[OAUTH-WG] Comments on draft-ietf-oauth-security-topics-13
"Peck, Michael A" <mpeck@mitre.org> Thu, 05 December 2019 16:27 UTC
Return-Path: <mpeck@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D42D12013A for <oauth@ietfa.amsl.com>; Thu, 5 Dec 2019 08:27:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIF1-3H8Acgt for <oauth@ietfa.amsl.com>; Thu, 5 Dec 2019 08:27:37 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46D32120130 for <oauth@ietf.org>; Thu, 5 Dec 2019 08:27:37 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 8164733203F for <oauth@ietf.org>; Thu, 5 Dec 2019 11:27:36 -0500 (EST)
Received: from smtprhbv1.mitre.org (unknown [129.83.19.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpvbsrv1.mitre.org (Postfix) with ESMTPS id 7267B33203D for <oauth@ietf.org>; Thu, 5 Dec 2019 11:27:36 -0500 (EST)
Received: from mbfesmtp-mgt.mitre.org (unknown [198.49.146.235]) by smtprhbv1.mitre.org (Postfix) with ESMTP id 6E13980BE9B for <oauth@ietf.org>; Thu, 5 Dec 2019 11:27:36 -0500 (EST)
Received: by mbfesmtp-mgt.mitre.org (Postfix, from userid 600) id 47TLjN35HTzl1Y; Thu, 5 Dec 2019 16:27:31 +0000 (UTC)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02lp2106.outbound.protection.outlook.com [104.47.65.106]) by mbfesmtp-mgt.mitre.org (Postfix) with ESMTPS id 47TLjC06w9zl39 for <oauth@ietf.org>; Thu, 5 Dec 2019 16:27:27 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OaQgukZJIwLuYxpSvoRJFNXROZ7HPlnM6odbUDpVgPhIOg9TCQOFmAFuNESAFQwdExAvFT+SWOzLx1LG+5VjrIOZtAOPpWiXS5rDcV8DFNFCL3Up7+Mj5YS5+FyqoYuMVxT5Lof3tlv0m+k4HDIVCDBbWRa3oHnyGrz9bmeqCoEVGKBm5ibo04Daugtm5BuH7kBsy10iS7Ga0XVGO0pmER9qhUG8JamSJdH/k0Dhq+tVxfSHvVrDENvcp3aKcV6Yw+PuxB4Ennm3h+rtymUDNu9nVQz9Er6NmKy7VynwDy7P9a6V/1/fOwfTGBgVtiPBiaE0fXbHrNfnk8RBC1MFTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XX/bJe2pANYuBZmHiSG2Hc4nB+Bv8CqlYmUGkF37+do=; b=IUwaRpHRJX+UaRhCeEAe8KNQuXmsX4QwLBQYNbCHKMXP/XUvwASPGz7+Z8PA4ky5S43OKPu01yLXtfbAx+vvGOFCRsSEWWj/ZrMyuMpT5j2pX/w714DHRDHpcqTb976a0cwtDYJTmXpu0onQQnOIHNLyOiHiP1/+2UpU7IneMTVIq+LJo9yxGuqiOHEzgeobK8nqclYZxhCMosMEI1T6K/hciXUOosN+sZW/mXOrdshBPZwn8XaW/3CtU7GhUK3h0T7CvbWlmfpJbxIix1oQE65qAvbMTmSH6LQsi/ThODx0OGe/9WqDgMi+Nqs3+4KZv7YfATu2r57SsROn+7/Jhg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from BL0PR0901MB4435.namprd09.prod.outlook.com (52.135.45.75) by BL0PR0901MB2516.namprd09.prod.outlook.com (52.132.19.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.21; Thu, 5 Dec 2019 16:27:25 +0000
Received: from BL0PR0901MB4435.namprd09.prod.outlook.com ([fe80::dd58:fb2f:b6bf:9394]) by BL0PR0901MB4435.namprd09.prod.outlook.com ([fe80::dd58:fb2f:b6bf:9394%7]) with mapi id 15.20.2516.014; Thu, 5 Dec 2019 16:27:25 +0000
From: "Peck, Michael A" <mpeck@mitre.org>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Comments on draft-ietf-oauth-security-topics-13
Thread-Index: AQHVo6/pGuyf7IJtTkumwEWcFNIHMg==
Date: Thu, 05 Dec 2019 16:27:25 +0000
Message-ID: <7E7543E9-E0F6-43C8-BA51-DA5F4F93FC1B@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mpeck@mitre.org;
x-originating-ip: [192.80.55.88]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 0f1eafa7-7206-4309-8278-08d779a0037e
x-ms-traffictypediagnostic: BL0PR0901MB2516:
x-microsoft-antispam-prvs: <BL0PR0901MB2516F547154BFABF4B38C885B95C0@BL0PR0901MB2516.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02426D11FE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(199004)(189003)(8936002)(14444005)(58126008)(1730700003)(15650500001)(305945005)(6512007)(6916009)(5640700003)(14454004)(2616005)(25786009)(498600001)(99286004)(5660300002)(186003)(6506007)(6486002)(8676002)(86362001)(2906002)(71200400001)(81156014)(102836004)(81166006)(71190400001)(66946007)(66446008)(66476007)(64756008)(36756003)(76116006)(66556008)(33656002)(26005); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR0901MB2516; H:BL0PR0901MB4435.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: KS9KIOmTVk6lgj80Wc3dqisj/R4NnWmnKsjAs2DJIMaJ5lIpw7+OsB0YJ9vE0nLynGD/uE4iEyWgtdAuvA6rAw6tUgBzj8Tl3PYHySOIB5UgUiU7MN5v8d60ZWFNKr6PZanYNMOdasF0PQaw0H4E9qA9QhXMZxo97tieQbkPD7fYAy0Y9e6xeJBBA+ufGdhaS0Aptvi0ahP0BJKWRfKQFbDZF9oMB76uY8b4WUsDy0jZUAvmV4t8A3KhkOMN1JZs9cDF8s2ulPrOfdwkpik25+PjYC6z2Ie0H2eVWDioIkELT6h2whjTFnPGStYe2pqlC2S8Ai26GOwKkah+UxBVS2nSf7TdbsU3D/SLLwnjlQOg3rRQZJWjAUiYcdrQDfJk3GPOObHZM2qCXDM8emcvRTi9r/cUJWDPD33SXZ6xfBZ6Ce9Hbw2hCGE14Mt13FIz
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3D19D2907A7C1B4CBEEFC1AED006FEE4@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f1eafa7-7206-4309-8278-08d779a0037e
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Dec 2019 16:27:25.4703 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ghOc7bSRmpcbjflv/fBcyt9gO/tFr0Yo60Lpj34tjrNIaBx5wxGYkFTyuWafoMs0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR0901MB2516
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:subject:date:message-id:content-type:content-id:content-transfer-encoding:mime-version; s=selector1; bh=XX/bJe2pANYuBZmHiSG2Hc4nB+Bv8CqlYmUGkF37+do=; b=wKvccF8E2znL8HqMBvVHpzinqn5V1fN5vK/6gxwVxgRN2yO18GMxBtg84NCKHNru72pNqdm8okiGmnNH1aFzmWXkrOgoYMG0xhQxYP3CFL2xJZUsJGJDdNMvc8TG+vaNslBPQexdQRKJ8vZeHmEJnnYB0Ifid4U2kOe6KWA/z1Q=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rHNfyvVFqdQg-qpX9WI7bUVoU1U>
Subject: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 16:27:40 -0000
Thank you for writing this BCP. I believe it provides important guidance and support its publication. I have the following comments on draft -13: Overall: The draft uses the term “adversary” (3 times) and the term “attacker” (>100 times). I suggest using one term consistently. My understanding of the document structure is that Section 3 provides specific implementable recommendations up-front, while Section 4 describes in detail the threats that provide the rationale for those recommendations along with a discussion of various potential countermeasures and their tradeoffs. If that understanding is correct, I believe much of the specific recommendation text in the countermeasures sections (4.1.3, 4.2.4, 4.4.2, 4.5.3) would be a better fit in Section 3. Section 3.5: It is not clear to me how MTLS or “private_key_jwt” provide non-repudiation, or what it is that non-repudiation is being provided for. Could you explain or consider removing the non-repudiation discussion? It is clear to me how MTLS enables use of sender-constrained access tokens. However it’s not clear to me how private_key_jwt does so – at least not without something like DPoP that hasn’t yet been finalized? Maybe change the text to something like “Additionally, MTLS enables use of sender-constrained access tokens (without requiring additional keys to be distributed).”? Section 4.5: “In such an attack, the adversary attempts to inject a stolen authorization code into a legitimate client on a device under his control.” This text implies to me that the client is running on a device under the adversary’s control (but that the adversary presumably can’t directly control the client’s behavior)? But I think the intention is that the adversary is using a device/user agent under the adversary’s control to perform the code injection, not that the client is running on the adversary’s device? (e.g. previously discussed cut and paste attacks where the adversary has a session with the client and injects a stolen authorization code into that session) If I’m understanding correctly how about text like “In such an attack, the adversary attempts to inject a stolen authorization code into the adversary’s own session with the client, in an attempt to associate the adversary’s session with the client to the victim’s resources or identity.”? Section 4.5.1: “The attacker obtains an authorization code by performing any of the attacks described above.” Section 4.5 says “an attacker with advanced capabilities (A3-A5)” are out of scope, but would those advanced capabilities (e.g. A3 – ability to read the authorization response) potentially be useful to steal the authorization code? Should the text about attacker capabilities A3-A5 being out of scope be removed? Section 4.5.3: It may be worth noting that PKCE is verified by the authorization server, while the OpenID Connect nonce is verified by the client. There could be an argument to be made that authorization servers are more likely than clients to properly implement checks (e.g. the papers cited in section 4.8.1.1?), and so PKCE should be preferred. There could also be a defense-in-depth argument towards using both PKCE and nonce. “PKCE is a deployed OAuth feature, even though it is used today to secure native apps only.” That is not necessarily true anymore (the recommendations in this draft are already being adopted in other work such as FAPI). How about something like: “PKCE is a deployed OAuth feature, although its original intended use was solely focused on securing native apps, not the broader use recommended by this document.” Section 4.6: Similar concerns about the “on a device under his control” text as expressed above for section 4.5. Thanks, Mike
- [OAUTH-WG] Comments on draft-ietf-oauth-security-… Peck, Michael A