IETF Logo Mail Archive

Re: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-response-03

Roman Danyliw <rdd@cert.org> Tue, 23 July 2019 22:02 UTC

Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C14F1209C6 for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 15:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lAKQcyOI6LcU for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 15:02:22 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 039391209DD for <oauth@ietf.org>; Tue, 23 Jul 2019 15:02:21 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6NM2IUs003761; Tue, 23 Jul 2019 18:02:19 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x6NM2IUs003761
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1563919339; bh=vHpCcEIlqdHHutPJkzt0S1niMLAQHJzUNPRKtzqufd0=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=L/jchqS8frnMCrMmrmWAhDax5n8R0seJCIER3GyOqS+0GODJWLMumN+Vn8FFxOfCI 5ral6DxkENxG1bBy0WZC1aHX0daA5Y8h1ELs2V4/DCd16lxNCiBtl1LzwXpTQslVG1 2f/rSq7zRRZIHhjJNlSO5SrvFQaXutA32q/fxiG0=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6NM2Hhi026503; Tue, 23 Jul 2019 18:02:17 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0439.000; Tue, 23 Jul 2019 18:02:16 -0400
From: Roman Danyliw <rdd@cert.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: "oauth@ietf.org" <oauth@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Thread-Topic: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-response-03
Thread-Index: AdU8um9EYRsZS/zUTimSMgl/pofXXQD431IAABQoH3AAAKFZMAAyuTQAAAaH8iA=
Date: Tue, 23 Jul 2019 22:02:16 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B33E2C1D@marchand>
References: <359EC4B99E040048A7131E0F4E113AFC01B33D7447@marchand> <271A13CC-5B12-4318-8F3D-9E3ACA6D903E@lodderstedt.net> <359EC4B99E040048A7131E0F4E113AFC01B33E1621@marchand> <359EC4B99E040048A7131E0F4E113AFC01B33E1631@marchand> <D8687765-A3CA-499A-B7DD-CB7C341E71B9@lodderstedt.net>
In-Reply-To: <D8687765-A3CA-499A-B7DD-CB7C341E71B9@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tONvj2CATEs7MhUS3mZg0NfLiF8>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-response-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 22:02:37 -0000

Hi Torsten!

Thank you for this update.  It does address my key issues.

With the IETF LC feedback can you please address this idnit introduced in this update:

