Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Filip Skokan <panva.ip@gmail.com> Fri, 14 August 2020 10:59 UTC

References: <MN2PR00MB06863A1064A05D8029C44788F5431@MN2PR00MB0686.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB06863A1064A05D8029C44788F5431@MN2PR00MB0686.namprd00.prod.outlook.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Fri, 14 Aug 2020 12:58:53 +0200
Message-ID: <CALAqi_9M40enpWOMO2h5rVdiveOxh6hnA1ZLc9EJJ-H_Fp59+g@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Nat Sakimura <nat@nat.consulting>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Brian Campbell <bcampbell@pingidentity.com>, The IESG <iesg@ietf.org>, oauth <oauth@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "draft-ietf-oauth-jwsreq@ietf.org" <draft-ietf-oauth-jwsreq@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xtsjjAu7fv4n8_7HZOuN9HGoMCg>

Hi Mike, Nat,

I thought we would go as far as making these normative requirements

   - if the Request Object includes a sub claim with the value of the
   client_id the AS MUST reject the request
   - if the Request Object is explicitly typed (typ) its value MUST be ...

The first rejects client assertions being passed as Request Objects. The
second rejects all future typed JWT profiles from being used as Request
Objects, without worrying about the claims they may or may not contain.

Or is that breaking?

Best regards,
*Filip Skokan*

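One way to implement the two checks proposed above on the AS side, together with the point Brian makes below that an untyped JWT client assertion can be replayed as a Request Object. This is an added example, not code from the draft or from any of the participants: the shared key, client identifier, issuer URLs and the Request Object `typ` value are assumed (the thread leaves that value unspecified), and HS256 is used only so the example runs without dependencies.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Everything below is constructed for the example: shared HS256 key, client id,
# AS issuer. A real AS would verify against the client's registered public key.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = AS_ISSUER + "/token"
# Assumed 'typ' value for Request Objects; the thread leaves it as "...".
REQUEST_OBJECT_TYP = "oauth-authz-req+jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: Dict, claims: Dict, key: bytes) -> str:
    """Minimal HS256 JWS (compact serialization) so the example runs offline."""
    full_header = {"alg": "HS256", **header}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(full_header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_request_object(jws: str, client_id: str, key: bytes,
                            expected_typ: str = REQUEST_OBJECT_TYP) -> Tuple[bool, str]:
    """AS-side acceptance test for a Request Object. Returns (accepted, reason)."""
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    h_b64, p_b64, s_b64 = parts
    mac = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(p_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Second proposed rule: an explicitly typed JWT must carry the Request
    # Object type, which shuts out every other typed JWT profile regardless of
    # what claims it happens to contain.
    if "typ" in header and header["typ"] != expected_typ:
        return False, "typ {!r} is not a Request Object".format(header["typ"])
    # First proposed rule: sub == client_id is the signature of a JWT client
    # assertion (RFC 7523: iss == sub == client_id), so reject it even though
    # it is untyped and would otherwise parse as a Request Object.
    if claims.get("sub") == client_id:
        return False, "sub equals client_id: this is a client assertion"
    if claims.get("iss") != client_id:
        return False, "iss is not the client"
    if claims.get("aud") != AS_ISSUER:
        return False, "aud is not this AS"
    if "exp" in claims and claims["exp"] < time.time():
        return False, "expired"
    return True, "ok"


def make_client_assertion(key: bytes = DEMO_KEY) -> str:
    """RFC 7523 client assertion, as a client would send it to the token endpoint."""
    return sign_jwt({}, {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
                         "jti": "constructed-jti-1", "exp": int(time.time()) + 300}, key)


def make_request_object(key: bytes = DEMO_KEY,
                        typ: Optional[str] = REQUEST_OBJECT_TYP) -> str:
    """Request Object carrying the authorization request parameters (constructed)."""
    header = {} if typ is None else {"typ": typ}
    return sign_jwt(header, {"iss": CLIENT_ID, "aud": AS_ISSUER, "client_id": CLIENT_ID,
                             "response_type": "code", "scope": "openid",
                             "redirect_uri": "https://client.example.org/cb",
                             "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
                             "exp": int(time.time()) + 300}, key)


def make_other_typed_jwt(key: bytes = DEMO_KEY) -> str:
    """Same claims as a Request Object, typed for some other (assumed) JWT profile."""
    return make_request_object(key, typ="some-future-profile+jwt")
```

The order of the checks matters: the typ test runs before any claim is inspected, so a future typed profile is refused without the AS having to know its claim set, while the sub test is what catches the untyped client assertion that typing alone would let through.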

On Fri, 14 Aug 2020 at 00:59, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

> At Nat's request, I've created a pull request addressing Cross-JWT
> Confusion security considerations.  It addresses both Brian's comment and
> the IESG comments about explicit typing.  See the full PR at
> https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10.  See the source
> diffs at
> https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml.
> Please review!
>
> This is only the first commit, albeit one that addresses some of the most
> substantive issues.  More commits will follow addressing additional IESG
> comments.
>
>                                 -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> Sent: Thursday, August 13, 2020 2:59 PM
> To: Brian Campbell <bcampbell@pingidentity.com>
> Cc: draft-ietf-oauth-jwsreq@ietf.org; oauth-chairs@ietf.org; The IESG <
> iesg@ietf.org>; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on
> draft-ietf-oauth-jwsreq-26: (with COMMENT)
>
> Oops, that's my bad.  Thanks for the correction -- I've linked to your
> message in the datatracker (but didn't bother to have the datatracker send
> a third copy of my updated-again ballot position).
>
> -Ben
>
> On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
> > While some discussion of why explicit typing was not used might be
> > useful to have, that thread started with a request for security
> > considerations prohibiting use of the "sub" with a client ID value.
> > Because such a request JWT could be repurposed for JWT client
> > authentication. And explicit typing wouldn't help in that situation.
> >
> > On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <
> > noreply@ietf.org> wrote:
> >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > [updated to note that, per
> > > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE/
> > > and the JWT BCP (RFC 8725), some discussion of why explicit
> > > typing is not used would be in order]
> > >
> > >
> >
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>