Re: [OAUTH-WG] Mandatory to Implement & Interoperability

[Alexey Melnikov <alexey.melnikov@isode.com>]

On 08/12/2011 14:18, Hannes Tschofenig wrote:
> Hi all,
Hi Hannes,
Some random thoughts about your message below:
> I read through this rather long mail thread again and see whether we are reaching any conclusion on this discussion.
> In turns out that there are actually two types of discussions that relate to each other, namely the TLS version support and the token type.
>
> Let me go back in time a little bit when I was still chairing another working group (years ago), namely the KEYPROV working group. There we ran into a similar issue, which looked fairly simple at the beginning. We worked on Portable Symmetric Key Container (PSKC),  later published as RFC 6030. We were at the stage where we thought we had to decide on a mandatory-to-implement cryptographic algorithm and, similar to the OAuth case, PSKC is one building block in a larger protocol suite. As you can imagine, everyone had their own deployment environment in mind and did not like the suggestion others made about what as mandatory to implement.
>
> Russ (now IETF chair and at that time security area director) told the group not to worry - we don't need to pick an algorithm. He suggested to just provide a recommendation of what is best in a specific deployment environment (at the time of writing). In fact, he proposed to publish a separate document instead to discussing it in that document.
>
> I was surprised because I was couldn't see how one would accomplish interoperability. Russ told me that this is in practice not a problem because implementations often implement a range of cryptographic algorithms anyway. Then, as part of the algorithm negotiation procedure (or some discovery) they will figure out what both end points support. He further argued that algorithm preferences will change (as algorithms get old) and we don't want to update our specifications all the time. (This was a bit motivated by the MD5 clean-up that happened at that time.) [Please forgive me if I do not recall the exact words he said many years ago.]
>
> I believe we are having a similar discussion here as well, both with the token type but also with the TLS version. We look at individual specifications because we are used to add security consideration sections to each and every document. Unfortunately, the most useful statements about security (for these multi-party protocols where the functionality is spread over multiple documents) can really only be made at a higher level. Our approach for describing security threats and for recommending countermeasures isn't suitable to all the documents we produce.
>
> Let me list a few desirable results of our standardization work:
>
> 1) Everyone wants interoperability. We can do interop testing of building blocks to see whether a client and a server are able to interact. For example, we could write a few test cases to see how two independent bearer token specifications work with each other. That approach works for some of our building blocks. I do, however, believe that we are more interested of an interoperable system consisting of several components rather than having interop between random components. Even if we do not like it, OAuth is an application level protocol that requires a number of things to be in place to make sense.
>
> 2) We want libraries to be available that allow implementers to quickly "OAuth-enable" their Web applications, i.e., by quickly I mean that an application develop shouldn't have to write everything from scratch. Most of the development time will be spent on aspects that are not subject to standardization in the working group (such as the user interface and the actual application semantic -- the data sharing that happens once the authorization step is completed). These libraries are likely to support various extensions and getting two different implementations to interwork will IMHO in practice not be a problem. However, for a real deployment it seems that the current direction where people are going is more in the line of trust frameworks where much more than just technical interoperability is needed for a working system. See the discussions around NSTIC for that matter.
>
> 3) We want the ability for algorithm negotiation/discovery, at least up to a certain degree. For example, it would would nice if a client talks to a server and they both implement TLS 1.2 then they actually use it. The requirement for crypto-agility fits in here as well.
Algorithm negotiation/discovery is always a good thing.

TLS already have this capability builtin, so doing TLS version 
negotiation at the application layer would be wrong.
> 4) We want to separate the protocol specification from the cryptographic algorithms and other faster changing components. We don't want to update our protocol specification just because an algorithm becomes obsolete or the protocol suddenly gets used in a different environment where other constraints may be prevalent.
Separating requirement on crypto from the rest of the protocol is 
generally a good thing.
> 5) The security analysis and the solution approaches will vary based on the deployment environment. During the Taipei OAuth WG meeting I tried to explain what I mean with this statement with my reference to NIST SP 800-63. For some reason I failed to get the story across and so I try it again here.
>
> The authors of NIST SP 800-63 (of which one is Tim Polk, former IETF security AD) noticed that identity management protocols will be used for a variety of different usages, each with different security properties, and varying privacy requirements. For this purpose, the NIST guys had introduced the famous "Level of Assurance (LoA)" concept. Different levels put different requirements on different parts of the protocol suite. There is no expectation that bearer assertions will be issued by an authorization server for usage with a client at LoA level 4. A client implementation for the health care environment may also not expect to accept LoA 1 only suitable mechanisms.
>
> While it may be fine for certain environments not to care about the installed code size there are certainly cases where size of code matters. I am not only thinking about the Internet of Things space but also about the vulnerabilities that are introduced by unnecessary code.
If the WG is making a claim that OAuth is always going to be a part of 
bigger environments (e.g. healthcare, military, etc), each with its own 
requirements on security mechanisms, then I think this needs to be 
captured in one of the OAuth documents. This is your escape clause from 
the de-facto requirement to specify mandatory-to-implement mechanisms.
> While I understand that it would be great if anything interworks with anything else out of the box I don't see how to get there.
>
> Hence, I suggest that we
>
> a) skip specifying a mandatory-to-implement token-type, TLS version, etc. in the individual specifications,
> b) complete re-chartering and to get some of the other needed building blocks done that get us closer to an more complete "system,
> c) develop OAuth profiles and security recommendations for different security levels (in the style of what SP 800-63 outlines),
> d) capture this discussion on mandatory-to-implement security mechanisms in a draft and socialize it with the rest of the IETF security community,
If I were your AD, I would have asked for some demonstrated effort on d) 
and possibly c) [e.g. some drafts written] before allowing a) and b) to 
go forward.
> e) have a broader discussion about what we envision the Web identity eco-system to look like. http://tools.ietf.org/html/draft-tschofenig-secure-the-web-00 tries to make a first step but it is still at an early stage.
>
> Ciao
> Hannes