  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

Thanks,
Roman

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> Sent: Tuesday, July 23, 2019 5:06 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: oauth@ietf.org; Vladimir Dzhuvinov <vladimir@connect2id.com>
> Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-
> response-03
> 
> Hi Roman,
> 
> the latest revision -05 should address all points you raised.
> 
> https://www.ietf.org/id/draft-ietf-oauth-jwt-introspection-response-05.txt
> 
> kind regards,
> Torsten.
> 
> > On 23. Jul 2019, at 02:56, Roman Danyliw <rdd@cert.org> wrote:
> >
> > Hi Torsten!
> >
> > Separately from the below, idnits is troubled by the lack of an RFC2119
> section and the presence or absence of some reference despite citation:
> >
> > ==[ snip ]==
> >
> > Miscellaneous warnings:
> >  ----------------------------------------------------------------------------
> >
> >  == The document seems to lack the recommended RFC 2119 boilerplate,
> even if
> >     it appears to use RFC 2119 keywords.
> >
> >     (The document does seem to have the reference to RFC 2119 which the
> >     ID-Checklist requires).
> >
> >  Checking references for intended status: Proposed Standard
> >  ----------------------------------------------------------------------------
> >
> >     (See RFCs 3967 and 4897 for information about using normative
> references
> >     to lower-maturity documents in RFCs)
> >
> >  == Missing Reference: 'RFC5322' is mentioned on line 471, but not defined
> >
> >  == Missing Reference: 'RFC3966' is mentioned on line 537, but not defined
> >
> >  == Missing Reference: 'RFC4627' is mentioned on line 562, but not defined
> >
> >  ** Obsolete undefined reference: RFC 4627 (Obsoleted by RFC 7159)
> >
> >  == Unused Reference: 'RFC2119' is defined on line 606, but no explicit
> >     reference was found in the text
> >
> >  == Unused Reference: 'RFC2246' is defined on line 611, but no explicit
> >     reference was found in the text
> >
> >  == Outdated reference: A later version (-06) exists of
> >     draft-ietf-oauth-jwt-bcp-04
> >
> >  == Outdated reference: A later version (-13) exists of
> >     draft-ietf-oauth-security-topics-11
> >
> >  ** Obsolete normative reference: RFC 2246 (Obsoleted by RFC 4346)
> > ==[ snip ]==
> >
> > Roman
> >
> >> -----Original Message-----
> >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Roman
> Danyliw
> >> Sent: Monday, July 22, 2019 8:51 PM
> >> To: Torsten Lodderstedt <torsten@lodderstedt.net>
> >> Cc: oauth@ietf.org
> >> Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-
> >> response-03
> >>
> >> Hi Torsten!
> >>
> >>> -----Original Message-----
> >>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> >>> Sent: Monday, July 22, 2019 6:59 AM
> >>> To: Roman Danyliw <rdd@cert.org>
> >>> Cc: oauth@ietf.org
> >>> Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-jwt-introspection-
> >>> response-03
> >>>
> >>> Hi Roman,
> >>>
> >>> thanks a lot for your review feedback.
> >>>
> >>> I just published a new revision of the draft incorporating changes
> >>> based on your comments.
> >>>
> >>> https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-respons
> >>> e-04
> >>
> >> Thanks for the update. I have one refinement below based on the new
> >> language around TLS.  Details are inline ...
> >>
> >>>> On 17. Jul 2019, at 18:17, Roman Danyliw <rdd@cert.org> wrote:
> >>>>
> >>>> Hi!
> >>>>
> >>>> The following is my AD review of draft-ietf-oauth-jwt-introspection-
> >>> response-03.
> >>>>
> >>>> (1) Section 4.  Per introspection_encrypted_response_alg, how is
> >>>> either
> >>> signing or encryption being requested?  Is it by also including an
> >>> introspection_signed_response_alg?  If that's the case, it is worth
> >>> explicitly saying.
> >>>
> >>> The response is always signed. The resource server may decide to
> >>> additionally turn on encryption.
> >>>
> >>> Section 3 states “Depending on the specific resource server policy the
> >>> JWT is either signed, or signed and encrypted. “
> >>
> >> With the new language you added for item #2, I now understand.  Thanks
> for
> >> clearing it up.
> >>
> >>>> (2) Section 4.  Per introspection_encrypted_response_enc, I'm having
> >>> trouble deconflicting these two sentences:
> >>>>
> >>>> [1] If "introspection_encrypted_response_alg" is specified, the
> >>>> default for
> >>> this value is A128CBC-HS256.
> >>>>
> >>>> [2] When "introspection_encrypted_response_enc" is included,
> >>> "introspection_encrypted_response_alg" MUST also be provided
> >>>>
> >>>> Sentence [2] explicitly states that
> >> "introspection_encrypted_response_alg"
> >>> is required.  However, the first sentence seems more tentative by
> >>> saying that "if introspection_encrypted_response_enc" is present.
> >>>
> >>> introspection_encrypted_response_enc is optional but must not be
> >>> specified without introspection_encrypted_response_alg
> >>>
> >>> I changed the text to better get this across:
> >>>
> >>> introspection_encrypted_response_alg
> >>> OPTIONAL. JWE algorithm (alg value) as defined in JWA for encrypting
> >>> introspection responses. If this is specified, the response will be
> >>> encrypted using JWE and the configured algorithm. The default, if
> >>> omitted, is that no encryption is performed. If both signing and
> >>> encryption are requested, the response will be signed then encrypted,
