Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> Fri, 25 August 2023 19:31 UTC

From: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>
Date: Sat, 26 Aug 2023 01:01:06 +0530
Message-ID: <CAODMz5FsmR7mxGuZk5=bOg4zP9PEAHhsWbnK7uvU_Q3ATKuc8g@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n0CtvtfORH_riv76xt_oWOXezYc>
Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

I do not support the adoption because of the following:

1. Increased Attack Surface and Information Disclosure: The proposed draft
inherently expands the attack surface by allowing the retrieval of detailed
information about the protected resources held with a particular resource
server, as outlined in section 3.1. We are inadvertently exposing the
resources supported by the protected resource server. The secondary URIs
which correspond to each of the protected resources further expand the
potential attack vectors. To illustrate, if a protected resource server
supports resources from 1 to 10, and a client requests metadata for all
these resources, it leads to 11 requests (1 + 10). This exposes a total of
11 URIs to potential attackers with information disclosure.

2. Lack of Client Verification and Potential DDoS Vulnerability: There is an
absence of client application verification before it accesses the APIs.
This can lead to the possibility of malicious client applications
initiating Distributed Denial of Service (DDoS) attacks.

3. Impact on Processing Time due to Multiple Resources: The need to
wildcard match/support numerous secondary URIs based on the number of
protected resources could lead to increased processing time.

4. Strengthening the Existing System with Adequate Error Codes: Our
existing OAuth RFC can handle this issue gracefully by incorporating error
codes. This ensures that, at the very least, access tokens are verified
before any specific information is disclosed.

Thanks
Jaimandeep Singh

On Thu, Aug 24, 2023 at 12:32 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is an official call for adoption for the *Protected Resource
> Metadata* draft:
> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>
> Please, reply on the mailing list and let us know if you are in favor of
> adopting this draft as WG document, by *Sep 6th.*
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Regards and Best Wishes
Jaimandeep Singh
LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>