IETF Logo Mail Archive

Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-18.txt

Pawel Kowalik <kowalik@denic.de> Tue, 18 October 2022 07:19 UTC

Return-Path: <kowalik@denic.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5CE6C1524DD for <regext@ietfa.amsl.com>; Tue, 18 Oct 2022 00:19:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=denic.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6FqspXGDs2FO for <regext@ietfa.amsl.com>; Tue, 18 Oct 2022 00:19:36 -0700 (PDT)
Received: from mout-b-105.mailbox.org (mout-b-105.mailbox.org [IPv6:2001:67c:2050:102:465::105]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D165C14F73B for <regext@ietf.org>; Tue, 18 Oct 2022 00:19:34 -0700 (PDT)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-105.mailbox.org (Postfix) with ESMTPS id 4Ms4xC6735z9swh for <regext@ietf.org>; Tue, 18 Oct 2022 09:19:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=denic.de; s=MBO0001; t=1666077567; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=RAgPLyeC/a2gsnL+DsElMMG94p0Jiip8D5n154O9znU=; b=0Zcm5+p9ja5BghoFlDsRokUQBOah4S0x0ic1HqBR9UzpVXKLz99W3OyMrlh9Zu8Z2Oa20M 8dr0IZTzA9F/C/Vy5x4oyqAzERASl3nw0muHrRRDkRKMJ6xhKYPMpnbxkYbmGCIp15VOiK lBCOUejWab+lrZVH55n0GLmrAf0BUyiC8Qn2PpSkDvsw+KWrMYvkaowRhyNEmm5qr1uKxZ bn0Gi25v9xK9TaHF2ATwS3fFB5EcbI2hWhT5rMLnBWjWQUPhm+yMwaMu2dAOL1sRBSn2kI X4+yl0DsnJ/NMe7lHPFcGzmBLVB7K3qjRJmGhKXHHlUn101KRmYMeYcTEPFFOQ==
Message-ID: <30759a3c-803b-4272-5755-3d8064a4fc56@denic.de>
Date: Tue, 18 Oct 2022 09:19:23 +0200
MIME-Version: 1.0
Content-Language: en-GB
To: regext@ietf.org
References: <166601174018.24122.2194661681253850980@ietfa.amsl.com> <d5943e3bac624018872f50fd52b51ec1@verisign.com>
From: Pawel Kowalik <kowalik@denic.de>
In-Reply-To: <d5943e3bac624018872f50fd52b51ec1@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-MBO-RS-ID: 1fa9011729c994c0131
X-MBO-RS-META: zcxdjxdfzu6kcof3wc1716jyibdb7fju
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/Fdg4YzKrE0wRVVFr-Rb6tXULa7I>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-18.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2022 07:19:40 -0000

Am 17.10.22 um 15:32 schrieb Hollenbeck, Scott:

>> [SAH] This update addresses most of the feedback received during the recent WG last call. There are still a few open issues for which I'm hoping to see WG discussion:
Thank you Scott.
>> 1. How do we address web service clients?

[PK] I think the elements we need for web service clients were already 
elaborated in the discussion over the version 17.
I'm happy to support with text proposal if needed.


One additional point that appeared in the side discussion is whether 
such client shall be able to request additional claims from the OP.
Currently the specification only allows RDAP server to request claims 
which leaves the web client without such possibility, which in turn may 
end up in a broken experience.
The proposal here is to add a "scope" query parameter to the /login path 
which RDAP server may use to request additional claims from the OP on 
behalf of the client.

>>
>> 2. Are there any security concerns associated with return of the "userID", "iss", and "userClaims" members of the "farv1_session" data structure?

[PK] The specification does not foresee any (even optional) 
authentication of the client application. In this sense each client has 
to be treated as a public client.
There is a risk of malicious client obtaining access to those PII data 
because all the user sees in the consent step is RDAP requesting data to 
the OP.
Device flow is in this sense more vulnerable to phishing attacks to 
obtain PII and also access to RDAP data as such.
A countermeasure could be the RDAP server offering an own 
consent/confirmation screen displaying some identifiable information 
about the client requesting access.

>> 3. Anything else I might have inadvertently missed.

[PK] "userClaim" is marked OPTIONAL in 4.1.1 whereas the following 
chapters indicate it is mandatory most of the times:

4.2.3.  Login Response
4.4.  Session Status
4.5.  Session Refresh

I suggested to change:
...response MUST include a "farv1_session" data structure that includes 
a "userClaims" object and a "sessionInfo" object.

to

..response MUST include a "farv1_session" data structure that includes a 
"sessionInfo" object and an optional "userClaims" object.


Kind Regards,

Pawel

v2.23.0 | Report a Bug | By Email