:54:53 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp01.smtpout.orange.fr [80.12.242.123]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D79BD3A0D7C for <oauth@ietf.org>; Tue, 1 Dec 2020 00:54:52 -0800 (PST)
Received: from [192.168.1.11] ([90.91.135.71]) by mwinf5d48 with ME id ywuo2300a1Ybo4i03wuoQT; Tue, 01 Dec 2020 09:54:49 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 01 Dec 2020 09:54:49 +0100
X-ME-IP: 90.91.135.71
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
References: <CADNypP-ef3z6WJ1DDOBhmh0CN4kRK_VACkzFaCLVxA3zCoEx0A@mail.gmail.com> <1b584adf-14f9-ba2e-657d-f22b57d87675@free.fr> <CA+k3eCQ+QKWfW8RsutYk94LmeHR+NWwHmxWJRnXLkHkRHEER-w@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <4cb35c85-e13a-aabe-1e74-d6eb244189cf@free.fr>
Date: Tue, 1 Dec 2020 09:54:51 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQ+QKWfW8RsutYk94LmeHR+NWwHmxWJRnXLkHkRHEER-w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D4BEA02DB495EF05D9873A8E"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mkCOQjuPsWYBeCHGhjc4-4B_p1U>
Subject: Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2020 08:55:03 -0000

Hi  Brian,

> Hi Denis,
>
> The choice to use "iat" vs. "exp" was made in the summer of last year. 
> You can see some of the discussion from then in 
> https://github.com/danielfett/draft-dpop/issues/38 
> <https://github.com/danielfett/draft-dpop/issues/38>.
> I believe it pretty well has consensus at this point and thus unlikely 
> to be changed.

I fear that you misread my email or read it too fast. My point had 
nothing to do whether using *either *of "iat" *o**r* "exp" in the DPoP 
proof JWT sent by the client.

The first sentence of my email was: "One comment on slide 5 about the 
/time window/". So the topic was all about how the RS SHALL handle the 
"jti" claim included
in the DPoP proof JWT when using a time window.


> While I do believe there are reasonable arguments that can be made on 
> both sides of using either of "iat" or "exp", it's difficult (and 
> honestly time consuming and very frustrating) to try and have such 
> discussions or even respond in a coherent way when fundamental aspects 
> of the draft are misrepresented or misunderstood. For example, the 
> DPoP proof JWT is created by the client not the AS so the advantages 
> you put forward are nonsensical in the context of the actual workings 
> of the draft.

Section 8.1 addresses the topic of the /time window/, but this topic 
should not /only /be addressed in the "Security Considerations" section
but in the main body of the document, since some checks MUST be done by 
the RS. "Security Considerations"are intended to provide
explanations but are not intended to be normative.

Section 8.1 states:

    " If an adversary is able to get hold of a DPoP proof JWT, the 
adversary could replay that token at the same endpoint (the HTTP
    endpoint and method are enforced via the respective claims in the 
JWTs).  To prevent this, servers MUST only accept DPoP proofs
    for a limited time window after their "iat" time, preferably only 
for a relatively brief period.

    Servers SHOULD store, in the context of the request URI, the "jti" 
value of each DPoP proof for the time window in which the respective
    DPoP proof JWT would be accepted and decline HTTP requests to the 
same URI for which the "jti" value has been seen before.  In order
    to guard against memory exhaustion attacks a server SHOULD reject 
DPoP proof JWTs with unnecessarily large "jti" values or store only
    a hash thereof.

    (...) ".

The previous text makes the assumption that RSs MUST only accept DPoP 
proofs for a relatively brief period after their "iat" time included
in the DPoP proof JWT. This assumption is rather restrictive. A client 
might get an access token and associate it with DPoP proof JWT that
could be used during, e.g., 12 hours. A DPoP proof JWT/ access token JWT 
pair could thus be used by a client during, e.g., one day for
several sessions with a RS.

The /time window/ is currently left at the discretion of each RS and is 
supposed to be short (without stating explicitly what "short" may mean)..

It would be possible to mandate in the JWT the inclusion of the exp 
(Expiration Time) Claim. (I am _not_ advocating the inclusion of the "exp"
claim in the DPoP proof JWT).

In this way, for a RS, the /time window /would be defined using the 
"iat" claim defined in the DPoP proof JWT and the "exp" claim defined in
the JWT.

Such a description should not be done in section 8, but in a section 
earlier in the main body of the document.

This would have the following advantages:

  * The RS would be able to better manage the "jti" claim values,
    because it would be able to discard "jti" claim values as soon as
    they are
    outside the time window as defined above.

  * The client would know whether a DPoP proof JWT/ access token JWT
    pair is still usable, in particular using the "expires_in" status code
    returned in case of a successful response from the AS and is thus
    unlikely to get a rejection of both of them because of an unknown time
    window used by a RS.

Denis


>
> On Mon, Nov 30, 2020 at 8:45 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     One comment on slide 5 about the /time window/.
>
>     At the bottom, on the left, it is written: "Only valid for a
>     limited /time window/ relative to creation time".
>
>     While the creation time is defined by "iat", the /time window/ is
>     currently left at the discretion of each RS.
>
>     It would be preferable to mandate the inclusion in the JWT of the
>     exp (Expiration Time) Claim.
>     In this way, the /time window /would be defined by the AS using
>     both the "iat" and the "exp" claims.
>
>     This would have the following advantages:
>
>       * The client will know whether a token is still usable and is
>         unlikely to get a rejection of the token
>         because of an unknown time window defined by a RS.
>
>       * The RS is able to manage better the "jti" claim values,
>         because it will be able to discard "jti" claim values
>         as soon as they are outside the time window defined by the AS
>         in a JWT.
>
>     Denis
>
>
>>     All,
>>
>>     This is a reminder that we have an Interim meeting this Monday,
>>     Nov 30th @ 12:00pm ET, to discuss the latest with the *DPoP
>>     *document:
>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>     <https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/>
>>
>>     You can find the details of the meeting and the slides here:
>>     https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth
>>     <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth>
>>
>>     Regards,
>>      Rifaat & Hannes
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth  <https://www.ietf.org/mailman/listinfo/oauth>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited.  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./