IETF Logo Mail Archive

Re: [OAUTH-WG] Regarding iat and nonce in DPoP Proofs

Brian Campbell <bcampbell@pingidentity.com> Mon, 11 April 2022 21:57 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55F7A3A1D14 for <oauth@ietfa.amsl.com>; Mon, 11 Apr 2022 14:57:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NwjseYdSVsNV for <oauth@ietfa.amsl.com>; Mon, 11 Apr 2022 14:57:02 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 785EE3A1D16 for <oauth@ietf.org>; Mon, 11 Apr 2022 14:57:02 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id w127so17176653oig.10 for <oauth@ietf.org>; Mon, 11 Apr 2022 14:57:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ba7yH526wpb758Tg4JqfzdmVoh76/34kkLVW3BSFWKM=; b=Vo+jf6UHwDBtadEbS/I7Dj550m71tIzovXg80a/O9ec4TuYULMUw2/ml0sOGJKwBag DfYS4zr7SPNGpabPL74dY5w3+b+nSbpboMvX2Gv5dtQupRO7yVuY32KLgWYTMnlOBBt/ yLAIrCPkIwARTrD3ay6nNZLckADYe0T0FLWZ04TBoVhykoK+Gi9W4jUpgmHw2X44TZph Gr0ZuoVkiNqWThkAbVDbiA+PKxWWqHz98mJyczliqy7o34D97DuX8kxCPh/YeyTr97cv YJaVDVjIFnjxLnG5KhrhWPH752CY3YuZPX+eOav/LKWbgPvLOgdLQQWojH5VD0Eqw3D3 Ejdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ba7yH526wpb758Tg4JqfzdmVoh76/34kkLVW3BSFWKM=; b=Vgv59MjN9c+CsMVyWkkFtT1P1C7Kpa17zV9NOiwWJL1Sj+5qz/SSYWh2htb5dAxajg 0U47ArU95/T70+AFvzE7poUzvS6r0L9Gp2YHfxPCdiavxNG1WtFUSvmP5D1/s4HLhszw ZsFpTLv6cTHMH2K7abI/9hc3TEEmTMEcNd/jIgqqBR1vEt719YemDhowu84w2VNnsDpL wjQJZqjHHXBBpkj47HAOT1BjfgUYPX2QjH+Ow7ziNAmamOsRmesAHWkTo4kRYbgUOBiF jgHoMJzUlng2NyGrX4mDlOPKa2XePsAWcTK0XwcKc/teLengWvvBY5KHiWYt1BY5NUM6 IqWA==
X-Gm-Message-State: AOAM530RYB3uKRk8sQel70Pk9O/oga7845NDQl0oZwxAW8fGGZfOguwd nPhgaPYCQKopi9TW9codQncYAhuh+T6qWWOyxKvbp3eK+GCzJ/6UymKZWiIWyXSCrN34l6sD1e4 8G5x8i86S6VFJyw==
X-Google-Smtp-Source: ABdhPJywmkZNYzhA0qNLwWi/vEjcHnG5sb5NKLTNh1wkgqoqTH2ZGzX8u5ZWRQk9PgXtSrl6c9qXNREoN8eHcGyA3vo=
X-Received: by 2002:a05:6808:1a08:b0:2f9:a87c:f382 with SMTP id bk8-20020a0568081a0800b002f9a87cf382mr539601oib.52.1649714221328; Mon, 11 Apr 2022 14:57:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAKL4o=G9wO-LCgkWipsAEV3_sVUThTsQcaHd-Vf2o08KTA5UKg@mail.gmail.com> <CALAqi_977Jjyzi5Hv2yVLsv3=7sS9Lpjs7kusQ+YObnj-TiLig@mail.gmail.com>
In-Reply-To: <CALAqi_977Jjyzi5Hv2yVLsv3=7sS9Lpjs7kusQ+YObnj-TiLig@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 11 Apr 2022 15:56:33 -0600
Message-ID: <CA+k3eCTwWqkmBpOEH-3wC8yukkCAAwS4NigFu5egZ5406wKyyw@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Jacob Ideskog <jacob.ideskog@curity.io>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000024c66705dc6806a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qJSjyB6wUVAnai6Njpvvyufqwv8>
Subject: Re: [OAUTH-WG] Regarding iat and nonce in DPoP Proofs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 21:57:07 -0000

Hello Filip, Jacob, co-authors, and WE participants,

Apologies from myself and fellow co-authors for the slow response. I was on
family vacation for much of WGLC and am slowly catching up.

