[secdir] Secdir review of draft-ietf-oauth-dyn-reg-24
Charlie Kaufman <charliekaufman@outlook.com> Sat, 07 March 2015 03:36 UTC
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F66F1A1BDC; Fri, 6 Mar 2015 19:36:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezCVf1jUVrCB; Fri, 6 Mar 2015 19:36:51 -0800 (PST)
Received: from COL004-OMC4S6.hotmail.com (col004-omc4s6.hotmail.com [65.55.34.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604C31A00EC; Fri, 6 Mar 2015 19:36:51 -0800 (PST)
Received: from COL401-EAS166 ([65.55.34.201]) by COL004-OMC4S6.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Fri, 6 Mar 2015 19:36:51 -0800
X-TMN: [9SAeI4aVyd9GcVz5axexMrRtnZaVaTG2]
X-Originating-Email: [charliekaufman@outlook.com]
Message-ID: <COL401-EAS166C02CA0AFF8EE26977D29DF1D0@phx.gbl>
From: Charlie Kaufman <charliekaufman@outlook.com>
To: secdir@ietf.org
Date: Fri, 06 Mar 2015 19:36:57 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdBYghT9Omda/yxXSmeeerKGSxaeiA==
Content-Language: en-us
X-OriginalArrivalTime: 07 Mar 2015 03:36:51.0210 (UTC) FILETIME=[F2DC56A0:01D05887]
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/LbHWvpNKGxqbzDc3sCzrH6Tuda8>
Cc: draft-ietf-oauth-dyn-reg.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Secdir review of draft-ietf-oauth-dyn-reg-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2015 03:36:53 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. This document specifies a protocol whereby an instance of installed software on a node can register itself with an OAuth 2.0 authorization server and in doing so (normally) acquire a secret to be used in subsequent authentications. According to the introduction: "This specification generalizes the registration mechanisms defined by the OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] specification and used by the User Managed Access (UMA) Profile of OAuth 2.0 [I-D.hardjono-oauth-umacore] specification in a way that is compatible with both, while being applicable to a wider set of OAuth 2.0 use cases." I am not an expert on the evolution of OAuth, and I would expect others on Secdir are, so they be more able to evaluate the goodness of the particular design decisions, but this appears to me to be consistent with the way OAuth does related things and the particular attributes that this document specifies as being relevant to the process seem right. The security considerations section of the document is somewhat unorthodox in that it specifies security aspects of the protocol (e.g., that it MUST run over TLS 1.2 and MAY run over other transport-layer mechanisms. In most recent RFCs, the security considerations section is not normative but rather reviews the security aspects of the protocol. I'm not objecting though... this organization seems entirely reasonable. I will throw in one vague concern and one specific issue: 1) This document is all about infrastructure to allow software (as opposed to the end user or service using the software) to authenticate itself. This has been the holy grail of many authorization architectures for a long time, but the technology to accomplish it securely is by and large still not in place. I worry that specifying protocols for doing it might fool people into thinking they are getting more security than they really are. There may be some other document containing the rationale and scenarios for attempting this, but it was not obvious (at least to me) from reading the document. 2) The software_version values are specified as opaque where the only operation to be done on them is comparisons for equality. It's not clear (at least to me) the intended usage of this field, but generally version numbers work best when they have multiple parts (at least major version and minor version and sometimes lower level indicators) and where the different parts can be compared for "greater than" and "less than" in addition to tests for equality. That allows forward compatibility when a new version is released that is intended to be compatible with an existing version while detecting incompatibility in the case where a major version number changes. --Charlie
- [secdir] Secdir review of draft-ietf-oauth-dyn-re… Charlie Kaufman