Re: [secdir] review of draft-ietf-oauth-introspection-09
Justin Richer <jricher@mit.edu> Mon, 01 June 2015 21:27 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 821AE1A0047 for <secdir@ietfa.amsl.com>; Mon, 1 Jun 2015 14:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TR2vNB42KFy for <secdir@ietfa.amsl.com>; Mon, 1 Jun 2015 14:27:06 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97EEA1A002F for <secdir@ietf.org>; Mon, 1 Jun 2015 14:27:05 -0700 (PDT)
X-AuditID: 12074424-f79b06d000000cfd-21-556cce27bb88
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 36.74.03325.82ECC655; Mon, 1 Jun 2015 17:27:04 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t51LR3dN011107; Mon, 1 Jun 2015 17:27:03 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t51LQxk7027191 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 1 Jun 2015 17:27:00 -0400
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_A9461030-61D6-4135-BDB9-E731667472C4"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5b6
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <556CACEC.2030501@bbn.com>
Date: Mon, 01 Jun 2015 17:26:58 -0400
Message-Id: <8CBCFD65-237C-4683-B84B-B058DD5E166F@mit.edu>
References: <556CACEC.2030501@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.2098)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBKsWRmVeSWpSXmKPExsUixCmqratxLifUoGkmh8XKSTvYLZbuvMdq sXE2o8WHhQ9ZHFg8pp4P9Vi8aT+bx5IlP5k8ln99wBLAEsVlk5Kak1mWWqRvl8CVsfeuRMHd C8wVe+8cY2pg3DeBuYuRk0NCwERi5ap7ULaYxIV769lAbCGBxUwSezdGdjFyAdkbGCU2PDzG BOE8YJK4t/kXWIewgIXE430/WUBsXgE9iUdPH7ODFDELTGGUWLN0JzvEWCmJptfHGEFsNgFV ielrWphAbE4BdYnPS7eCrWMRUJH4sPI62FBmgRKJudNfMUIMtZJYdn4bK8RJahKz7l0Hi4sI yEt8O7YVaDEH0HxZia9b5SYwCs5CcsYsZGfMAhubJLH6xiEWCFtbYtnC18wQtqbE/u7lWMQ1 JDq/TWSFsOUltr+dAxW3lFg88wZUva3Erb4FTBC2ncSjaYtYFzByr2KUTcmt0s1NzMwpTk3W LU5OzMtLLdI118vNLNFLTSndxAiKVHYXlR2MzYeUDjEKcDAq8fBmdGeHCrEmlhVX5h5ilORg UhLlDTydEyrEl5SfUpmRWJwRX1Sak1p8iFEFaNejDasvMEqx5OXnpSqJ8FqeAarjTUmsrEot yocpk+ZgURLn3fSDL0RIID2xJDU7NbUgtQgmK8PBoSTBexmkUbAoNT21Ii0zpwQhzcTBeYhR goMHaPhesOHFBYm5xZnpEPlTjIpS4rxLQRICIImM0jy4XliCfcUoDvSWMO8WkCoeYHKG634F NJgJaHC7ANjgkkSElFQDo2/PS+EnNvt3VKTmTo0/6WS+wF9atZnzx4pnXY4XxT5ZlNRLH1cr jZarfVxwo37GyUkvxA7lGE86/eVG4Yay41zxm999vnXxmZuhf8oM/wt+967em1F9i6fLtk3H Om6+x/S/WUv3pRqK82a9vMsn2yi6M0Bh73m7bXvmhxzef2BdKfOxmd5tcUosxRmJhlrMRcWJ AB9ef6+LAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/hSTLA6QP9T0BHZ7t8E6t_VAZHlo>
Cc: secdir <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-oauth-introspection-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 21:27:09 -0000
Stephen, thanks for the review. Comments inline. > On Jun 1, 2015, at 3:05 PM, Stephen Kent <kent@bbn.com> wrote: > > I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. > > This document describes an API for use with OAuth 2.0. The API enables the recipient of a token to query an authorization server to determine the set of metadata presented to the server (by the OAuth client) when the token was issued. This API is intended to overcome the lack of a standard way to convey token metadata in the OAuth 2.0 context. > > I didn’t find any significant security problems with the document, but there are a number of places where the exposition needs improvement. > > Specific comments > > Section 2 > > The text says: > > The introspection endpoint MUST be protected by a transport-layer security mechanism as described in Section 4. > > It might be clearer to say here that the token endpoint MUST communicate security with the introspection endpoint, and that TLS 1.2 is the mandatory-to-implement mechanism for such security. Also, the text should be clearer about the relationship between an authorization server and an introspection endpoint. In some places the two terms seem to be used interchangeably. This language was imported from the soon-to-be-published OAuth Dynamic Registration drafts, including the forward reference. We don’t want to repeat the requirement text. > > Section 2.1 > > The texts says: > > The endpoint MAY allow other parameters to provide further context to the query. > > How about: > > The endpoint MAY accept other parameters to provide further context to the query. Thanks, that’s a better wording. > > How does a protected resource know which other parameters an introspection endpoint requires/accepts? > > We’re assuming it would be either an extension or deployment-specific. > > This section mandates (MUST) protection against “unauthorized token scanning” but mandates no standard way to do so. [Also, when would