Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-17.txt

George Fletcher <gffletch@aol.com> Wed, 07 April 2021 20:07 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1C313A27AB for <oauth@ietfa.amsl.com>; Wed, 7 Apr 2021 13:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKNUEGWtuALq for <oauth@ietfa.amsl.com>; Wed, 7 Apr 2021 13:07:06 -0700 (PDT)
Received: from sonic305-22.consmr.mail.ne1.yahoo.com (sonic305-22.consmr.mail.ne1.yahoo.com [66.163.185.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78B603A27AA for <oauth@ietf.org>; Wed, 7 Apr 2021 13:07:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1617826023; bh=FWl8ap99B2f1gwrC6r1DPyLbKr0vZop6mhjMLdqTLGc=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject:Reply-To; b=p3EDqK4i36ByOUWYvdZhk0gfXUwFk1WRxoX3lwvdusEReea21o4TRJVPRV6y0Rs/KAzau+annLWwWMlBbhpF0l4+P6bpTBU0W9+RPI316pn/y3hy5LsNLI7PM69dnNc1I/lWIhD9oHeQ77cEq+kmTGZCXZdg460AXdhHCprvteKmsNBwjmSdcov3dEEwfvQcshEsX4sbpJ9JTlaObAjOigHdVOr2Xb/DtTIGFDC9IEXUnO2Nfv0Kyu+0eUJtMQVxm8iAujARBP6Q7X/QxaIModpLWYGjgGp6fzaeey1ToSircnwmQ0Jv/zOvrMR+uq916ZJhLeCzFC3A8xAkGoRZIw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1617826023; bh=iC/EyPZNLqhXLvn4TloINTBUnHq3V+ATyepXlIALFNz=; h=X-Sonic-MF:Subject:To:From:Date:From:Subject; b=Hrb7XQMEjLfcGSHcWh1BsP1qalYdUUJXeV2rrawZjXbvXMLj9a2JFWEWzxPUp8WgViVvRH5a3okjtSNowGdmXSUx/B9MXO5/U+/6AhlKnwiUEvOhB9bfJ2hKE676hZ54ElRJ0z/9XN3Pj25zf1FA/M27fxI19GhYCEBK50DGB2X0JG0ACiI6/PmxqtRk7wh+Qd2FiJqGBOiC1U2yzcoAAWiii7V8/d8nOvlDOU63WDL9NpSz1x0o0n9c2iEWwnIFwlW007tB2yqBVNpllMnDPW0Aifpz8SphS2s99C7mp0yScKG7jBuiK6qViWI5OhLaUDZjr4iUSTgbchHalp/ZDA==
X-YMail-OSG: QI_yvi4VM1neh4s3yvU_gxBf7DqFhawBQaup4_geODX14jFjfkkFo8TQXT2004m TSs3IMwDzw95W40KY7xo0sZHUAI9YT03_xkWKxvQsDRcCvoOw7Pgcw5xjo11kr31IhS9ZyOj2VWB cnSkxKe75SzhqxEYyLR.2mv8PUA0d7jy3yUFgqd3wcScBliNgYALHr8Fu40irunNUrXBNwyEtRRp eeI1X5Jdc5HQNI4dKjYt6ALgT8Eryc2ohK3n_t2Xao5TC1NdeqKI4z7NCrgbRaxQ92UoVwSpd1nW .HSYrnp7APZ.mxD6RRN04PssdplVxiJx8MpiDEzrJRF_44VCvXp6SlVZFyl293OAEbA2nGxWmBzI cW8YSZQzu9PIF4jLJR2om3hRKYgXtqoCyL7g2BGM3c4EQ3X__oTISwh2IUT36fTLsTVXltp5pc3r g9Pp.uX1UZddsbmZMuwc0WPQIL2jxppBF02m_T335jyu06bAtHN3r9iqYl.ndATX.mHZ9YPR8_.E BF.qJxxx0zqvMEsjQ9fe7QVAj7.4PZX25EES.lS.IaOIzz7ucC5ebcBVxAIV60sD1cdYk7rwTRNS Qcm7.TYpPL.HdqVTeOaEIRf9am755R2n6XExk7t6hrh4VoP6jSk19EYD1meT0DO5wIB8cV0Ftb.. Vlr7ekDHWQmvdM3hafhFdffdScm0F5XUj.NYSI1RCdNXYJdgaff7AMatp2ZnHdNmwxY__HwrXe8q lO3b5QzYvcj.F_HPQQkSwQQy9Z8vvhw1pakHRhiEQuDRPHiqzws5Xx9I1v2FOQVornSZNUMd4mBI EV8Qg8UPLeHKdzBhA60qe3yR3.DBu38dXNbNErPN8hrAV0PRpCCztdv0g0vbXY8.c6AtodXGzZrz TaUoOXH8fgyEimsFUQ8ty7qcc9d9.J0tFe41pOrfobZMOf6JfuYb5P8KvqIBf2z263ahn0pAAamr