Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 20 February 2017 10:52 UTC

To: Denis <denis.ietf@free.fr>, oauth@ietf.org
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 20 Feb 2017 11:52:44 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wUyHK9g6Vfvxa16_HJrWcctUI90>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

Hi Denis,

thanks for your feedback regarding the scope.

The scope for this document is limited to the specifications we develop
in the IETF OAuth working group. OpenID Connect, UMA, or other
specifications need to be dealt with in other SDOs.

The document only represents a starting point for work and hence various
attacks, such as the ABC attack you mentioned, can be incorporated in
future versions of the document.

Ciao
Hannes

On 02/06/2017 01:30 PM, Denis wrote:
> 
> The scope of this draft is unclear. The title states: "OAuth Security
> Topics".
> 
> I have some questions:
> 
>   * Does this document intend to cover only the OAuth 2.0 delegation
>     protocol (since Justin said that OAuth 2.0 is a delegation protocol)
>     or OpenID Connect as well which is not limited to a delegation
>     protocol?
>   * Should we discuss OpenID Connect issues and/or solutions in an IETF
>     RFC?
> 
> If this document is going to be progressed, the threats should be
> clearly separated whether they relate to a delegation model or to
> a client-server access control model. This is not currently the case.
> 
> If this document is going to be progressed, the ABC attack (in the
> context of an access control model) should be mentioned even if there exists
> no way to counter it given the current implicit assumptions made in
> OAuth 2.0, in particular the use of software only implementations.
> 
> 
> Denis
> 
>> A belated +1
>>
>>
>> On Sat, Feb 4, 2017, 9:08 AM Jim Manico <jim@manicode.com
>> <mailto:jim@manicode.com>> wrote:
>>
>>     I'm just some random idiot and am not in this working group but the
>>     work from
>>     https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>>     is one of the most up to date and useful OAuth security resources
>>     ever published. I am thrilled to see more work put into it.
>>
>>     Aloha, Jim
>>
>>
>>     On 2/3/17 1:57 PM, William Denniss wrote:
>>>     I support the adoption of this document as a working group item.
>>>
>>>     On Thu, Feb 2, 2017 at 2:30 PM, Jim Willeke <jim@willeke.com
>>>     <mailto:jim@willeke.com>> wrote:
>>>
>>>         +1
>>>         I agree this is needed.
>>>
>>>         --
>>>         -jim
>>>         Jim Willeke
>>>
>>>         On Thu, Feb 2, 2017 at 4:33 PM, John Bradley
>>>         <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>
>>>             I am in favour of adoption.
>>>             > On Feb 2, 2017, at 4:09 AM, Hannes Tschofenig
>>>             <hannes.tschofenig@gmx.net
>>>             <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>             >
>>>             > Hi all,
>>>             >
>>>             > this is the call for adoption of the 'OAuth Security
>>>             Topics' document
>>>             > following the positive call for adoption at the last IETF
>>>             > meeting in Seoul.
>>>             >
>>>             > Here is the document:
>>>             >
>>>             https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00
>>>             >
>>>             > The intention with this document is to have a place to
>>>             collect
>>>             > discussions and conclusions around OAuth 2.0 security
>>>             and to reference
>>>             > the actual solution specifications.
>>>             >
>>>             > Please let us know by Feb 16th whether you accept /
>>>             object to the
>>>             > adoption of this document as a starting point for work
>>>             in the OAuth
>>>             > working group.
>>>             >
>>>             > Ciao
>>>             > Hannes & Derek
>>>             >
>>>             > _______________________________________________
>>>             > OAuth mailing list
>>>             > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>             > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>     -- 
>>     Jim Manico
>>     Manicode Security
>>     https://www.manicode.com
>>
>> -- 
>>
>> Nat Sakimura
>>
>> Chairman of the Board, OpenID Foundation
>>
>