a scanning “attack” be authorized ;-)] > Is there something more specific we can recommend here? Perhaps in the security considerations section. And the attack could actually take place where an authorized protected resource goes fishing for other valid tokens. The attack isn’t authorized, but the client is … and yes that’s not what we meant but I’m sticking to it. ;) > > The text says: > > For example, the following example shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer. > > How about: > > For example, the following example shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer token. > Thanks, that’s a typo. Good catch! > > Section 2.2 > > He text says: > > The authorization server MAY respond differently to different > protected resources making the same request. For instance, an > authorization server MAY limit which scopes from a given token are > returned for each protected resource in order to prevent protected > resources from learning more about the larger network than is > necessary for their function. > > How about: > > An authorization server MAY respond differently to different > protected resources making the same request. For instance, an > authorization server MAY limit which scopes from a given token are > returned to each protected resource in order to prevent a protected > resources from learning more about the larger network than is > necessary for its operation. I prefer the definite article in the text, but the later correction is helpful. > > > Section 3.1 > > Experience suggests a longer review period is appropriate, e.g., to accommodate holidays, vacations, etc. > > The text says: > > IANA must only accept registry updates from the Designated Expert(s) > and should direct all requests for registration to the review mailing > list. > > How about: > > IANA MUST accept registry updates only from the Designated Expert(s) > and SHOULD direct all requests for registration to the review mailing > list. This text was imported from a template, I’d be glad to change it if there’s a better one. > > Section 3.1.1 > > If a proposed Name matches one already registered as per 7519, ought it not have an “equivalent” (vs. “comparable”) definition if it is to be accepted? > > It really is comparable, since the contexts are pretty different. > > Section 4 > > The text lists four checks to be performed by an authorization server, yet the introduction to this list says “For instance:” A more normative introduction would seem appropriate here. I realize that the text says that not all of these checks may be applicable in all OAuth 2.0 contexts, but since each check begins with “If the token …” isn’t that a sufficient caveat? > > This is not a normative requirement, since everything is contextual to the nature of the tokens issued by the authorization server. > The text says: > > If an authorization server fails to perform any applicable check, the > resource server could make an errant security decision based on that > response. > > How about: > > If an authorization server fails to perform any applicable check, the > resource server could make an erroneous security decision based on that response. > Thanks, I think that’s a better word. > > The text says: > > per RFC 6125 [RFC6125]. > > How about: > > as specified in [RFC6125]. > > > That’s fine with me, thanks. > The discussion of introspection endpoint response caching seems to omit a simple, useful heuristic. Since the expiration time for a token is an optional parameter in the response, why not say that IF this parameter is present, the response MUST NOT be cached beyond that time? > > That’s a good example, I’ll add that. > > Section 5 > > This section says: “One way to limit disclosure is to require > authorization to call the introspection endpoint and to limit calls > to only registered and trusted protected resource servers.” But > Section 4 says: “… the authorization server MUST require authentication of protected resources that need to access the introspection endpoint and SHOULD require protected resources to be specifically authorized to call the introspection endpoint.” It seems that the requirement imposed in Section 4 already mandate what is merely suggested in Section 5. The requirement in section 4 came later than the suggestion in section 5. I’ll reword the security consideration to provide further justification for the requirement. Thanks for your review! — Justin
- [secdir] review of draft-ietf-oauth-introspection… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer