[OAUTH-WG] Re: Call for adoption - PIKA

Michael Jones <michael_b_jones@hotmail.com> Tue, 25 June 2024 21:53 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Richard Barnes <rlb@ipv.sx>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 25 Jun 2024 21:53:47 +0000
Message-ID: <SJ0PR02MB7439E4391F43BC7D045859F2B7D52@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com> <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com>
In-Reply-To: <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com>
CC: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ytLIGqfljNBTnJU62fJo0Qlx2qY>

The other critique I voiced of the approach is that the application-level X.509 certificate can be used to secure the HOST part of the issuer, but not the entire issuer, since in general, the issuer will contain a PATH.  Yes, the service hosting the issuers controls all the paths, as Richard replied earlier, but it’s not the service who is the attacker that this enables.  The attackers that not securing the PATH enables are the tenants themselves.

An attacker could host a tenant at the service and get an X.509 certificate securing the HOST part of its issuer.  However, because a legitimate tenant at another path shares the same HOST, the attacker can copy its X.509 certificate chain and utilize a substitution attack to make unauthorized statements about the victim tenant – statements that were not made by the hosting service.

This attack was not addressed, and I believe is intrinsic to the decision not to protect the entire issuer value.

I believe that adopting this draft would result in this attack occurring in practice.

Thank you,
-- Mike
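The gap Mike describes above, modelled as an added example that is not code from this thread or from the PIKA draft. It assumes a simplified model of the verifier: chain validation and signature verification have already succeeded, and the only remaining question is what the leaf certificate actually binds the signed statement to. `host_only_binding` is the check the thread criticises (the leaf names the issuer's host); `full_issuer_binding` additionally requires the leaf to name the whole issuer value through a URI subjectAltName, which is my assumption of one way to cover the entire issuer, not something the draft or the thread specifies. All hosts, tenants and certificates are constructed for the example.

```python
"""Host-only vs. whole-issuer binding for an issuer-authority statement.

Constructed example. Signature and chain checks are assumed to have passed
already; only the authority-binding step is modelled here.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LeafCert:
    """Leaf certificate of the presented chain, reduced to its SAN entries."""
    dns_names: tuple            # dNSName SANs, as in a normal web-server cert
    uris: tuple = ()            # uniformResourceIdentifier SANs (assumed binding)


@dataclass(frozen=True)
class IssuerStatement:
    """A signed statement claiming to speak for issuer `iss`, presented with a chain."""
    iss: str
    leaf: LeafCert              # the leaf whose key produced the (already verified) signature


def issuer_host(iss: str) -> str:
    """Extract the HOST part of an issuer URL; reject anything that is not https."""
    parts = urlsplit(iss)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("issuer must be an https URL with a host")
    return parts.hostname.lower()


def host_only_binding(stmt: IssuerStatement) -> bool:
    """Accept if the leaf names the issuer's HOST.

    This is the check the thread calls insufficient: every tenant hosted on the
    same host holds a leaf that satisfies it, whatever PATH the `iss` carries.
    """
    return issuer_host(stmt.iss) in (n.lower() for n in stmt.leaf.dns_names)


def full_issuer_binding(stmt: IssuerStatement) -> bool:
    """Accept only if the leaf also names the ENTIRE issuer value (assumed URI SAN)."""
    wanted = stmt.iss.rstrip("/")
    return host_only_binding(stmt) and wanted in (u.rstrip("/") for u in stmt.leaf.uris)


# Constructed scenario: one hosting service, two tenants under different paths.
VICTIM_ISS = "https://idp.example/tenants/acme"
ATTACKER_ISS = "https://idp.example/tenants/mallory"

# Each tenant obtained a certificate for the shared HOST and signs with its own key.
ACME_LEAF = LeafCert(dns_names=("idp.example",), uris=(VICTIM_ISS,))
MALLORY_LEAF = LeafCert(dns_names=("idp.example",), uris=(ATTACKER_ISS,))


def substitution_outcomes() -> dict:
    """Run both checks over the substitution case and two control cases."""
    # Mallory signs a statement about acme's issuer with Mallory's own host-valid leaf.
    substituted = IssuerStatement(iss=VICTIM_ISS, leaf=MALLORY_LEAF)
    # Control: a statement for a different host is rejected even by the weak check.
    other_host = IssuerStatement(iss="https://other.example/tenants/acme", leaf=MALLORY_LEAF)
    # Control: acme's own statement, signed under acme's own leaf.
    legit = IssuerStatement(iss=VICTIM_ISS, leaf=ACME_LEAF)
    return {
        "host_only_accepts_substitution": host_only_binding(substituted),
        "host_only_rejects_other_host": not host_only_binding(other_host),
        "full_issuer_rejects_substitution": not full_issuer_binding(substituted),
        "full_issuer_accepts_legit": full_issuer_binding(legit),
    }


if __name__ == "__main__":
    for name, ok in substitution_outcomes().items():
        print(f"{name}: {ok}")
```

The two controls matter as much as the substitution case: the host-only check is not useless (it still rejects a foreign host), which is exactly why the weakness is easy to miss in testing, and the stronger check must still accept a tenant's statement about its own issuer.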

From: Richard Barnes <rlb@ipv.sx>
Sent: Tuesday, June 25, 2024 1:56 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA

Hi all,

Replying to the top of the thread again to recap the arguments so far.  (Hoping the chairs will give us a moment more to discuss before calling cloture.)

It seems like Sharon, Rohan, Watson, and I are all on the same page w.r.t. the X.509-based mechanisms in the current draft.  In particular, we're all developers of relying party software, and it seems like we're all OK with doing X.509 (contra Mike's point about application-level X.509).

If I understand Mike and Giuseppe correctly, they want to be less prescriptive about how the PIKA signer establishes their authority for an "iss" value, so that an OP could use some other mechanism (e.g., OpenID Federation).  It sounds like Mike at least is OK with the draft aside from this point.

I would be open to adding some optionality in the authority mechanism here, but I'm wary of losing the concrete interop that we get with the draft as it is.  So we would need at least a strong recommendation for X.509, even if something else can be used if the parties agree to it.  I would be more comfortable doing something along the lines of what Rohan suggests, namely defining a concrete, X.509-based thing here, and extending it to support other mechanisms via follow-on specs as needed.  If there were a single additional mechanism that people wanted, as opposed to a generic "[insert authority mechanism here]", that would also be more palatable to me.

Additional feedback would be useful on a couple of points:

1. From RPs: Is the X.509 requirement onerous to you?  Or is there enough library support out there that it's not a big deal?
2. From OPs: Is signing using a key bound to an X.509 certificate workable for you?  Or do you need some other authority framework?
3. From everyone: Is the general mechanism here useful, assuming we can align on some set of authority frameworks?

Thanks,
--Richard


On Mon, Jun 10, 2024 at 7:47 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
All,
This is an official call for adoption for the Proof of Issuer Key Authority (PIKA) draft:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

Please reply on the mailing list and let us know if you are in favor of or against adopting this draft as a WG document, by June 24th.

Regards,
Rifaat & Hannes

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org