[OAUTH-WG] Re: Call for adoption - PIKA
Watson Ladd <watsonbladd@gmail.com> Tue, 25 June 2024 22:12 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 25 Jun 2024 15:11:47 -0700
Message-ID: <CACsn0cnW-N984ErjkLiqGx014GikupYWEJ-VPhOg7oD3Vaa=bQ@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
CC: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qes2kBxmRBdCv91By2gQd-eSp8c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
On Tue, Jun 25, 2024 at 2:56 PM Michael Jones <michael_b_jones@hotmail.com> wrote:
>
> The other critique I voiced of the approach is that the application-level X.509 certificate can be used to secure the HOST part of the issuer, but not the entire issuer, since in general, the issuer will contain a PATH. Yes, the service hosting the issuers controls all the paths, as Richard replied earlier, but it's not the service who is the attacker that this enables. The attackers that not securing the PATH enables are the tenants themselves.
>
> An attacker could host a tenant at the service and get an X.509 certificate securing the HOST part of its issuer. However, because a legitimate tenant at another path shares the same HOST, the attacker can copy its X.509 certificate chain and utilize a substitution attack to make unauthorized statements about the victim tenant - statements that were not made by the hosting service.
>
> This attack was not addressed, and I believe is intrinsic to the decision not to protect the entire issuer value.
>
> I believe that adopting this draft would result in this attack occurring in practice.

To be clear, drafts get modified by the WG after adoption, so adoption is not the same thing as WGLC.

However, I'm not sure I understand your attack scenario. If we have a "tenant" distinguished by a path, there is already a security issue with giving it the X.509 certificate. It could then imitate any other tenant on that server already. That's why we use reverse proxies and put the certificate only on the proxying machines.

Sincerely,
Watson

--
Astra mortemque praestare gradatim
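The exchange above turns on one mechanical point: a certificate issued for a DNS name can vouch for the HOST of an issuer URL, but two issuers that differ only in PATH share that host. The following is an added illustration written for this archive page; it is not code from the PIKA draft, from Watson Ladd or from Michael Jones. It assumes (as a simplification of the draft's host-binding rule) that a verifier accepts a signed statement when the issuer's host matches a dNSName in the leaf certificate's SAN list, and shows why a relying party must additionally pin the full issuer string, as OpenID Connect Discovery already requires for the issuer value. The tenant URLs and SAN list are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data: two tenants hosted under the same HOST, distinguished only by PATH.
TENANT_A = "https://idp.example/tenants/alice"
TENANT_B = "https://idp.example/tenants/mallory"
# Constructed SAN list for a certificate issued to the hosting service (covers the HOST only).
HOST_CERT_SANS = ["idp.example"]


def issuer_host(issuer: str) -> str:
    """Return the lowercase host of an https issuer URL; reject anything else."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"issuer must be an https URL with a host: {issuer!r}")
    return parts.hostname.lower()


def san_matches_host(san: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison with at most one left-most wildcard label."""
    san = san.lower()
    if san.startswith("*."):
        suffix = san[1:]  # "*.example" -> ".example"
        # The wildcard may replace exactly one label, so the label counts must agree.
        return host.endswith(suffix) and host.count(".") == san.count(".")
    return san == host


def host_bound(issuer: str, sans: list[str]) -> bool:
    """Host-level binding only: does some SAN in the certificate cover the issuer's HOST?

    This is the check the thread discusses. It is satisfied by every tenant that
    shares the host, so by itself it cannot tell one PATH-distinguished tenant from another.
    """
    host = issuer_host(issuer)
    return any(san_matches_host(s, host) for s in sans)


def issuer_bound(issuer_claim: str, expected_issuer: str, sans: list[str]) -> bool:
    """Relying-party policy: host binding AND exact match of the full issuer identifier.

    Pinning the whole string (scheme, host and path) is what prevents a statement
    carrying one tenant's issuer from being accepted on the strength of a host-only
    certificate that any co-hosted tenant could present.
    """
    return host_bound(issuer_claim, sans) and issuer_claim == expected_issuer


def demo() -> dict:
    """Summarise the gap: both tenants pass the host check; only the pinned issuer passes the strict one."""
    return {
        "host_check_tenant_a": host_bound(TENANT_A, HOST_CERT_SANS),   # True
        "host_check_tenant_b": host_bound(TENANT_B, HOST_CERT_SANS),   # True: same host, so no distinction
        "strict_check_expected": issuer_bound(TENANT_A, TENANT_A, HOST_CERT_SANS),  # True
        "strict_check_other_tenant": issuer_bound(TENANT_B, TENANT_A, HOST_CERT_SANS),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `demo()` output makes the point of the thread concrete: `host_bound` returns True for both tenants, so a verifier that stops there has learned only who operates `idp.example`, not which tenant spoke. Exact issuer pinning on the relying-party side restores the distinction; it also reflects Watson's operational remark, since a deployment that terminates TLS at a reverse proxy and never hands the host certificate to tenants keeps the host-level signing key out of tenant reach in the first place.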