Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-07
Brian Campbell <bcampbell@pingidentity.com> Fri, 14 May 2021 22:05 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 062E23A41C5 for <oauth@ietfa.amsl.com>; Fri, 14 May 2021 15:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wn_3QnZ9yvDb for <oauth@ietfa.amsl.com>; Fri, 14 May 2021 15:05:52 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 568143A41C8 for <oauth@ietf.org>; Fri, 14 May 2021 15:05:52 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id h4so497729lfv.0 for <oauth@ietf.org>; Fri, 14 May 2021 15:05:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LstwOOWw9/gWDQHteh9A3QSFb8rPEdFAc+M/zgkfHHc=; b=DIExxbnYXufGB/pjqvAO4Dc4Y3RkAO9k1iYMpjwF0+0nxlRSkYV7fL0kxy6AFPhsJX S9yCmTFiRviIwN8/9vOAWecN00QK+v6fZWj0tOSird9nLxHMcawsdcW/ZUxdtJzo2RXq 9CjXveryQAzXj7JdAGQ9AzKyskM+qysoWok2cXR28QCCbFbiwQVTG0b3YfapZ2F6t99M fJ7bJfXOh8PvPhKNPShSN8ZGywG72q+nAWEO0zlR/CaN/LcaCu0bZQ/xdnVnfXAHYSQU nxxSzRYutI2OmS9kgPY+i3WMtRt2uPaVoGZiqhJyNKjKVxKEvvILZ2GXRFvxtRQQFmY+ BHug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LstwOOWw9/gWDQHteh9A3QSFb8rPEdFAc+M/zgkfHHc=; b=MbjrTBEhG2BZEKE2Tp0F3P/e6xbqM+/HIYUBvbcUx44IKcdedU/DhPgl2Pyq6G5vMj n0XbSW2sWtvDumrSmNrvhF1N41Tbi/b9hbszxC9hAmulfs7dS8lnMzbspNkUIlOfKXfc 6xK/OqlNT8h+ctK2kJFpbVfQRF/voSy8D+vuwSsKGzeyRI/3r88da5pE/4HH4TRqdGgN 2aFKoylmOa4ilqcxVt6jNiKhrBK/4FM1IE3ADVoCb2BoW9AdTUwUIDqyXzoSzoagVDv4 DDLw1Hb+3iukegPaojuRhXolkPFB1UZ3MQ6cvDEgr0HHPTlaAEC3s1sIYpqou+zZ1beC tedA==
X-Gm-Message-State: AOAM530T1K56tzYzKRRy0s1vQHUlcbDM9/3SyzubdDdf/A/5oWxJXeza 9bo1VPn0tdba6hGMn74mbkbYe2XRMWtwQ0M3HGYUd8p1ZAx3kZ6vdsLcwvKArHKi0YP3jUNz2C9 auqLQ4qCs2Ks4xg==
X-Google-Smtp-Source: ABdhPJzYXDkdmTOBMzfHrQU0yZ62ItbroZAQIw6pHSEMHeaoPE35xI60fd2OqlsEA5x0k5BChN1KhPSHgSRGR3Y2n9w=
X-Received: by 2002:ac2:533a:: with SMTP id f26mr5319639lfh.574.1621029949561; Fri, 14 May 2021 15:05:49 -0700 (PDT)
MIME-Version: 1.0
References: <912d493e506e4f2c8e200b6cc71f3b88@cert.org> <CA+k3eCQuHBz+jDkgHR-aK_H51FGWFiiFiyzQ0oL4mpTik-hQ9A@mail.gmail.com>
In-Reply-To: <CA+k3eCQuHBz+jDkgHR-aK_H51FGWFiiFiyzQ0oL4mpTik-hQ9A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 14 May 2021 16:05:23 -0600
Message-ID: <CA+k3eCSXBEFAm_eE4BOjYea+iBo7TVCmOEc50_Lo+ME0jz_poA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005078db05c251727e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/op22V6F0f0KnWi-S6LJIA9IsOq8>
Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 May 2021 22:05:57 -0000
I went ahead and pushed an -08 that hopefully addresses all your feedback and suggestions. https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-08 https://datatracker.ietf.org/doc/draft-ietf-oauth-par/ On Fri, May 14, 2021 at 2:55 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > Thanks for the review Roman! Responses from me are inline below. And I'll > endeavor to get a new draft published soon that addresses your feedback. > > > On Fri, May 14, 2021 at 1:17 PM Roman Danyliw <rdd@cert.org> wrote: > >> Hi! >> >> I performed my AD review of draft-ietf-oauth-par-07. Thanks for the >> effort to produce this document. See my feedback below: >> >> ** Section 1.1. Per the first POST example, please provide a bit more >> text to explain the presence of the Authorization header. >> > > Makes sense and will do. > > > >> >> ** Section 2.1. Per step #1, "Authenticate the client in the same way as >> at the token endpoint." Would it be appropriate to cite Section 2.3.1 of >> RFC6749 as the reference for "the same way"? >> > > I think a reference here would be good but Section 2.3 of RFC6749 is > probably more appropriate as any of the defined/supported client > authentication methods (e.g., RFC8705 or RFC7523) could be used. It's not > limited to client password/secret, which is what Section 2.3.1 of RFC6749 > is about. > > > >> >> ** Section 2.1. Typo. s/the the/the/ >> > > Doh! Will fix. > > > >> >> ** Section 2.2. "The format of the "request_uri" value is at the >> discretion of the authorization server ...", it would be helpful to remind >> implementers (via reference) that the constraints of Section 10.10 of >> RFC6749 apply. >> >> The authorization server MUST prevent attackers from guessing access >> tokens, authorization codes, refresh tokens, resource owner >> passwords, and client credentials. >> >> The probability of an attacker guessing generated tokens (and other >> credentials not intended for handling by end-users) MUST be less than >> or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160). >> > > I'll add that reference around the current text saying it has to be > "computationally infeasible to predict or guess a valid value". > > > >> ** Section 2.2. "The string representation of a UUID as a URN per >> [RFC4122] is also an option for authorization servers to construct >> "request_uri" values" suggests that a UUID could be used as the >> "cryptographically strong pseudorandom algorithm such that it is >> computationally infeasible to predict or guess a valid value" for the >> random part of the request_uri. However, a few bits of the 128-bit UUID >> are in fact not random. Hence, this UUID construct would seem to violate >> the guidance of Section 10.10 of RFC6749 noted above. Likewise, the >> Section 10.2 of draft-ietf-oauth-jwsreq-34 referenced in Security >> Considerations also suggest 128-bits. >> > > Good catch, if not a touch pedantic :) Honestly, my thinking was that > creating UUIDs is made pretty easy in a lot of environments and that the > not-quite-128-bits from a UUID was probably good enough for the purpose. > But you are right and, under a strict reading, this amounts to the PAR > draft suggesting something that is in violation of a normative MUST in > RFC6749. I think the best path forward is that the sentence that suggests > UUIDs should just be removed. > > > >> ** Section 2.4. This section relaxes exact matching of the redirect_uri >> specified in the current text of the security BCP and OAuth 2.1. Not >> relevant to this document, but would it make sense to acknowledge this >> relaxation in the BCP or caveat language about strict requirements in the >> v2.1 draft? >> > > Yeah, it might make sense to do so perhaps along with some rationale or > explanation about the conditions that make relaxation acceptable. > > > >> ** Section 6. Typo. s/reqired/required/ >> > > Ugh. Will fix. And thanks. > > > >> ** Section 7.5. Per "Clients SHOULD make use of PKCE, a unique "state" >> parameter, or the OIDC "nonce" parameter" are good advice. Can the text >> provide references to each of these. >> > > Yup, I can add references for those. > > > >> ** Section 8. Wouldn't some of the privacy considerations of >> draft-ietf-oauth-jwsreq-34/Section 11 apply? >> > > I read through that section again and honestly don't see anything that is > applicable or isn't already constrained or made irrelevant by the specifics > of the PAR draft. Please let me know if you think I'm overlooking something > though. > > > Thanks, >> Roman >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] AD Review of draft-ietf-oauth-par-07 Roman Danyliw
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-… Brian Campbell
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-… Brian Campbell
- Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-… Roman Danyliw