IETF Logo Mail Archive

Re: [secdir] Security review of draft-ietf-oauth-dyn-reg-management-12

Ben Laurie <benl@google.com> Fri, 03 April 2015 17:12 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A97CC1ACDD4 for <secdir@ietfa.amsl.com>; Fri, 3 Apr 2015 10:12:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 111uStiOkOUr for <secdir@ietfa.amsl.com>; Fri, 3 Apr 2015 10:11:59 -0700 (PDT)
Received: from mail-qg0-x235.google.com (mail-qg0-x235.google.com [IPv6:2607:f8b0:400d:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BAD61ACDD9 for <secdir@ietf.org>; Fri, 3 Apr 2015 10:11:55 -0700 (PDT)
Received: by qgfi89 with SMTP id i89so13821063qgf.1 for <secdir@ietf.org>; Fri, 03 Apr 2015 10:11:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=IliLy1MPAyklnTRhcqgfQ86UAk1dfjb+HbhSXfYGhH8=; b=QV9zX1JxG+1/s43Us5hXLlBUDAT51J2pvZVw9oOqJ/lEqWBNfxt1oVuB2Z0B1elU6z WMgPN3Cnx8t+gq+3dI5bpEW6MxwG+ExL7zequ8mOffdRIHZlNxx6zaCjycTvVbPaiF/L SqILnsJCdUcMP5vsdmolxPWnqdur9YrKEtsPNcgB6/kTTRU5Pv2IJe9K0FYDlxYk7yV6 ISvcNKifycO4vJqvAYcDVAQQ8PFQpOUWaqo2M0aVWWToU2bsA/slMUxyRSB6ekis0lH2 YTvjUN7FbL+9tCyhafDwz2XJXVA5dQQZNzEVkjc4rGbRGRTFehm8FCeGgPx2z0aL6qNG PfVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=IliLy1MPAyklnTRhcqgfQ86UAk1dfjb+HbhSXfYGhH8=; b=LDPCDAHk0WczhKMGtFrAUSzbU3AJM64LdxiSAOEGZ0KJlIucdjMgGYjybjleuAB3dI QaxH2DUwBHOdZ2a9OavMVVNoFkVEmLRu1+b321e+Zhwjh1zeisXWmiZJx5vBAf0w/3B5 ciFeJ+V57+TFay97YoQ+3IrXwyGJwxOIj3hDBT/+cldOcF7fEvCCeKp5eThJzQnoF1Fg kvrmzlPZnXIWbcsBdHiHUUgRLZmhKGPIJJgdps1SxxIm0/+viU6yBn86xCkH09clBUsl p1OTV5zjCupGVs/sE4v+SXx+3InLL/wRpfXcdaOCnQRn9vA27Nh63/VvW5FmvQM+gHpD TGqw==
X-Gm-Message-State: ALoCoQnMXJXqwIry4eqDSgtcyiSVMihSSmpLiS+zEkugUT0/4RfFuIbI/2U8QkLtmuCM+fhSqpuR
MIME-Version: 1.0
X-Received: by 10.141.18.146 with SMTP id u140mr3822751qhd.48.1428081114744; Fri, 03 Apr 2015 10:11:54 -0700 (PDT)
Received: by 10.229.178.135 with HTTP; Fri, 3 Apr 2015 10:11:54 -0700 (PDT)
In-Reply-To: <118C77E9-FAD2-48C1-A6E1-4D20D219449F@mit.edu>
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com> <118C77E9-FAD2-48C1-A6E1-4D20D219449F@mit.edu>
Date: Fri, 03 Apr 2015 18:11:54 +0100
Message-ID: <CABrd9SRVeW5ieSyZSZ3ykT2taZAfKnC7nhnRAf=+BSUKnT-L5A@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/yIcYJDAwlybiYFsjnDmKEphVKZU>
Cc: draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Security review of draft-ietf-oauth-dyn-reg-management-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 17:12:00 -0000

On 3 April 2015 at 17:57, Justin Richer <jricher@mit.edu> wrote:
> Ben, thanks for the review. Responses to particular points inline.
>
>> On Apr 1, 2015, at 8:29 AM, Ben Laurie <benl@google.com> wrote:
>> Issue: "Configuration Endpoint" (not a security issue)
>>
>> It looks like the definition of this is deferred to
>> draft-ietf-oauth-dyn-reg, but I couldn't find it there either.
>
> I’m confused by this issue: “Client Configuration Endpoint” is defined as a term in §1.2 and its function and use are defined in §2, which is the majority of the spec’s content. I see no use of “configuration endpoint” apart from the full term of “client configuration endpoint” in the current document version.

Sorry about that, I think I just got lost. You appear to be correct.

>> Issue: " Since the client configuration endpoint is an OAuth 2.0 protected
>>   resource, it SHOULD have some rate limiting on failures to prevent
>>   the registration access token from being disclosed though repeated
>>   access attempts."
>>
>> I am not sure what this is getting at. Limits on key re-use? Some kind
>> of BEAST defence? Something else?
>>
>> Without some quantification of the threat, it seems hard to act on
>> this requirement.
>
> The rate limiting is going to take a number of different forms depending on the platform and deployment characteristics of the authorization server, so we don’t recommend any particular approach. This is also something that’s going to be changing quickly over the years, and instead of prescribing a specific solution we thought it better to describe the problem here and say that it must be mitigated.

Solution to what? This is precisely my issue - you haven't described
the problem, you've described a solution to some problem I'm finding
hard to guess.

In other words: how could the registration access token be disclosed
through repeated access attempts?

v2.23.0 | Report a Bug | By Email