Re: [OAUTH-WG] draft-ietf-oauth-v2-threatmodel

Michael Thomas <mike@mtcc.com> Thu, 03 May 2012 20:25 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8870A21F869F for <oauth@ietfa.amsl.com>; Thu, 3 May 2012 13:25:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DWnM76DnCR-K for <oauth@ietfa.amsl.com>; Thu, 3 May 2012 13:25:46 -0700 (PDT)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id A9F7D21F869E for <oauth@ietf.org>; Thu, 3 May 2012 13:25:46 -0700 (PDT)
Received: from piolinux.mtcc.com (65-172-208-69.dsl.volcano.net [65.172.208.69]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q43KPiUc004085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 3 May 2012 13:25:45 -0700
Message-ID: <4FA2E9C1.3090308@mtcc.com>
Date: Thu, 03 May 2012 13:25:37 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <E0A719BA-4FCD-4B57-AB6E-778DE46B79D6@gmx.net> <7AAD23CC-0D1F-4F7C-80FA-5E796D6ADE67@oracle.com> <4FA2E405.7040502@stpeter.im>
In-Reply-To: <4FA2E405.7040502@stpeter.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5854; t=1336076746; x=1336940746; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20draft-ietf-oauth-v2-threat model |Sender:=20 |To:=20Peter=20Saint-Andre=20<stpeter@stpeter.im> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=cgYJykU4r71F7AOhoh5K9+iBXwpT11O/kWVl8b8ZEqo=; b=pTUhl0XLN5ZGd6qRcdMpYAsh8CDWZx9p/0gz5IN1THtdWgwp8X2CqGlHBu sVx9VMsREWhAVacCUpkC9y/Lpj5C9t4ReGbb/xd1LI9RKeii3Je/Bi8Yd6KZ kb/X0KvyBhqiIhLdvoAQ8YQD1KqMhyjTOUvGy6bmya9mTBCKKamnc=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-threatmodel
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 20:25:47 -0000

Peter Saint-Andre wrote:
> Barry, I think your text is sufficient.
> 
> Hannes, I agree with your point about taking this up outside the OAUTH
> WG because this is a broader issue.

The roots of the problem are certainly larger, but the particulars about the way
that it interacts with oauth's security model are what I found troublesome. As I've
said before, oauth was conceived before the widespread deployment of apps where
the system browser is mostly trustable. The way it's getting widespread adoption
now is back in an app environment so all of the browser trustability assumptions
flew out the window.

> Phil, I've reviewed things again and I think Michael is simply in the
> rough here, but if Michael thinks that Barry's text is insufficient then
> he is free to raise this issue during IETF Last Call or to follow the
> appeal procedures defined in RFC 2026.
>

I only asked to add one bullet that said that the auth server can and should
have a part by being less promiscuous about enrollment and more proactive about
revocation. I didn't hear anything one way or other about that.

Mike


> Peter
> 
> On 5/2/12 11:36 AM, Phil Hunt wrote:
>> I think you hit the nail on the head. 
>>
>> My feeling is that threats not directly related to OAuth obfuscate the key issues we are trying to alert implementers and deployers to. 
>>
>> I think Barry made a good proposal but Michael still feels Barry's text has not addressed the issue. 
>>
>> I think you are right to escalate the issue for guidance. 
>>
>> Phil
>>
>> On 2012-05-02, at 9:02, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> Hi all, 
>>>
>>> I looked at the feedback for the draft-ietf-oauth-v2-threatmodel and I want to share my thoughts with you (as a WG co-chair).
>>>
>>> I believe there are three questions that need to be answered:
>>>
>>> 1) Is malicious code a problem? 
>>>
>>> I believe most people would agree that malicious code is indeed a problem for Internet security. 
>>>
>>> 2) Are IETF working groups required to address this extended Internet threat model? 
>>>
>>> RFC 3552 provides guidance for protocol developers writing security considerations. It also defines terminology and a threat model. 
>>> The model, however, does not consider malicious code as a threat. 
>>>
>>> Malicious code is a problem for any IETF protocol, not just for OAuth. This requires a broader IETF discussion.  
>>>
>>> If there is the believe that IETF groups should (a) describe threats that result from malicious code and (b) develop solutions to deal with it then the IAB  should facilitate such a discussion. I will discuss this topic within the IAB. 
>>>
>>> Despite the lack of available guidance in RFC 3552 draft-ietf-oauth-v2-threatmodel talks about this threat. 
>>>
>>> 3) What can we do to highlight the threat in our document? 
>>>
>>> Barry proposed additional text (see below) that highlights the challenges. 
>>>
>>> This issue as resolved. Let's move forward. 
>>>
>>> Ciao
>>> Hannes
>>>
>>> PS: Here is Barry's proposed tet
>>>
>>> -----------------------------------------------------------------
>>> 5.5.  A Word on User Interaction and User-Installed Apps
>>>
>>> OAuth, as a security protocol, is distinctive in that its flow usually
>>> involves significant user interaction, making the end user a part of
>>> the security model.  This creates some important difficulties in
>>> defending against some of the threats discussed above.  Some of these
>>> points have already been made, but it's worth repeating and
>>> highlighting them here.
>>>
>>> * End users must understand what they are being asked to approve (see
>>> Section 5.2.4.2).  Users often do not have the expertise to understand
>>> the ramifications of saying "yes" to an authorization request. and are
>>> likely not to be able to see subtle differences in wording of
>>> requests.  Malicious software can confuse the user, tricking the user
>>> into approving almost anything.
>>>
>>> * End-user devices are prone to software compromise.  This has been a
>>> long-standing problem, with frequent attacks on web browsers and other
>>> parts of the user's system.  But with increasing popularity of
>>> user-installed "apps", the threat posed by compromised or malicious
>>> end-user software is very strong, and is one that is very difficult to
>>> mitigate.
>>>
>>> * Be aware that users will demand to install and run such apps, and
>>> that compromised or malicious ones can steal credentials at many
>>> points in the data flow.  They can intercept the very user login
>>> credentials that OAuth is designed to protect.  They can request
>>> authorization far beyond what they have led the user to understand and
>>> approve.  They can automate a response on behalf of the user, hiding
>>> the whole process.  No solution is offered here, because none is
>>> known; this remains in the space between better security and better
>>> usability.
>>>
>>> * Addressing these issues by restricting the use of user-installed
>>> software may be practical in some limited environments, and can be
>>> used as a countermeasure in those cases.  Such restrictions are not
>>> practical in the general case, and mechanisms for after-the-fact
>>> recovery should be in place.
>>> -----------------------------------------------------------------
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth