IETF Logo Mail Archive

[secdir] Security review of draft-ietf-oauth-dyn-reg-management-12

Ben Laurie <benl@google.com> Wed, 01 April 2015 12:29 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8761A8A23 for <secdir@ietfa.amsl.com>; Wed, 1 Apr 2015 05:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5ZFL-9Iv5W8 for <secdir@ietfa.amsl.com>; Wed, 1 Apr 2015 05:29:32 -0700 (PDT)
Received: from mail-qc0-x22e.google.com (mail-qc0-x22e.google.com [IPv6:2607:f8b0:400d:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42BDC1A8AB2 for <secdir@ietf.org>; Wed, 1 Apr 2015 05:29:32 -0700 (PDT)
Received: by qcbii10 with SMTP id ii10so16291332qcb.2 for <secdir@ietf.org>; Wed, 01 Apr 2015 05:29:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=iWLcEORnTgNzhhM+wIqPy+syI9smdhMl5WdGufEb/7M=; b=mhzLR4eMFiak3KyQVndy+9IbW6QRqphzxZp5F0rj/hHGhGgimCNGwm7gULqgnOCr1s svuhT6pQVrZ8xlHHB+Pxl/N6D0V1johm9Lajk1jOEGgWGDWF7GubEL5ziSgbIVBX66O0 3YjlgJ38fP82vmFPXSf/SEh1XJMztXQNPIfQun3kSXvWGmv2A/ssPtaFE6voY1Fs8FVb CgP+GOUDO0o2eRsAmTt+DyO8wfu2unqqe2ZuUTZW7+/Qkxgu0jcO2sBS2SN3OIi/qf3n 8j1SGNeWNpWHoyXdnOUluUm9du8UlCO3daZPADdo7FDAEyjIyDkfZangqYh3QsYNRvpF ggbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=iWLcEORnTgNzhhM+wIqPy+syI9smdhMl5WdGufEb/7M=; b=GP/s7obobDwpgqdO+q8N5lZCirFLSqNZkzfxJENEPsKA/JUtWEov+F6nFu7SZPCBsK zVXteMGYovxP9MU9V/YpUqbyJH7mlveDklQmOBLY0/JFn0kyNTYktAQzymLX8kLHtxIy YfolqfplcR/JDyneU9EuLm+xacd/ogymrgePKfZa3xzIQa3Npvh6dvb37IlDvVQY8sKw sG1izjQdy0ES3mCKlzSQHAu8lEa3AVPw1kknj+Pb6seBUAKE99+hYB6sxRIj5BRakH4f xLgdafXaSXRmosKAsu4Wcd9Qe2YlpF5gXdfb4hi8t7evHZHMX0hcldNIA3WzPvjwOCLw 0PdQ==
X-Gm-Message-State: ALoCoQnrIOR/aLdYm4Fx8xkbnE5Yr1SbjW0fC5YixMMNqnkcbBYu1cnAgj1e+pL3kNsgwA9x4EF/
MIME-Version: 1.0
X-Received: by 10.55.49.138 with SMTP id x132mr47416846qkx.19.1427891371455; Wed, 01 Apr 2015 05:29:31 -0700 (PDT)
Received: by 10.229.178.135 with HTTP; Wed, 1 Apr 2015 05:29:31 -0700 (PDT)
Date: Wed, 01 Apr 2015 13:29:31 +0100
Message-ID: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Y4J9WX7JsuhoN3TqKh4-s2qDgic>
Subject: [secdir] Security review of draft-ietf-oauth-dyn-reg-management-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 12:29:34 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with issues.

Nit: the Security Consideration section contains normative
requirements. I don't know if this is strictly wrong, but it is
unusual. The style I am used to has the normative requirements in the
main body of the I-D, with Security Considerations confining itself to
explaining what is going on security-wise.

Issue: "Note that the authorization server decides the frequency of the
   credential rotation and not the client.  Methods by which the client
   can request credential rotation are outside the scope of this
   document."

Clients are presumably as likely as servers to cause credential
compromise, hence a mechanism by which a client can request a new
credential seems wise.

Of course, this could be used by an attacker to lock a client out, so
more thought required.

Issue: size limits.

There don't appear to be any limits (minimum server must accept, max
client must send) for client data. Not necessarily a security issue,
but seems likely to cause interop problems.

Issue: "Configuration Endpoint" (not a security issue)

It looks like the definition of this is deferred to
draft-ietf-oauth-dyn-reg, but I couldn't find it there either.

Issue: "The server MUST support TLS 1.2" - it seems unwise to mandate
a particular version of TLS - work on TLS 1.3 is already under way,
and TLS 1.2 is not (it seems) that far off deprecation!

Issue: " Since the client configuration endpoint is an OAuth 2.0 protected
   resource, it SHOULD have some rate limiting on failures to prevent
   the registration access token from being disclosed though repeated
   access attempts."

I am not sure what this is getting at. Limits on key re-use? Some kind
of BEAST defence? Something else?

Without some quantification of the threat, it seems hard to act on
this requirement.

v2.23.0 | Report a Bug | By Email