Re: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-06.txt

Denis <denis.ietf@free.fr> Wed, 23 May 2018 11:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x4mYRW2mkz5m97TkUeRfBtKaWFY>

Hi Joseph,

Among these 39 slides, to which attack(s) are you referring?

I wrote: "It is quite hard to understand under which context(s) and
conditions OAuth 2.0 could be safely used".

For each counter-measure, it would be useful to explain under which
context(s) or under which assumptions it should be used.

Denis

> Hi Denis,
>
>> On 22 May 2018, at 14:05, Denis <denis.ietf@free.fr 
>> <mailto:denis.ietf@free.fr>> wrote:
>>
>> In particular, the text states:
>>
>>        "Clients shall use PKCE [RFC7636] in order to (with the help 
>> of the authorization server) detect and prevent attempts
>>         to inject (replay) authorization codes into the authorization 
>> response".
>>
>> This is incorrect, since RFC7636 should be used when the 
>> authorization code is returned from the authorization endpoint
>> within a communication path that is _not protected_ by Transport 
>> Layer Security (TLS).
>>
> That is not really the full story as we've seen attacks where URLs 
> that you would expect to be protected by TLS are vulnerable; one 
> example is:
>
> https://www.blackhat.com/docs/us-16/materials/us-16-Kotler-Crippling-HTTPS-With-Unholy-PAC.pdf
>
> IMHO it would be sane to use PKCE anywhere where a code is returned in 
> the URL and there isn't another proof of possession / token binding 
> mechanism in play.
>
> Joseph
>
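The draft text quoted above says PKCE lets the client and authorization server "detect and prevent attempts to inject (replay) authorization codes into the authorization response". The following Python script is an added illustration of that mechanism; it is not code from the draft, from Denis or from Joseph. It models a minimal authorization server and public client that implement the RFC 7636 S256 method, then runs three exchanges: an honest flow, a replay of an already-redeemed code, and an injection of a code that an attacker obtained from their own flow into the victim's session. The client_id, redirect URI and in-memory code store are hypothetical; the token-endpoint check (SHA-256 of the verifier the redeeming session holds must equal the challenge the code was bound to) is independent of how the code travelled through the redirect.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    # Hypothetical in-memory store: code -> (client_id, redirect_uri, code_challenge)
    _codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the presented challenge."""
        if method != "S256":
            raise ValueError("only S256 is modelled here")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str):
        """Token endpoint: returns a token, or None on any failed check."""
        entry = self._codes.pop(code, None)   # single use: a second redemption fails
        if entry is None:
            return None                        # unknown or already-used code
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        # The PKCE check: the redeeming session must hold the verifier whose
        # hash was sent when the code was issued. An injected code was bound
        # to the attacker's challenge, so the victim's verifier cannot match.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return "access-token-for-" + client_id  # hypothetical token value


@dataclass
class ClientSession:
    """One browser/app session of a public client (no client secret)."""
    client_id: str
    redirect_uri: str
    verifier: str = field(default_factory=make_code_verifier)

    def start(self, auth_server: AuthorizationServer) -> str:
        # Authorization request carries only the challenge, never the verifier.
        return auth_server.authorize(self.client_id, self.redirect_uri,
                                     code_challenge_s256(self.verifier))

    def finish(self, auth_server: AuthorizationServer, code: str):
        # Code exchange carries the verifier this session generated at start().
        return auth_server.token(self.client_id, self.redirect_uri,
                                 code, self.verifier)


def run_scenarios():
    """Returns (honest_result, replay_result, injection_result)."""
    auth = AuthorizationServer()
    client_id, cb = "app", "https://app.example/cb"   # constructed sample values

    # 1. Honest flow: the session that started the flow redeems its own code.
    victim = ClientSession(client_id, cb)
    code = victim.start(auth)
    honest = victim.finish(auth, code)

    # 2. Replay: the same code presented again is refused (single use).
    replay = victim.finish(auth, code)

    # 3. Injection: attacker runs their own flow with the same public client_id,
    #    obtains a code bound to *their* challenge, and injects it into the
    #    redirect of a different victim session that has its own verifier.
    attacker = ClientSession(client_id, cb)
    injected_code = attacker.start(auth)
    victim2 = ClientSession(client_id, cb)
    victim2.start(auth)
    injected = victim2.finish(auth, injected_code)

    return honest, replay, injected


if __name__ == "__main__":
    print(run_scenarios())
```

Only the honest exchange yields a token; the replay fails because the code is consumed on first use, and the injected code fails because it was bound to the attacker's challenge while the victim's session presents its own verifier. Without PKCE (or another proof-of-possession binding), the third exchange would succeed and the victim's session would be logged into the attacker's authorization.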