Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

Denis <denis.ietf@free.fr> Fri, 08 November 2019 07:38 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6F212009E for <oauth@ietfa.amsl.com>; Thu, 7 Nov 2019 23:38:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-pUYqiJc68m for <oauth@ietfa.amsl.com>; Thu, 7 Nov 2019 23:38:10 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp13.smtpout.orange.fr [80.12.242.135]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8205A12003E for <oauth@ietf.org>; Thu, 7 Nov 2019 23:38:09 -0800 (PST)
Received: from [192.168.1.11] ([90.79.49.31]) by mwinf5d72 with ME id PKe62100G0gNo7u03Ke6ux; Fri, 08 Nov 2019 08:38:07 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 08 Nov 2019 08:38:07 +0100
X-ME-IP: 90.79.49.31
To: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com> <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu> <d021c84a-36f3-f371-2903-2b6051ee654f@free.fr> <8324a1d3-2fe8-430c-facc-1f3c5d7db260@danielfett.de>
From: Denis <denis.ietf@free.fr>
Message-ID: <21a36a19-1f24-25d9-9478-1e282a1bea19@free.fr>
Date: Fri, 8 Nov 2019 08:38:07 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <8324a1d3-2fe8-430c-facc-1f3c5d7db260@danielfett.de>
Content-Type: multipart/alternative; boundary="------------628A7CF4E5224EC905CAC7CD"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zxP_X6YV5t5OPZu--bIx2kGjeoc>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2019 07:38:12 -0000

Daniel,

No. It is not a correct summary. One client can allow another client to 
get an access token that belongs to it.
The key point is that a software only solution can't prevent this 
collaborative attack and since, at this time,
the OAuth WG is not considering the use of secure elements, the attack 
cannot be countered.

Please have a look at: 
https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html

Denis

> Hi Denis,
>
> Am 07.11.19 um 09:16 schrieb Denis:
>>
>> *Whatever kind of cryptographic is being used, when two users 
>> collaborate, a software-only solution will be unable to prevent the 
>> transmission *
>> *       of an attribute of a user that possess it to another user 
>> that does not possess it. *
>>
> To stay in OAuth lingo, what you are saying is: Two collaborating 
> clients can exchange their access tokens and use them.
>
> Is that a correct summary of your attack?
>
> -Daniel
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth