IETF Logo Mail Archive

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 17 October 2014 17:57 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B77B1A010F; Fri, 17 Oct 2014 10:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FobvMgGnljTp; Fri, 17 Oct 2014 10:57:32 -0700 (PDT)
Received: from mail-qa0-x236.google.com (mail-qa0-x236.google.com [IPv6:2607:f8b0:400d:c00::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287911A0007; Fri, 17 Oct 2014 10:57:32 -0700 (PDT)
Received: by mail-qa0-f54.google.com with SMTP id i13so858696qae.13 for <multiple recipients>; Fri, 17 Oct 2014 10:57:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HYBYr63npCrxVDnARX9Gn2ypi9rwGmNHdeq3tRNCRns=; b=DpmNHeJquokKjFU7DhOgmq75NuNTHZjfdhACe5ZYQqVODPbrZc2DwVM2LKP9o2zQP5 CCB19BxlVt+YH4RdY76swpzwVc5m0FQor6ZVVlB7sp6+mG8sZWMmjJyHma9wPbf6647V hELNr0NbdaMCW5kinxyxVrk//0yWM9eNgu2AsEDDO9oz6odwA1l1HP/4qWVHj3dFtQRd N3GmDMxibt2CQNT4U3V6vld0PIDG/GlUC77mnRfq6ub8VuxYEjRS47jGYEsALxNRNPqD xT5nbDFSRGjN1DDxvQzX0tsQfj4qSeGFbgtRYMlYKs6fmI0BDAmslpKm8U7rZUiJuUs2 0k4w==
X-Received: by 10.140.108.67 with SMTP id i61mr13416313qgf.90.1413568651254; Fri, 17 Oct 2014 10:57:31 -0700 (PDT)
Received: from [192.168.1.3] (209-6-114-252.c3-0.arl-ubr1.sbo-arl.ma.cable.rcn.com. [209.6.114.252]) by mx.google.com with ESMTPSA id i2sm1412471qay.32.2014.10.17.10.57.29 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 17 Oct 2014 10:57:29 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-A0C9A7EB-9CB9-45F4-9FBA-F2CA715DEAB9"
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com>
Date: Fri, 17 Oct 2014 13:57:30 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <371475C1-25C7-4B64-B3AC-539C3701EB7F@gmail.com>
References: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> <CA+k3eCQKxWri1kjjig90AhrsQ=D0H=CLfKGuSa513sKDar52Rw@mail.gmail.com> <A9B4CF00-6D06-4FE1-83EE-CC0D141C9AD3@oracle.com> <CAL02cgQO1nuozW-F6riDgo4QFkp3Gv89SSWzJcbO-0eayyGufg@mail.gmail.com> <28A05FEA-9EEA-4E95-9B9F-587120A74BAA@ve7jtb.com> <CA+k3eCS=TRmfR2to2wfJsQrkyRd3gGEPJ-x7ao4dLcN-V7ctiA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/vM0Sg3jzLCOlltw4bDk6ATFryyg
Cc: "draft-ietf-oauth-assertions@tools.ietf.org" <draft-ietf-oauth-assertions@tools.ietf.org>, Richard Barnes <rlb@ipv.sx>, "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 17:57:36 -0000

I just caught up on the thread again and think Brian's message below may be the most helpful to resolve this discuss.  

It sounds like we have agreement that a MUST is preferred for bearer tokens and that's what this draft is about.  Would a language tweak help when HoK is mentioned?  The WG will have more time to figure out what is needed for that in the draft mentioned that is on development.

