[OAUTH-WG] Re: We cannot trust Issuers

Tom Jones <thomasclinganjones@gmail.com> Wed, 31 July 2024 15:55 UTC


There are many cases of verifiers colluding with issuers.
Police recording all traffic stops looking for patterns of abuse.
One-time and similar use restrictions on tokens.
Patterns of use that indicate fraud or abuse of financial or tracking by
third parties.
Password or vendor relations apps.
Any advertising.
Frequent buying programs.
I personally don't think that this topic is well considered against real
world situations.


thx ..Tom (mobile)

On Wed, Jul 31, 2024, 6:32 AM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

>
>
> On Tue, Jul 23, 2024 at 11:15 AM Leif Johansson <leifj@mnt.se> wrote:
>
>> On Mon, 2024-07-22 at 19:43 -0400, Richard Barnes wrote:
>> > I would observe that any solution based on garden-variety digital
>> > signature (not something zero-knowledge like BBS / JWP) will have
>> > problems with issuer/verifier collusion.  One-time tokens and batch
>> > issuance don't help.  There is no such thing as SD-JWT with
>> > issuer/verifier collusion resistance.  At best you could have SD-JWP.
>> >
>> > I don't think this needs to be a blocker on SD-JWT.  There are use
>> > cases that don't require issuer/verifier collusion resistance.  We
>> > should be clear on the security considerations and warn people away
>> > who care about issuer/verifier collusion resistance, and accelerate
>> > work on SD-JWP if that's an important property to folks.
>> >
>>
>>
>> +1 on this
>>
>
> I'm generally a +1 on this too.  There is an attempt at a discussion
> around unlinkability in the privacy considerations at
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-unlinkability
> currently. Concrete suggestions to that text about how to better frame the
> risks and difficulties around Issuer/Verifier Unlinkability (perhaps
> especially with respect to something like a government issuer compelling
> collusion from verifiers) would be welcome for consideration.
>
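The point Richard Barnes makes above (a plain digital signature cannot give issuer/verifier collusion resistance, and batch issuance does not help) as an added toy model; this is example code written for this page, not the thread's or the SD-JWT draft's code. It keeps the SD-JWT shape (salted disclosures, `_sd` digests in a signed payload) but uses an HMAC as a stand-in for the issuer's JWS signature, and the subject, claims and issuer URL are constructed.

```python
import hashlib, hmac, json, secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode

def b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def digest(disclosure: str) -> str:
    # SD-JWT-style digest over the base64url-encoded, salted disclosure
    return b64(hashlib.sha256(disclosure.encode()).digest())

class Issuer:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # HMAC stand-in for the issuer's JWS signing key (assumption)
        self.issued = {}                    # signature -> subject: the issuer's own issuance record
    def sign(self, payload: str) -> str:
        return b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
    def issue(self, subject: str, claims: dict):
        # Fresh salt per claim: a second token in a batch shares no digest with the first
        disclosures = [b64(json.dumps([b64(secrets.token_bytes(16)), k, v]).encode())
                       for k, v in claims.items()]
        payload = json.dumps({"iss": "https://issuer.example", "_sd": sorted(map(digest, disclosures))})
        sig = self.sign(payload)
        self.issued[sig] = subject
        return payload, sig, disclosures
    def link(self, sig: str):
        # Collusion: a verifier forwards the signature it saw; the issuer names the subject
        return self.issued.get(sig)

def verify(issuer: Issuer, payload: str, sig: str, presented: list) -> dict:
    # Verifier side: check the signature and that each presented disclosure is bound to
    # the token; return only the claims the holder chose to reveal
    if not hmac.compare_digest(sig, issuer.sign(payload)):
        raise ValueError("bad signature")
    bound = set(json.loads(payload)["_sd"])
    revealed = {}
    for d in presented:
        if digest(d) not in bound:
            raise ValueError("disclosure not bound to token")
        _salt, name, value = json.loads(urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed

def demo():
    # Batch-issue two tokens to one subject and present only age_over_18 from each
    issuer = Issuer()
    claims = {"age_over_18": True, "name": "Alice Example"}  # constructed sample claims
    out = []
    for payload, sig, disclosures in [issuer.issue("alice", claims) for _ in range(2)]:
        seen = verify(issuer, payload, sig, [disclosures[0]])  # disclosures[0] is age_over_18
        out.append((seen, issuer.link(sig)))  # verifier alone: `seen`; with the issuer: the subject
    return out
```

Selective disclosure does hide the undisclosed name from the verifier, but the signature (or equally the `_sd` digest set) is a stable join key the issuer already holds, so one lookup links every presentation back to the subject regardless of how many fresh tokens were issued.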