Re: [secdir] review of draft-ietf-oauth-introspection-09
Stephen Kent <kent@bbn.com> Thu, 04 June 2015 16:18 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64E401A9023 for <secdir@ietfa.amsl.com>; Thu, 4 Jun 2015 09:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3RCVM9rcfOqk for <secdir@ietfa.amsl.com>; Thu, 4 Jun 2015 09:18:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FB681A9005 for <secdir@ietf.org>; Thu, 4 Jun 2015 09:18:37 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:37492 helo=COMSEC.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Z0Xqg-0001Lf-Bs; Thu, 04 Jun 2015 12:18:30 -0400
Message-ID: <55707A56.5000105@bbn.com>
Date: Thu, 04 Jun 2015 12:18:30 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Justin Richer <jricher@mit.edu>
References: <556CACEC.2030501@bbn.com> <8CBCFD65-237C-4683-B84B-B058DD5E166F@mit.edu>
In-Reply-To: <8CBCFD65-237C-4683-B84B-B058DD5E166F@mit.edu>
Content-Type: multipart/alternative; boundary="------------040606060907060309060607"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/VGRxciiBCFb6dpj8ETZ01B0UoYI>
Cc: secdir <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-oauth-introspection-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2015 16:18:39 -0000
Justin, > Stephen, thanks for the review. Comments inline. > >> ... >> >> The text says: >> >> The introspection endpoint MUST be protected by a transport-layer >> security mechanism as described in Section 4. >> >> It might be clearer to say here that the token endpoint MUST >> communicate security with the introspection endpoint, and that TLS >> 1.2 is the mandatory-to-implement mechanism for such security. Also, >> the text should be clearer about the relationship between an >> authorization server and an introspection endpoint. In some places >> the two terms seem to be used interchangeably. >> > > This language was imported from the soon-to-be-published OAuth Dynamic > Registration drafts, including the forward reference. We don’t want to > repeat the requirement text. I didn't review the dynamic registration docs, or I would have made the same comment there :-). If you don't want to repeat requirements text, then I suggest you might re-word the sentence I cited so that it's clearer. Saying that an endpoint must be protected by a transport layer security mechanism seems needlessly ambiguous. > ... >> >> How does a protected resource know which other parameters an >> introspection endpoint requires/accepts? >> >> > > We’re assuming it would be either an extension or deployment-specific. an extension to what? it seems that a primary motivation for this document is to fix problems that arose because of inadequate specifications for OAuth token syntax. In that light, this description of "other parameters" seems to perpetuate this sort of problem. > > >> This section mandates (MUST) protection against “unauthorized token >> scanning” but mandates no standard way to do so. [Also, when would a >> scanning “attack” be authorized ;-)] >> >> > > Is there something more specific we can recommend here? Perhaps in the > security considerations section. yes, the SC section is where there should be suggestions on how to protect against such attacks. if you can't recommend something specific, then mandating that something be done seems possibly vacuous, a MUST that will never be realized in practice (see RFC 6919). > > And the attack could actually take place where an authorized protected > resource goes fishing for other valid tokens. The attack isn’t > authorized, but the client is … and yes that’s not what we meant but > I’m sticking to it. ;) so, as I said, the attack is not authorized, and the phrase "unauthorized attack" will make most security experts cringe. is cringing a goal? > >> ... >> >> IANA must only accept registry updates from the Designated Expert(s) >> >> and should direct all requests for registration to the review mailing >> >> list. >> >> How about: >> >> IANA *MUST* accept registry updates *only* from the Designated Expert(s) >> >> and *SHOULD* direct all requests for registration to the review mailing >> >> list. >> > > > This text was imported from a template, I’d be glad to change it if > there’s a better one. one should not assume that a doc that has made it through the RFC approval process is perfect. > >> Section 3.1.1 >> >> If a proposed Name matches one already registered as per 7519, ought >> it not have an “equivalent” (vs. “comparable”) definition if it is to >> be accepted? >> >> > > It really is comparable, since the contexts are pretty different. if the contexts are so different, and thus the semantics are not equivalent, why is the reuse of the name, and the potential confusion acceptable? > >> Section 4 >> >> The text lists four checks to be performed by an authorization >> server, yet the introduction to this list says “For instance:” A more >> normative introduction would seem appropriate here. I realize that >> the text says that not all of these checks may be applicable in all >> OAuth 2.0 contexts, but since each check begins with “If the token …” >> isn’t that a sufficient caveat? >> >> > > This is not a normative requirement, since everything is contextual to > the nature of the tokens issued by the authorization server. so you're saying that there is no set of checks that every authorization server can be expected to perform? not even token expiration? Steve
- [secdir] review of draft-ietf-oauth-introspection… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer