Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

Rob Otto <robotto@pingidentity.com> Tue, 19 November 2019 10:22 UTC

From: Rob Otto <robotto@pingidentity.com>
Date: Tue, 19 Nov 2019 10:22:04 +0000
Message-ID: <CABh6VRFga_Mi0F0SKH7B9FhjQopeB-Zfxtbt6wMFFtFOAHgH_Q@mail.gmail.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z79dkOfOS8YFgLxTuwFj__ySehU>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [3/3]

"don't use the Implicit or Resource Owner Password Credentials grant types"

I cannot overstate how strongly I would support this recommendation in
particular!

Best regards
Rob


On Tue, 19 Nov 2019 at 10:07, Hans Zandbelt <hans.zandbelt@zmartzone.eu>
wrote:

> How about:
>
> - don't use the Implicit or Resource Owner Password Credentials grant
> types
> - perform exact matching of redirect URIs and make them Client/AS specific
> - use PKCE
>
> Hans.
>
> On Tue, Nov 19, 2019 at 5:58 PM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
>>
>>
>> > On 19. Nov 2019, at 17:10, Hans Zandbelt <hans.zandbelt@zmartzone.eu>
>> wrote:
>> >
>> >
>> >
>> > On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>> > Hi Hans,
>> >
>> > > On 18. Nov 2019, at 04:11, Hans Zandbelt <hans.zandbelt@zmartzone.eu>
>> wrote:
>> > >
>> > > Hi,
>> > >
>> > > Please find my feedback from page 21 onwards below.
>> > >
>> > > Hans.
>> > >
>> > > Overall I would argue there's room for a very concise guidance
>> section that says: do this, don't do that, without explanation, just as a
>> reference for developers; the current text provides in depth analysis but
>> that is perhaps not suitable for developers who just want to know what to
>> do (or not to do) and don't really care about the background/reasoning
>> >
>> > While section 4 gives the raw security threat analysis, we tried to
>> summarise the actionable guidance in section 3. What do you miss there?
>> >
>> > I'd rather see it even shorter and more concise, but I guess you're
>> right, it is there
>>
>> Do you want to suggest some text?
>>
>> >
>> > >
>> > > P21
>> > > first bullet
>> > > "the client has bound this data to this particular instance." ->
>> particular instance of what?
>> >
>> > This bullet refers to the note above.
>> >
>> > "Note: this check could also detect attempts to inject a code which
>> >    had been obtained from another instance of the same client on another
>> >    device, if certain conditions are fulfilled:"
>> >
>> > ok, I see
>> >
>> > >
>> > > 3rd paragraph:
>> > > "call to the tokens endpoint." -> "call to the token endpoint."
>> >
>> > Fixed
>> >
>> > >
>> > > last paragraph could forward point to the next section by adding
>> something like
>> > > "using one of the mechanisms described in the next section."
>> >
>> > Incorporated
>> >
>> > >
>> > > P22
>> > > 3rd paragraph:
>> > > is the token binding guidance still accurate? it seems to be
>> overestimating the adoption
>> >
>> > You mean this statement?
>> >
>> > "Token binding is
>> >       promising as a secure and convenient mechanism (due to its browser
>> >       integration).  As a challenge, it requires broad browser support
>> >       and use with native apps is still under discussion."
>> >
>> > yeah, but after re-reading I guess this actually spells out the
>> adoption conditions, so it is fine
>> >
>> > Hans.
>> >
>> >
>> > Thanks,
>> > Torsten.
>> >
>> > >
>> > > --
>> > > hans.zandbelt@zmartzone.eu
>> > > ZmartZone IAM - www.zmartzone.eu
>> > > _______________________________________________
>> > > OAuth mailing list
>> > > OAuth@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/oauth
>> >
>> >
>> >
>> > --
>> > hans.zandbelt@zmartzone.eu
>> > ZmartZone IAM - www.zmartzone.eu
>>
>>
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
>


-- 
Rob Otto
EMEA Field CTO/Solutions Architect
robertotto@pingidentity.com

c: +44 (0) 777 135 6092

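Hans's three bullets (no Implicit or ROPC, exact redirect URI matching, PKCE) written out as authorization-server-side checks. This is an added example, not code from the draft or from any participant in the thread; the client registry, the function names and the way the stored `code_challenge` is passed in are assumptions, the S256 construction follows RFC 7636.

```python
"""AS-side checks for the guidance in the thread: reject the Implicit and
Resource Owner Password Credentials grants, match redirect URIs exactly,
and require PKCE with S256 (RFC 7636). Example code, not from the draft."""
import base64
import hashlib
import hmac
import secrets

# Constructed registry (assumption): client_id -> registered redirect URIs.
CLIENTS = {"app1": ["https://client.example/cb"]}


def make_code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes -> 43 unreserved chars, the RFC 7636 minimum length.
    raw = base64.urlsafe_b64encode(secrets.token_bytes(32))
    return raw.rstrip(b"=").decode("ascii")


def check_authorization_request(params: dict) -> tuple:
    """Checks applied when the authorization request arrives."""
    if "token" in params.get("response_type", "").split():
        return False, "implicit grant not allowed"
    registered = CLIENTS.get(params.get("client_id"), [])
    # Exact string comparison only: no prefix match, no normalisation,
    # and the candidate set is specific to this client.
    if params.get("redirect_uri") not in registered:
        return False, "redirect_uri not registered for this client"
    if params.get("code_challenge_method") != "S256":
        return False, "PKCE with S256 required"
    if not params.get("code_challenge"):
        return False, "code_challenge missing"
    return True, "ok"


def check_token_request(params: dict, stored_challenge: str) -> tuple:
    """Checks applied when the code is redeemed at the token endpoint.
    stored_challenge is the code_challenge the AS saved with the code."""
    if params.get("grant_type") == "password":
        return False, "resource owner password credentials grant not allowed"
    verifier = params.get("code_verifier", "")
    if not 43 <= len(verifier) <= 128:
        return False, "code_verifier length out of range"
    if not hmac.compare_digest(make_code_challenge(verifier), stored_challenge):
        return False, "code_verifier does not match code_challenge"
    return True, "ok"
```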