Re: [OAUTH-WG] security considerations for draft-ietf-oauth-mtls-12

Brian Campbell <bcampbell@pingidentity.com> Thu, 01 November 2018 14:37 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 01 Nov 2018 08:37:11 -0600
Message-ID: <CA+k3eCT78Vszyh4Ue+yZ+5pK22yxrhHMwEGty=sXTDs5ttOvVg@mail.gmail.com>
To: jmg+oauth@newcontext.com
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z0lM1NdjnOGT0RThBZsxBt-noJI>

To be honest, I thought that was a relatively well-known aspect of TLS 1.2
(and prior) and a noted difference of the new features in TLS 1.3. Also,
I'd note that we're well past WGLC for this document. But, with that said,
I suppose adding some privacy considerations text on the subject is
worthwhile. Would you propose some text for the WG to consider, John-Mark,
bearing in mind that the implications of a certificate presented by, and
representing, an OAuth client are somewhat different than for an end-user
doing client cert authentication?

On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oauth@newcontext.com> wrote:

> I would suggest that the security considerations section of
> draft-ietf-oauth-mtls-12 be expanded to include the privacy
> implications of using this on versions of TLS before 1.3.  On all
> versions of TLS before 1.3, the client cert is not encrypted and can
> be used by third parties to monitor and track users.  I recently
> posted a blog entry about this:
> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
>
> Thanks.
>
> John-Mark Gurney
>

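An added illustration of the exposure John-Mark raises (example code written for this archive page, not from the draft or either poster): a passive parser that walks the TLS records of a captured client-to-server flight and recovers any Certificate message carried in cleartext. With TLS 1.2 and earlier the client certificate is readable by anyone on the path, so an operator can use this kind of check to audit whether an mTLS deployment still exposes it; with TLS 1.3 the same message travels inside an encrypted record and the parser recovers nothing. All byte strings below are constructed, not captured.

```python
import struct

RECORD_HANDSHAKE, RECORD_APPDATA, HS_CERTIFICATE = 22, 23, 11

def iter_records(data: bytes):
    """Yield (content_type, fragment) per TLS record; the 5-byte header is type, version, length."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        yield ctype, frag
        off += 5 + length
def iter_handshakes(fragment: bytes):
    """Yield (handshake_type, body) per message; the 4-byte header is type plus 3-byte length."""
    off = 0
    while off + 4 <= len(fragment):
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        yield fragment[off], fragment[off + 4:off + 4 + length]
        off += 4 + length
def parse_certificate_body(body: bytes):
    """Return the DER certificates in a TLS 1.2 Certificate message (3-byte list and entry lengths)."""
    end, off, certs = 3 + int.from_bytes(body[:3], "big"), 3, []
    while off + 3 <= end:
        n = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + n])
        off += 3 + n
    return certs
def exposed_client_certificates(flight: bytes):
    """DER client certificates a passive observer can read from this flight. Only plaintext Handshake
    records (TLS 1.2 and earlier) are parsed; TLS 1.3 encrypts its Certificate (outer type 23)."""
    found = []
    for ctype, frag in iter_records(flight):
        if ctype == RECORD_HANDSHAKE:
            for hs_type, body in iter_handshakes(frag):
                if hs_type == HS_CERTIFICATE:
                    found.extend(parse_certificate_body(body))
    return found
def build_tls12_certificate_record(der: bytes) -> bytes:
    """Constructed TLS 1.2 Handshake record carrying a Certificate message with one certificate."""
    cert_list = len(der).to_bytes(3, "big") + der
    body = len(cert_list).to_bytes(3, "big") + cert_list
    hs = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0303, len(hs)) + hs

# Constructed sample input: a stand-in DER blob (real certificates are far larger) sent in a TLS 1.2
# flight, and an opaque encrypted TLS 1.3 record standing in for the same client Certificate message.
FAKE_DER = b"\x30\x82\x00\x10" + b"\xaa" * 16
TLS12_FLIGHT = build_tls12_certificate_record(FAKE_DER)
TLS13_FLIGHT = struct.pack("!BHH", RECORD_APPDATA, 0x0303, 24) + b"\x00" * 24
```

Running `exposed_client_certificates` over `TLS12_FLIGHT` returns the certificate bytes intact, while the same call over `TLS13_FLIGHT` returns an empty list.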