Thanks,
Kathleen 

Sent from my iPhone

> On Oct 17, 2014, at 11:56 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> These drafts define the use of bearer assertions. The only mention of HoK style assertions is at the end of https://tools.ietf.org/html/draft-ietf-oauth-assertions-17#section-3 which notes that the "rules defined in this document are intended to support a client presenting a bearer assertion to an authorization server.  The use of holder-of-key assertions are not precluded by this document, but additional protocol details would need to be specified."
> 
> The requirement of having audience is for bearer assertions only (and we agree need to be that way for bearer) and not intended to preclude anything for HoK assertions. 
> 
> Does that change your opinion? Is there something that could be added or removed or clarified to allay concerns?
> 
> 
> 
>> On Thu, Oct 16, 2014 at 6:54 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> Holder of key JWT is still in draft and we don't have a clear way to present the proof to the token endpoint.
>> 
>> Brian and I started discussing that last week as I happen to have a use case for a PoP JWT assertion flow in some other spec work.
>> 
>> I think that there is enough difference between bearer and PoP that doing a follow on profile for SAML and JWT that can also cover the proof presentment mechanisms makes the most sense.
>> 
>> I would go with restricting this to Bearer and MUST for audience,  and removing the audience requirement explicitly in the PoP profiles.
>> 
>> There are people who need the bearer version 6 months ago,  I don't want to do anything to hold it up based on future work.
>> 
>> I am happy to help with a SAML PoP/HoK draft as a follow on.   The SAML subject confirmation stuff is relatively clear so it is mostly defining the presentment mechanisms like mutual TLS and a self signed assertion. (we need to be careful not to conflate client authentication and token proof, as they are different and might both be used at the same time.
>> 
>> John B.
>> 
>>> On Oct 16, 2014, at 7:20 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>> 
>>> You guys are all arguing that having an Audience can be useful.  I don't disagree.  I disagree that it should be REQUIRED in all cases.
>>> 
>>> The Google vulnerability that Brian raised was an interesting read, but as John points out, it only applies to Bearer Assertions.  There's no security requirement at all for holder-of-key assertions to have an audience, since they can't be replayed by someone who doesn't hold the key.
>>> 
>>> I could agree that an audience should be REQUIRED for bearer assertions.  Since they are vulnerable to replay, Audience protects against the Authorization Server re-using the token.  (It would be good to say this explicitly in the doc, actually.)  But for holder-of-key assertions, the Audience should be OPTIONAL.  Note that this requires that instance documents define the difference between bearer assertions and holder-of-key assertions, so that implementations can enforce these requirements.
>>> 
>>> So it seems like there are two solutions here:
>>> 1. Scope the document to bearer assertions only, and keep the MUST
>>> 2. Keep the current scope, make Audience OPTIONAL for holder-of-key assertions, and define the difference in the instance docs.
>>> 
>>> --Richard
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Thu, Oct 16, 2014 at 9:57 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>> It is also important for a non-protocol purpose. Liability.
>>>> 
>>>> If a 3rd party uses an assertion that was not intended for it, it cannot obviously hold the asserting party responsible.  
>>>> 
>>>> Phil
>>>> 
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>> 
>>>> 
>>>> 
>>>>> On Oct 16, 2014, at 8:43 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>>> 
>>>>> Thanks for your review and feedback, Richard. Replies are inline below...
>>>>> 
>>>>>> On Wed, Oct 15, 2014 at 9:47 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>>>> Richard Barnes has entered the following ballot position for
>>>>>> draft-ietf-oauth-assertions-17: Discuss
>>>>>> 
>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>>>> introductory paragraph, however.)
>>>>>> 
>>>>>> 
>>>>>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>> 
>>>>>> 
>>>>>> The document, along with other ballot positions, can be found here:
>>>>>> http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> ----------------------------------------------------------------------
>>>>>> DISCUSS:
>>>>>> ----------------------------------------------------------------------
>>>>>> 
>>>>>> "The assertion MUST contain an Audience that identifies the Authorization
>>>>>> Server as the intended audience.  Assertions that do not identify the
>>>>>> Authorization Server as an intended audience MUST be rejected."
>>>>>> 
>>>>>> Could you please identify the threat model within which this "MUST" is
>>>>>> required?  This requirement doesn't follow from any of the threats
>>>>>> elaborated in Section 8.
>>>>>> 
>>>>>> The Audience is only necessary if the Issuer wishes to constrain the set
>>>>>> of Authorization Servers with which an assertion may be used.  So ISTM
>>>>>> that this should be "MAY contain..."
>>>>> 
>>>>> 
>>>>> The audience restriction let's the issuer say specifically what relying party is allowed to consume the assertion, which ensures that the client can't use it somewhere else that it wasn't intended and that the relying party that receives the assertion can't turn around and use it to access some other service.
>>>>> 
>>>>> Strictly speaking, you are right that the audience is only necessary if the Issuer wishes to constrain the set of Authorization Servers with which an assertion may be used. But the Issuer really really really should make that constraint and fully understanding the implications of not doing so is difficult and unlikely. 
>>>>> 
>>>>> There was a vulnerability in Google apps SAML a few years back that demonstrates how important audience restriction is and how it can be difficult for even very sophisticated providers to get it all right. I haven't had time to read it again to make sure but I think that this is the paper http://www.ai-lab.it/armando/pub/fmse9-armando.pdf
>>>>> 
>>>>> I don't see what value allowing audience to be omitted brings other than that it is academically a possibility. But requiring it (hopefully, if the requirement is followed) helps reduce the possibility of a whole bunch of security problems that folks likely won't foresee.
>>>>> 
>>>>>  
>>>>>> ----------------------------------------------------------------------
>>>>>> COMMENT:
>>>>>> ----------------------------------------------------------------------
>>>>>> 
>>>>>> "keyed message digest" -> "Message Authentication Code"
>>>>>> 
>>>>>> That's the proper terminology [RFC4949], especially since there are MACs
>>>>>> that are not based on digests.
>>>>> 
>>>>> OK
>>>>>  
>>>>>> 
>>>>>> "This mechanism provides additional security properties." -- Please
>>>>>> delete this or elaborate on what security properties it provides.
>>>>> 
>>>>> Will delete.
>>>>>  
>>>>>> 
>>>>>> Section 8.2 should note that "Holder-of-Key Assertions" are also a
>>>>>> mitigation for this risk.
>>>>> 
>>>>> OK
>>>>>  
>>>>>  
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email