> >>> with the result being a Nested JWT, as defined in JWT.
> >>>
> >>> introspection_encrypted_response_enc
> >>> OPTIONAL. JWE algorithm (enc value) as defined in JWA for
> >>> authenticated encryption of introspection responses. The default, if
> >>> omitted, is A128CBC- HS256. Note: This parameter MUST NOT be
> specified
> >>> without setting introspection_encrypted_response_alg.
> >>
> >> Thanks for this new text.  It is clearer.
> >>
> >>
> >>>>
> >>>> (3) I want to talk through the personally identifiable information
> >>>> being
> >>> specified as new introspection fields per Section 8.3 (e.g., name,
> >>> birthday) being exposed.  I was looking to ensure that it would always
> >>> be encrypted in transit (and that only authorized clients could get
> >>> it).  I read that in Section 3, "[d]epending on the specific resource
> >>> server policy the JWT is either signed, or signed and encrypted" and
> >>> that per Section 4 that "[t]he authorization server determines what
> >>> algorithm to employ to secure the JWT for a particular introspection
> >>> response."  Section 6.2 explicitly notes the threat of token data
> >>> leakage (a more general case of my concern so thanks for that text).
> >>> [RFC7662], Section 4 notes only that "the server MUST support
> >>> Transport Layer Security (TLS) 1.2", but "support" is different than
> >>> "the server MUST _use_ TLS". Therefore, it seems like there could be a
> >>> case where the server could return an introspection response in the
> >>> clear (e.g., no TLS, introspection_sig
> >>>> ned_response_alg).  Am I missing something?
> >>>>
> >>>> My bias is to say something on the order of "TLS MUST be used”.
> >>>
> >>> Section 6.2. now starts with “The authorization server MUST use
> >>> Transport Layer Security (TLS) 1.2 (or higher) in order to prevent token
> data
> >> leakage."
> >>
> >> Works for me to was use TLS.  I'd recommend a statement that provides
> >> more guidance "The authorization server MUST use Transport Layer
> Security
> >> (TLS) 1.2 (or higher) per RFC7525 in order to prevent token data leakage."
> >>
> >>>> (4) I also want to talk through an unscrupulous protected resource
> >>>> trying to
> >>> harvest introspection meta-data.  I was looking for guidance related
> >>> to the authorization of the introspection transactions.  I found:
> >>>>
> >>>> Section 2.2 of [RFC7662] says important things like "For instance,
> >>>> an
> >>> authorization server MAY limit which scopes from a given token are
> >>> returned for each protected resource to prevent a protected resource
> >>> from learning more about the larger network than is necessary for its
> >> operation."
> >>>>
> >>>> Section 4 of [RFC7662] says "If left unprotected and un-throttled,
> >>>> the
> >>> introspection endpoint could present a means for an attacker to poll a
> >>> series of possible token values, fishing for a valid token.  To
> >>> prevent this, the authorization server MUST require authentication of
> >>> protected resources that need to access the introspection endpoint and
> >>> SHOULD require protected resources to be specifically authorized to
> >>> call the  introspection endpoint."
> >>>>
> >>>> Section 6.2 of this draft provides guidance on defending against
> >>> unauthenticated clients.
> >>>>
> >>>> How does the authorization server restrict a protected resource that
> >>>> _can_
> >>> authenticate to it from getting meta-data is shouldn't have access to?
> >>> Something on the order of "the authorization server <uses the
> >>> following
> >>> data> to determine what a given protected resource is allowed to see”.
> >>>
> >>> I added Section 6.3, which states “The authorisation server determines
> >>> the token data a resource server is allowed to see based on the
> >>> resource server’s client_id and suitable token data, e.g. the scope
> value."
> >>
> >> Great. Thanks for the clarity.
> >>
> >>>>
> >>>> (5) Editorial Nits
> >>>>
> >>>> ** Section 3.  Per "This JWT MAY furthermore contain all other
> >>>> claims
> >>> described in Section 2.2. of [RFC7662] and beyond (e.g. as defined in
> >>> [OpenID.Core])", would it be more timeless to say the fields specified
> >>> in "OAuth Token Introspection Response" registry?
> >>>>
> >>>
> >>> This text pre-dated the addition of the IANA registry section. Thanks
> >>> for spotting the inconsistency.
> >>>
> >>> I modified the text as you suggested.
> >>>
> >>>> ** Section 4.  The first sentence of each parameters descriptions
> >>>> don't
> >>> parse -- for example with introspection_signed_response_alg: "JWS
> >>> [RFC7515] 'alg' algorithm JWA [RFC7518] REQUIRED", fully expanded
> >>> that's "JSON Web Signature (JWS) [RFC7515] "alg" algorithm JSON Web
> >>> Algorithms
> >>> (JWA) [RFC7518] REQUIRED ...".  The same is true for the write-ups in
> >>> Section 5.
> >>>
> >>> modfied text
> >>>
> >>>>
> >>>> ** Section 4.  Editorial.  Per "introspection_encrypted_response_enc":
> >>>> s/REQUIRED for encrypting introspection responses/ REQUIRED for
> >>>> authenticated encryption of introspection responses/
> >>>>
> >>>
> >>> done
> >>
> >> Thanks for all of the above.
> >>
> >> Regards,
> >> Roman
> >>
> >>> kind regards,
> >>> Torsten.
> >>>
> >>>
> >>>> Regards,
> >>>> Roman
> >>>>
> >>>> _______________________________________________
> >>>> OAuth mailing list
> >>>> OAuth@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email