Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
John Bradley <ve7jtb@ve7jtb.com> Tue, 22 November 2016 16:10 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C41EC12969B for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 08:10:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLEtjklALlF0 for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 08:10:37 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7822D129693 for <oauth@ietf.org>; Tue, 22 Nov 2016 08:10:37 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id x190so31274904qkb.0 for <oauth@ietf.org>; Tue, 22 Nov 2016 08:10:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xwxn2SQl9comYo9Mh/kFzWw34oT35jkq+zGul6yrl+U=; b=1GbQ+jHKTCP4CiNIvMZGoQQWXV7AxwR+yIN/t3B0ZfTNdMaHEoMWaXqzSDqmMYABcm tPxeOryUOaz/aImeE4Fe3mO73xwILGYZeTHy17zE6njgbkAbIyDVdw2kQHW2/YYfuf1w YnUw6d/YzFyOMWFJgDFEbUHi7+gsEshLlJyPN9YC77Mj9u8H/pMg3PkAsUEbpPkU7jwu t36Mf/pbIrNcjL8bRL0VMwd0jSnviFZxEPTExNHuxOTAVzaaFhGLEgObUTUo5T9HaC8M ZbFP62xHfMfHN6/U8SdiFnQeVNNMvi6FoqsNNoEmcmjOWlIdCTISsvDqM56KLZ7njxXu 7jPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xwxn2SQl9comYo9Mh/kFzWw34oT35jkq+zGul6yrl+U=; b=iiTCaXHrJoodepcFsJkqurbt3AYeAT87FQw2cfEBoaakXGOoa8bTPctsn4UvVfKQws ecfhO6oz+jHOYU1cNLuCPXsH3XcoH8dl1wMv6rhFryETqcfHQUqGcM/d0xT9LiDmUuyf Qj/ebQoDbZm3eJrqGDx2pOrGdej/LY20ksq6luS4KLfGzEHP+8drrv+iH/IJt5oPDPfy MBf7zSpvYkE+mXf/I8aArKs+YTRvG8Gxf6+9DcZOrrnrgN5oAfrxL0gqeVKGT6mTjcvV VhON11y4L4dzbD+a9GDvTWMrxcrAbg+RCST9PX7Nzyr1GaKvP3k7CMhGoXwCfPJwYZIT +EVQ==
X-Gm-Message-State: AKaTC036sBEvgMV7irRvstMj8UDf+sxSPMMegSZXEtZ5itjGXeyt7Q7icJnXzyheRVwJ7iUU
X-Received: by 10.55.91.193 with SMTP id p184mr22596627qkb.301.1479831036409; Tue, 22 Nov 2016 08:10:36 -0800 (PST)
Received: from [192.168.1.216] ([191.115.236.136]) by smtp.gmail.com with ESMTPSA id e24sm7050915qkj.12.2016.11.22.08.10.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Nov 2016 08:10:35 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <5161dc3d-aac7-acb3-d4b3-7e6864a0520b@free.fr>
Date: Tue, 22 Nov 2016 13:10:31 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <468C84B4-B2B3-4CC8-8AD1-A25A0D6893EF@ve7jtb.com>
References: <f5f049b9-1aca-9949-ffd6-c9ce1396ef31@free.fr> <7fe51b7f-cc68-abda-79ed-9b6d75e00bc4@gmx.net> <5161dc3d-aac7-acb3-d4b3-7e6864a0520b@free.fr>
To: Denis <denis.ietf@free.fr>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wTGOkHTimahwTCFXXDjvZet6rtM>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 16:10:40 -0000
The privacy problem is a touch hypothetical the way that OAuth currently works. There is not standard access token, a AS producing access tokens that could be used across a number of RS in different security domains would be a security disaster, unless they are proof of possession tokens. If all of the RS trust each other by being in the same security domain they can all collude and the AS can know where the tokens are used without the resource being indicated to the AS directly. If the RS are in different security domains then potentially some privacy is disclosed. The only way to deal with that is the alternative of POP AT that the WG is documenting separately. I think it is fine to say that if the AS are in separate security domains and privacy is a issue, then use PoP rather than resource to protect the AT from replay. The reason for using a URI for the resource is that it is something the client knows. If we use a abstract name the client might be tricked into giving a token to the wrong resource. John B. > On Nov 22, 2016, at 9:34 AM, Denis <denis.ietf@free.fr> wrote: > > Hi Hannes, > > I do not deny the fact that it is necessary to provide some information to the authorization server > to indicate the resource server where the access token shall only be used. > > Let us illustrate the concept with a simple scenario. > > A user first connects to a resource server and announces some actions he would like to perform. > In its response, the resource server indicates "demonstrate that you are older than 18 and incorporate > in your access token the random value (some kind of challenge) I have just generated for you only". > > The client forwards that random value to the authorization server which is blindly copied and pasted > into the access token. If the resource server does not recognize this value, the access will be denied. > > In this way, the authorization server has no way to know where the access token will be used. > > On the contrary, an absolute URI would allow the authorization server to know which resources the user is accessing. > The use of an absolute URI should be deprecated because of