Re: [OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

Brian Campbell <bcampbell@pingidentity.com> Mon, 26 October 2020 16:41 UTC

References: <6604cde2-a936-7e66-034b-9282380205a6@hackmanit.de>
In-Reply-To: <6604cde2-a936-7e66-034b-9282380205a6@hackmanit.de>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 26 Oct 2020 10:40:41 -0600
Message-ID: <CA+k3eCTZsW_4TuKvkm02OUVREJYoN1_c+rkSp8k66gG3GoZUYg@mail.gmail.com>
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uoIY0W21knn2SnngQpM7RFGCJWg>

I'd suggest removing the "of an OAuth authorization grant" bit from the
abstract. The term 'authorization grant' has meaning from
https://tools.ietf.org/html/rfc6749?#section-1.3 that doesn't really work
there in the abstract.

On Mon, Oct 26, 2020 at 8:33 AM Karsten Meyer zu Selhausen <
karsten.meyerzuselhausen@hackmanit.de> wrote:

> Hello WG,
>
> adding the issuer identifier to the authorization response as a
> countermeasure to mix-up attacks is well-known on this list and already
> part of the security BCP (see 4.4.2
> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.4.2>
> ).
> However, the "iss" parameter is currently not properly specified. Daniel
> and I wrote an ID to solve this issue.
>
> We would like to ask the working group to give us feedback on our first
> draft version:
> https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-00
>
> Abstract
>
>    This document specifies a new parameter "iss" that is used to
>    explicitly include the issuer identifier of the authorization server
>    in the authorization response of an OAuth authorization grant.  If
>    implemented correctly, the "iss" parameter serves as an effective
>    countermeasure to "mix-up" attacks.
>
>
> The need for a proper specification of the "iss" parameter was discussed
> in this thread:
> https://mailarchive.ietf.org/arch/msg/oauth/DQR2ZXtGKfa-8UGtuPYyZoAaBIc/
>
> Best regards,
> Karsten
>
>
> --
> Karsten Meyer zu Selhausen
> IT Security Consultant
> Phone:	+49 (0)234 / 54456499
> Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Does your OAuth or OpenID Connect implementation use PKCE to strengthen the security? Learn more about the protection PKCE provides and its limitations in our new blog post: https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Registergericht: Amtsgericht Bochum, HRB 14896
> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>

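A client-side check of the kind the abstract describes, written as an added example for this thread (not code from the draft or from either author): the client remembers which authorization server each request went to and accepts a response only if its "iss" names that same server. The PendingAuth record, the error type and the sample URLs are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Constructed client-side check, not code from the draft or from the thread.
# The client remembers, per "state" value, which authorization server (AS) it
# sent the request to, and accepts a response only if the "iss" it carries
# names that same AS. PendingAuth, AuthResponseError and the sample URLs in
# the usage below are assumptions made for this example.

@dataclass(frozen=True)
class PendingAuth:
    state: str
    expected_iss: str   # issuer identifier of the AS the request went to

class AuthResponseError(Exception):
    pass

def parse_authz_response(redirect_uri: str) -> dict:
    """Extract single-valued query parameters from the redirect back to the client."""
    query = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    params = {}
    for name, values in query.items():
        if len(values) != 1:              # duplicated parameters are rejected outright
            raise AuthResponseError(f"duplicate parameter: {name}")
        params[name] = values[0]
    return params

def validate_authz_response(params: dict, pending: dict) -> PendingAuth:
    """Bind the response to the pending request via state, then require a matching iss."""
    state = params.get("state")
    if state is None or state not in pending:
        raise AuthResponseError("unknown or missing state")
    record = pending.pop(state)           # state is single-use
    iss = params.get("iss")
    if iss is None:                       # assumes the client requires iss from every AS it uses
        raise AuthResponseError("iss parameter missing")
    if iss != record.expected_iss:        # exact string comparison, no normalisation
        raise AuthResponseError(f"issuer mismatch: got {iss!r}, expected {record.expected_iss!r}")
    if "code" not in params:              # error responses still had to carry a matching iss
        raise AuthResponseError(params.get("error", "no authorization code"))
    return record

def accept_redirect(redirect_uri: str, pending: dict) -> bool:
    """True only when the redirect passes every check above."""
    try:
        validate_authz_response(parse_authz_response(redirect_uri), pending)
        return True
    except AuthResponseError:
        return False
```

The mismatch branch is the mix-up defence itself: a response carrying an "iss" other than the one recorded for that state is dropped before the client ever uses the code.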