Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 13 July 2013 13:30 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2602621F9DBE; Sat, 13 Jul 2013 06:30:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y7JWboG0hN37; Sat, 13 Jul 2013 06:30:46 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.104]) by ietfa.amsl.com (Postfix) with ESMTP id D44E521F9D8D; Sat, 13 Jul 2013 06:30:45 -0700 (PDT)
Received: from [83.8.204.239] (helo=[192.168.251.6]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1UxzuL-0005Zm-TB; Sat, 13 Jul 2013 15:30:42 +0200
Message-ID: <51E15681.8070306@lodderstedt.net>
Date: Sat, 13 Jul 2013 15:30:41 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Richard Barnes <rlb@ipv.sx>
References: <20130529190805.7996.64437.idtracker@ietfa.amsl.com> <51BCAB42.3010204@lodderstedt.net> <CAL02cgQMeRMu9ShEsPcO1PYP0xJge0_jA5BvnWyTdcQcE1k9jA@mail.gmail.com>
In-Reply-To: <CAL02cgQMeRMu9ShEsPcO1PYP0xJge0_jA5BvnWyTdcQcE1k9jA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050803010508060303030706"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: draft-ietf-oauth-revocation@tools.ietf.org, oauth-chairs@tools.ietf.org, The IESG <iesg@ietf.org>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-revocation-09: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jul 2013 13:30:51 -0000
Hi Richard, thanks for your proposals. I adopted the draft accordingly. http://www.ietf.org/id/draft-ietf-oauth-revocation-11.txt regards, Torsten. Am 12.07.2013 20:43, schrieb Richard Barnes: > Hi Torsten, > > Sorry for the delay on this. I've cleared on D2. Focusing this > response on point D1: > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > D1. The mandate for TLS usage actually seems backward here. > Suppose a > server receives a request over HTTP. At this point, the > credentials have > been exposed, so you would *want* the token to be invalidated! > Suggest: > -- Clients MUST NOT send over HTTP > -- Server revocation URIs MUST be HTTPS > -- Servers MAY support HTTP to the corresponding URI, just in > case the > client screws up > > > I see your point. Doesn't the last bullet contradict the first bullet? > > > They don't contradict each other; the third just assumes that the > first might not be universally true. But I would probably be happy > with just the first two. > > The scenario I'm worried about is the following: > > 1. An operator runs both HTTP and HTTPS servers under the name > "example.com <http://example.com>". The HTTPS server is used for > OAuth things, while the HTTP server for unsecured, public-facing > things. In particular, the revocation URIs the server hands out point > to the HTTPS server. > > 2. An attack or mishap manages to change the revocation URL from > "https:" to "http:" > > 3. When the client tries to revoke his token, he is able to > successfully open a TCP connection to the HTTP server. He then sends > his revocation request over the TCP connection. > > What is the safe thing for the server do now? The client has exposed > the token on the wire, so clearly it *should* be revoked. But if the > OAuth revocation service is only active on the HTTPS server, then it > won't be. > > In the spec, there are two things we can do, (1) try to prevent this > scenario from happening, and (2) have it fail safely when it does > happen. In the above three suggested points, the first does (1) and > the third does (2). The document currently says that the server MUST > require TLS (the second bullet above). But that doesn't prevent the > client from sending TLS, so it doesn't prevent the scenario. > > Concrete suggestion to realize (1): > OLD: "This URL MUST conform to the rules given in [RFC6749], section 3.1." > NEW: "This URL MUST conform to the rules given in [RFC6749], section > 3.1. Clients MUST verify that the URL is an HTTPS URL." > > Concrete suggestion to realize (2): > OLD: > """ > Since requests to the token revocation endpoint result in the > transmission of plain text credentials in the HTTP request, the > authorization server MUST require the use of a transport-layer > security mechanism when sending requests to the token revocation > endpoints. > """ > NEW: > """ > Since requests to the token revocation endpoint result in the > transmission of plain text credentials in the HTTP request, URLs for > token revocation endpoints MUST be HTTPS URLs. If the host of the > token revocation endpoint can also be reached over HTTP, then the > server SHOULD also offer a revocation service at the corresponding > HTTP URI, but MUST NOT publish this URI as a token revocation > endpoint. This ensures that tokens accidentally sent over HTTP will > be revoked. > """ > > > > >
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Torsten Lodderstedt
- Re: [OAUTH-WG] Richard Barnes' Discuss on draft-i… Richard Barnes