this privacy concern. > > Denis > >> Hi Denis >> >> draft-campbell-oauth-resource-indicators gives the authorization server >> information about the resource server the access token will be used with. >> >> Without this information there is the risk that the access token is >> replayed at other resource servers and with the proof-of-possession / >> token binding work there obviously has to be an indication of where the >> token is used. >> >> The reason for using an absolute URI is that the resource server needs >> to take the information from the incoming access token and to compare it >> with its own information in order to determine whether the token is >> indeed intended for itself. >> >> If the authorization server does not know to whom it gives rights to >> access protected information then this is also a privacy risk (namely >> unauthorized access). >> >> Ciao >> Hannes >> >> On 11/15/2016 12:50 PM, Denis wrote: >>> Hello everybody, >>> >>> Since I am not present at the meeting, I read the minutes from the first >>> session, in particular: >>> >>> Brian Campbell and John did a draft allowing the client to tell the >>> AS where it plans to use the token >>> draft-campbell-oauth-resource-indicators >>> >>> This enables the AS to audience restrict the access >>> token to the resource >>> Phil Hunt: We should keep the audience restriction >>> idea on the table >>> >>> The introduction contains the following sentences: >>> >>> Several years of deployment and implementation experience with OAuth >>> 2.0 [RFC6749] has uncovered a need, in some circumstances, >>> for the client to explicitly signal to the authorization sever where >>> it intends to use the access token it is requesting. >>> >>> A means for the client to signal to the authorization sever where it >>> intends to use the access token it's requesting is important and >>> useful. >>> >>> The document contains a "security considerations" section but >>> unfortunately no "privacy considerations" section. >>> >>> Clause 2 states: >>> >>> The client may indicate the resource server(s) for which it is >>> requesting an access token by including the >>> following parameter in the request. >>> >>> resource >>> >>> OPTIONAL. The value of the resource parameter indicates a resource >>> server where the requested >>> access token will be used.*It MUST be an absolute URI*, as specified >>> by Section 4.3 of[RFC3986], >>> >>> With such an approach, the authorization server would have the ability >>> to *act as a Big Brother *and hence to know exactly >>> where the user will be performing activities. >>> >>> However, some users might be concerned with their privacy, and would >>> like to restrict the use of the access token >>> to some resource servers without the authorization server knowing which >>> are these resource servers. >>> >>> The key point is whether the information is primarily intended to the >>> authorization server or to the resource server(s). >>> >>> I believe that it is primarily intended to the resource server(s) rather >>> than to the authorization server in order to be included >>> in an access token. Obviously, the information needs to transit through >>> the authorization sever, that should simply be copied >>> and pasted into the access token. Its semantics, if any, does not >>> necessarily needs to be interpreted by the authorization sever. >>> >>> I believe that a "privacy considerations" section should be added. >>> >>> The sentence "*It MUST be an absolute URI*, as specified by Section 4.3 >>> of [RFC3986]" should be removed or >>> replaced by : "*It MAY be an absolute URI*, as specified by Section 4.3 >>> of [RFC3986]". >>> >>> Obviously, other changes would be necessary too. >>> >>> Denis >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] About Big Brother and draft-campbell-o… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Brian Campbell
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Vivek Biswas
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Jim Willeke
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Steinegger, Roland Heinz (TM)
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Hannes Tschofenig
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… John Bradley
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Mike Jones
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- Re: [OAUTH-WG] About Big Brother and draft-campbe… George Fletcher
- Re: [OAUTH-WG] About Big Brother and draft-campbe… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-token-bin… Denis
- [OAUTH-WG] Comments on draft-ietf-oauth-pop-archi… Denis