IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Richard Barnes <rlb@ipv.sx> Thu, 16 October 2014 15:39 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4007B1A6EF8 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 08:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHEWRoJoHnpj for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 08:39:30 -0700 (PDT)
Received: from mail-vc0-f173.google.com (mail-vc0-f173.google.com [209.85.220.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24A861A6EE0 for <oauth@ietf.org>; Thu, 16 Oct 2014 08:39:30 -0700 (PDT)
Received: by mail-vc0-f173.google.com with SMTP id ij19so2870610vcb.32 for <oauth@ietf.org>; Thu, 16 Oct 2014 08:39:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FZXOPRG9YAdvFtEcmXotsI/SOsicCiS67pItvzcUd2A=; b=TjBY4D8t5Ggj2Gkn7Q5B/jr0d81cGdLdCeZkMxoDe7UJ0+uLzHN+C/nBj9WIc/sDms QMn5N6ftp3tn6UmNYrf1DSEppdp0+9Lqr0hbR93hypPjoLREfPfuDiIFJoE7KQJGVpCX aYES1ALKTQ0sN0Dq7JXNfj8rSawqtTRXE6dupN6o1mgx6oEDuVzjDl3D4g7ZXVBE026c aGtfxuwSYceGeCVYur+SHSXaXDrsBsvRXf+LjkbDwlYYSm2Y5GgRX6DK3Bntj+2WNFQk nKRWav/Xi+T+4kyZ2Y/Hv9Oq+Uy4JfklEm2Hxu+FeGbQ9yLGRjLD1i0whaf0akP9xHF8 sRqg==
X-Gm-Message-State: ALoCoQmY0fDopYHn9B+jLFc/mEKgTULnqGMDzUgFZLPdcoIRT42mwcSWaR5gKlWNiAuExPVcsHix
MIME-Version: 1.0
X-Received: by 10.52.36.113 with SMTP id p17mr1361050vdj.81.1413473969278; Thu, 16 Oct 2014 08:39:29 -0700 (PDT)
Received: by 10.31.149.205 with HTTP; Thu, 16 Oct 2014 08:39:29 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BB13261@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439BB13261@TK5EX14MBXC286.redmond.corp.microsoft.com>
Date: Thu, 16 Oct 2014 08:39:29 -0700
Message-ID: <CAL02cgS6L3j_+Xoepk5K3v95zpLnHXr+wpEg1bV4DXrs_bQt_A@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="20cf307c9b60d6a58305058c0dfa"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/uqQd6F_VhK-Wgb0dTfecNRuRZww
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 15:39:33 -0000

On Thu, Oct 16, 2014 at 8:29 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for your review, Richard.  I'm replying to your DISCUSS about the
> audience being required below...
>
>                                 -- Mike
>
> > -----Original Message-----
> > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
> > Sent: Wednesday, October 15, 2014 8:48 PM
> > To: The IESG
> > Cc: draft-ietf-oauth-assertions@tools.ietf.org;
> oauth-chairs@tools.ietf.org;
> > oauth@ietf.org
> > Subject: [OAUTH-WG] Richard Barnes' Discuss on
> draft-ietf-oauth-assertions-17:
> > (with DISCUSS and COMMENT)
> >
> > Richard Barnes has entered the following ballot position for
> > draft-ietf-oauth-assertions-17: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> email
> > addresses included in the To and CC lines. (Feel free to cut this
> introductory
> > paragraph, however.)
> >
> >
> > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > "The assertion MUST contain an Audience that identifies the Authorization
> > Server as the intended audience.  Assertions that do not identify the
> > Authorization Server as an intended audience MUST be rejected."
> >
> > Could you please identify the threat model within which this "MUST" is
> required?
> > This requirement doesn't follow from any of the threats elaborated in
> Section 8.
>
> Sure, this is to prevent a legitimate assertion intended for one
> authorization server being captured by the attacker and sent to a different
> authorization server.  Unless there's an audience for the authorization
> server to check, there's no way for the authorization server to reject
> assertions intended to be used by a different server.  Using the audience
> is the normal way to prevent this attack.
>

That all assumes that the issuer of the assertion intends to limit it to a
specific authorization server.  That is not the case with many assertion
systems today, e.g., PKIX.



> > The Audience is only necessary if the Issuer wishes to constrain the set
> of
> > Authorization Servers with which an assertion may be used.  So ISTM that
> this
> > should be "MAY contain..."
>
> Constraining the set to the intended server is basic to the security
> guarantees.  If I can take a server intended for server1 and get server2 to
> accept it, all security bets are off.
>

That's dramatically overstating things.  The only security bet that is off
in that case is that the assertion is not limited to one authorization
server.  Which may or may not be the issuer's intent.

The only thing I could see justifying this requirement is something in the
overall OAuth architecture that requires authorizations to be scoped to a
specific authorization server.  If that exists, add a citation and I'll
clear.  Otherwise, this needs to be un-MUST-ed.

--Richard




>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > "keyed message digest" -> "Message Authentication Code"
> >
> > That's the proper terminology [RFC4949], especially since there are MACs
> that
> > are not based on digests.
> >
> > "This mechanism provides additional security properties." -- Please
> delete this or
> > elaborate on what security properties it provides.
> >
> > Section 8.2 should note that "Holder-of-Key Assertions" are also a
> mitigation for
> > this risk.
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email