Anyway, yeah, I definitely believe that one of the intentions when adding
the nonce was to allow the server to limit the acceptance timeframe of DPoP
Proof JWTs using its own notion of time somehow captured opaquely in/with
the nonce rather than using the client time via iat. I'll endeavor to
rework the text in sections 4.3 and 11.1 to be more clear that either can
be used alone in validating the timeliness of the proof.

Filip's last comment about section 11.1 shows, to me anyway, that there's
an inconsistency in the requirements (SHOULD level currently) for jti
tracking depending on whether iat or nonce is used for TTL. I think that
should change to have uniform treatment for both. And I think the jti
tracking requirement should be somewhat further de-emphasised - it can be
difficult/costly to do and there's no obvious threat (I don't think?)
that'd be prevented by catching the same proof being used more than once.






On Wed, Mar 30, 2022 at 7:53 AM Filip Skokan <panva.ip@gmail.com> wrote:

> Hello Jacob, dear Authors,
>
> If the server (AS or RS) utilizes the `nonce` mechanism to limit the
> acceptance timeframe of DPoP Proof JWTs it would appear the need to check
> the `iat` claim for "freshness" is redundant. If we're making the client
> jump through hoops to enforce fresh proofs via `nonce` it seems counter
> intuitive that the validation could still fail due to client or server side
> clock skews (regardless of how unreasonable they may be).
>
> Changes would need to be introduced in (source
> <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07>)
>
>    - section 4.3. point 11
>       - the iat claim value is within an acceptable timeframe and, within
>       a reasonable consideration of accuracy and resource utilization, a proof
>       JWT with the same jti value has not previously been received at the same
>       resource during that time period (see Section 11.1)
>       - section 11.1
>       - To prevent this, servers MUST only accept DPoP proofs for a
>       limited time window after their iat time, preferably only for a relatively
>       brief period (on the order of seconds or minutes).
>
> Proposal:
>
> Section 4.3. point 11
> *if the server did not provide a nonce value to the client that was
> verified in the previous point*, that the iat claim value is within an
> acceptable timeframe and, within a reasonable consideration of accuracy and
> resource utilization, a proof JWT with the same jti value has not
> previously been received at the same resource during that time period (see
> Section 11.1)
>
> Section 11.1 upon a second read may not need an update afteral due to the
> following language "Server-provided nonces are an effective means of
> preventing DPoP proof replay.". That being said, server-provided nonces do
> nothing about replay within a short time window, they ensure freshness, so
> may need a bit of language afterall.
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Tue, 29 Mar 2022 at 16:23, Jacob Ideskog <jacob.ideskog@curity.io>
> wrote:
>
>> Hi all,
>>
>> We have encountered a situation in the wild which I would like to share
>> and discuss with you.
>>
>> We have strict validation of the iat claim as per section 4.3 in the
>> specification where we allow a reasonable skew.
>>
>> The problem we see is that some users (more than a few) have changed the
>> clock on their mobile device. This is commonly done for users playing games
>> where changing the clock gives them more credit in the game. This means
>> that the drift is more than reasonable as per the specification. It can be
>> hours to days.
>>
>> The solution is to use the newer "nonce" parameter (which wasn't in the
>> early drafts) to be able to manage the TTL server side, since the server
>> controls the nonce and can therefore control the TTL of any proof received.
>>
>> However, the wording in section 4.3 states that:
>>
>> the iat claim value is within an acceptable timeframe and,
>>         within a reasonable consideration of accuracy and resource
>>         utilization, a proof JWT with the same jti value has not
>>         previously been received at the same resource during that time
>>         period (see Section 11.1 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-07#section-11.1>),
>>
>> And in section 11.1 this limits it to seconds or minutes.
>>
>> So, even though using nonces could solve clock sync issues, it's not
>> possible due to the strictness of the iat claim verification.
>>
>> Could we relax the wording of the iat claim verification to let the nonce
>> be the main solution in some cases:
>>
>> Suggestion:
>> the iat claim value is within an acceptable timeframe and,
>>         within a reasonable consideration of accuracy and resource
>>         utilization, a proof JWT with the same jti value has not
>>         previously been received at the same resource during that time
>>         period (see Section 11.1), *unless the clock syncronization can
>> be made to depend on the issuance of the nonce values.*
>>
>> Regards
>> Jacob
>>
>> --
>> Jacob Ideskog
>> CTO
>> Curity AB
>> -------------------------------------------------------------------
>> Sankt Göransgatan 66, Stockholm, Sweden
>> M: +46 70-2233664
>> j <jacob@twobo.com>acob@curity.io
>> curity.io
>> -------------------------------------------------------------------
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email