exYLqFK8D3OJ0sdm5Tm37QkbSKP04w_EXEL.9YFlmniYcSl0fe4cIaT3E8cs91p0LvFu.bnO5yrY z_w6dcbRVDzMCdftCLWkVKWDHcbL8w7qyAiW3D0Bh.DW5aAE6r_o2AS57IJSXVSb6isFvQsApKno SZ4.pksirhWn1ZsnSi8E.3wHTDUYxfAaJzrgTDrjwwQ4GbEr0DDu8LkvzpsUlUYgrfqoLHBxTrx4 I94a023pOb1_aBfupYMEvcoSQ4Jy5NH37F2Vi_jwCV.4y3dXzPCWuutq9swjwJ_YkqRaKUGXUYg7 xUQp_HTWha_n5WvKFkR7t3pl7IVKcdS9MtZuJmM7k9T_ng.htenYpBEH_qhc0ukhyzsnkBzG7r_j 2mtfh.XhJf7T.C0b7LXTFlRK2uTcsZY12_nT_ebPaR3bjbw63dmgIes41lRHie2cRgLJ3Yg2n8aN 3UgIVA.xetoTNJfZ0Ve01mZDLJpG1jl8MgCillhxp4MutLMpJ1N63Vge6BPyMzki5Htk8vFsdyfz IqX1VB0GQwJ4g2miTqwuf6CNci9NzAoKEX0Y9x47JGS_4zA6.8vu9k2iKF7YIkohVKOLLiOr7_Ee mCsk3nn8V1.jSdKl3ot5GorUX3Cl29sMYQ7VdRI8kldjsg5IRyDKboOSl9xsxMQSWRffUUAB.rxv 7HkIJlleNZv6eq7xpDlvrLHZfN5jqXQDTax0QWwXhb9JIGaTfccZJLReIlF6sXtFZue0gNKiEKzd FOHmWKuPmpcwPHK6plm5i4MKjjJhZYnJwwJzuwwwU0sxN80bWt4Mgm2XzBaH5qF7zt312.XkgpYI Bw83ZF.zhZ0CR4WvjPkWt59CFLTK1MlICvsnQpYv0d9y2rUDUBzkMNYM9DpD04u0u0BVzHy9L7sH uLLlqCSmu.I48HzweSK7jHGSV4oFkh2IZjNo_p9XLy1s46LsJ_ep2a5VRQD_LWI4QCTWumhV2gkS hc49587f5bzxS825YnSCVO4LL1VjbDgViOl7JIp9YT2WVXWp4_bXIti35CODQXKi7oezODWv.nUG z0HwbLSD1bNKPvVFc5FcglIogjF0qggk.ObULsrRzpY.EkaPFULdNvMFs4UoJ_OBqD6bmbcYMNSm A4RkF51jgL0s99lOA.D1jZ86Vj6NrvuGQ9zuEyGXoi9sdnaW7plDOEN.JJ0Twmgvv4BpUZ6vfs1O 28i4UFv8tnFUr6EHKKzLGZtW2J_EFWmGSUrXxUmg5zXEn7Cf7r.9w_DtADPI1CuqEtkaPSfF5kSS x5H5SFVivIDRNe.JegdlYb9MXu9BWhDWw5C5wJ24bQ0nk2ue6TSR.X4ZrMJ.aeotVJsGHL1pGnK3 9baKLm80R.YJTff1sG0AY68Ino0tLp.Z8w4CAjsmz9T63YuNgF47hWvmJTOR6fpvtpSLWe3NMmnq xhe1SW4mRPvJ5527LBTCfrTjVsgoXnXv7a4oIn9pSO_uB2Jtr3W8ktMMNiiCzVsdp5oS4r4noz25 xbKTr6I0j
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ne1.yahoo.com with HTTP; Wed, 7 Apr 2021 20:07:03 +0000
Received: by kubenode527.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID fde7e89d33765bb925a9a95c56596cf4; Wed, 07 Apr 2021 20:06:59 +0000 (UTC)
To: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
References: <161771436122.1506.973742618731100764@ietfa.amsl.com> <63c57751-ff04-4e75-a74d-c4ba1105fb56@danielfett.de>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <35d57c1b-5e1f-aec7-8669-c93260e873da@aol.com>
Date: Wed, 7 Apr 2021 16:06:56 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <63c57751-ff04-4e75-a74d-c4ba1105fb56@danielfett.de>
Content-Type: multipart/alternative; boundary="------------CFEE964D3604FAC3675760A2"
Content-Language: en-US
X-Mailer: WebService/1.1.18033 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol Apache-HttpAsyncClient/4.1.4 (Java/16)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n_Ai7_Xn56Y4-RF_gBNMyf2Cx0Y>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-17.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 20:07:11 -0000

