[OAUTH-WG] explicit/implicit signaling to reveal TB ID
Brian Campbell <bcampbell@pingidentity.com> Fri, 30 September 2016 20:04 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C52B12B025 for <oauth@ietfa.amsl.com>; Fri, 30 Sep 2016 13:04:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ji7vSPGmZBOJ for <oauth@ietfa.amsl.com>; Fri, 30 Sep 2016 13:04:06 -0700 (PDT)
Received: from mail-it0-x22c.google.com (mail-it0-x22c.google.com [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FECE12B091 for <oauth@ietf.org>; Fri, 30 Sep 2016 13:04:06 -0700 (PDT)
Received: by mail-it0-x22c.google.com with SMTP id 15so10216188ita.1 for <oauth@ietf.org>; Fri, 30 Sep 2016 13:04:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:from:date:message-id:subject:to; bh=EspPfIVfXpvqXw99fU4j9F9o+NYueB9X6G8BIY1fQIE=; b=iNjJMDnwKu7SBcFhi6J1LnQjP0BtQC2tszt8Yt7djqIQM3Wqd9WRYQUsUEycV0AU6a a8DDWwBh7URiQiDc7XhTHm9eytgL9S6AFj+/XJOTmYRQwrjnZUGJxVyYIhHUziY44ObW d0zfm/v76+Wh1WJxwn7mgwjsm25sdwPAVHF/I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=EspPfIVfXpvqXw99fU4j9F9o+NYueB9X6G8BIY1fQIE=; b=ZLR3sEuyQbfssjZtsZE80Ug6uT2OqPsqhD8oGoYMQZolmODbu18jOGnyLePRKPdsdX syW3o0ztz51DASp22V7gFoa7fCZGZskBENTZ7vTjWHzNchjE+EaYp1tGaWqyhGd6tL3v sA2ejM3oIRisoZLx2Ki5iqwR/6bJo9wo6jnp1VT816xtPOj1vzYEqFad+L55LpknOlRy F5KM4eODh9B133N860O4oXVtq9eKjZpqWjT7425B3v6n30qME9N6fyr3UWxiC5eNsjbZ su5wARcn/pveGd20O2Bz+Jlpb2BUV/bhxJIb8LJG8CnWR3sY9DBqy/jg5BRpaOnu7Cge CwSg==
X-Gm-Message-State: AA6/9RnkxQmPUj5uWHPR5wQno8j2xWQvK0wpo12COg5mjOZ6/CBPpXMoR0zTR23VkzmKSnTSxraDpfasPKUoqp/x
X-Received: by 10.107.58.87 with SMTP id h84mr10673602ioa.122.1475265845068; Fri, 30 Sep 2016 13:04:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.6.141 with HTTP; Fri, 30 Sep 2016 13:03:34 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 30 Sep 2016 14:03:34 -0600
Message-ID: <CA+k3eCRqKNk2hex1xRR3oR-nZSb1uvGi7Uj2g13f1W6FcqLsow@mail.gmail.com>
To: oauth <oauth@ietf.org>, IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="001a114ac57aa522d7053dbf189b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p4ofQZhyAv-Hk5dMSNB6knzJp-M>
Subject: [OAUTH-WG] explicit/implicit signaling to reveal TB ID
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2016 20:04:08 -0000
Sending this to both the Tokbind and OAuth lists. There is text now in HTTPSTB that says that a TB ID must only be conveyed to a different server, if the associated server explicitly singles to do so. Specifically these two snippets, https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-5 has However, such applications MUST only convey Token Binding IDs to other servers if the server associated with a Token Binding ID explicitly signals to do so, e.g., by returning an Include-Referred- Token-Binding-ID HTTP response header field. and https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-7.3 has Also, applications must take care to only reveal Token Binding IDs to other endpoints if the server associated with a Token Binding ID explicitly signals to do so, see Section 5 "Implementation Considerations". This seems like it might be problematic for token binding of OAuth access tokens. Many/most OAuth flows don't begin at the resource sever (token consumer) but at the authorization server (token provider) so there's not an opportunity for such an explicit signal. And even when a request is made to the resource sever (token consumer) without a token or with a bad token, there isn't a redirect but rather a 40x is returned (see https://tools.ietf.org/html/rfc6750#section-3). The relationship between OAuth servers is much more of an implicit thing in how the OAuth client application (different than a browser client) interacts with those severs. And there's correlatable info already flowing between the two so revealing a referred TB doesn't make the privacy situation any different. But it can greatly improve the security of the access tokens. Can the text in HTTPSTB be reworked slightly to allow for an implicit okay or a prearrangement to reveal referred Token Binding IDs for applications which are not web browsers? Otherwise OAuth clients will have to ignore that MUST or a token (pun intended) but really meaningless signal will have to be invented for OAuth (like maybe a new auth-param with the WWW-Authenticate Response Header Field from RFC 6750.
- [OAUTH-WG] explicit/implicit signaling to reveal … Brian Campbell
- Re: [OAUTH-WG] explicit/implicit signaling to rev… Justin Richer