While this is mostly covered in section 8.6 of RFC 8252 for native apps, 
I wonder if we shouldn't mention "Client Impersonation" in this doc as 
well in that any public client can be easily impersonated. Mobile OS's 
are providing additional mechanisms for "authenticating" the client but 
it's unclear whether those will be made available in desktop 
environments where native apps also exist. At this stage Universal Links 
(iOS) and App Links (Android) should be best practice for any mobile 
native app. Best practice for desktop apps is less clear.

Impersonating a public client is very easy especially if the only 
mechanism available for the callback is a custom scheme URL.

Thoughts?

On 4/6/21 9:15 AM, Daniel Fett wrote:
> Hi all,
>
> this version most importantly updates the recommendations for Mix-Up 
> mitigation, building upon 
> https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00. The 
> description of Mix-Up attacks has also been improved.
>
> Smaller changes:
>
>    * Make the use of metadata RECOMMENDED for both servers and clients
>    * Make announcing PKCE support in metadata the RECOMMENDED way 
> (before: either metadata or deployment-specific way)
>    * AS also MUST NOT expose open redirectors.
>    * Mention that attackers can collaborate.
>    * Make HTTPS mandatory for most redirect URIs.
>
> I'll present more details in the interim meeting next monday.
>
> As always, your feedback is appreciated. We hope that we can proceed 
> to a WGLC for this document soon.
>
> -Daniel
>
> Am 06.04.21 um 15:06 schrieb internet-drafts@ietf.org:
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>
>>          Title           : OAuth 2.0 Security Best Current Practice
>>          Authors         : Torsten Lodderstedt
>>                            John Bradley
>>                            Andrey Labunets
>>                            Daniel Fett
>> 	Filename        : draft-ietf-oauth-security-topics-17.txt
>> 	Pages           : 52
>> 	Date            : 2021-04-06
>>
>> Abstract:
>>     This document describes best current security practice for OAuth 2.0.
>>     It updates and extends the OAuth 2.0 Security Threat Model to
>>     incorporate practical experiences gathered since OAuth 2.0 was
>>     published and covers new threats relevant due to the broader
>>     application of OAuth 2.0.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-17.html
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-17
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> -- 
> https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth