Re: [secdir] Security review of draft-ietf-oauth-token-exchange-14
Brian Campbell <bcampbell@pingidentity.com> Mon, 10 September 2018 21:44 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47E14130EF7 for <secdir@ietfa.amsl.com>; Mon, 10 Sep 2018 14:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNGhy2s0DTBz for <secdir@ietfa.amsl.com>; Mon, 10 Sep 2018 14:44:49 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BD40130DE1 for <secdir@ietf.org>; Mon, 10 Sep 2018 14:44:49 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id p79-v6so31619229itp.3 for <secdir@ietf.org>; Mon, 10 Sep 2018 14:44:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fOcQTZCX87Q7YFTdrOBrMwkd/5uUoIGQV84RF6Jhjq8=; b=kNP7r66Xh/izm2FcM81TPeCN0SO5HiXD7andH4h9heOcVTLJpMK3QI4ZR+2HGjeWg5 xfJ615sCOw+nF67HRFPiiYWVpMbZULbRFkYsbRYC9FXZ+ymmZYquBvu8WelachrI0dbV LClGI6OnU9LcSyVhxAZHUaikzX40YltFzGKG4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fOcQTZCX87Q7YFTdrOBrMwkd/5uUoIGQV84RF6Jhjq8=; b=Nx0vrKRaQzGdI9hYM615883blP6AORlflY607gGE0ABsJ998OSj7+z8G0ZsdYGiKty KMF0/Clvq9aPKI21hjLLyQ/ehUMVBTICi+CfeAzbP0zdU4z6eV789NMBElZiSdRGvYwG 2X6P3Wtfez84zgUzJ6jamXa6PI/PYuZbAPJz1n7HEgH/TUYLa7HqMuPX5aaJ1+w3Dul7 w3UrYfdfkkB0W32zQRho4iiqHVJGbvbolRSdKViPIHUndGFmP4CalQOpFDEIME/BUdhD 2bBoU71YeFZAkxhualEC6NPSickFpywx3vJ86XXcAjoYdMZW2YTbSCdwTQl2Bv792c0r AjEw==
X-Gm-Message-State: APzg51AnQSXXq9gSh2bDRD2LuJLRGZM4ZvESKsvfSBDImz693ukqTkAM uG39o3tWNBVzkg8cAVqNek8QVti0TJIq0gKIrCeSZ6pblQcZ47vxWcDkc2MaMQnDH8p8YZYAPOu u4RvOy1FI3ktvLPw=
X-Google-Smtp-Source: ANB0Vdby3zrmIcUyjV5ZbcLbjnzk2OXaaAhlQnC40A1KAjhSkcWz9ngc3VCuxtNGvXKVDqKXORBU5ITN3WZ062OfC+k=
X-Received: by 2002:a24:6fd3:: with SMTP id x202-v6mr19399611itb.71.1536615888601; Mon, 10 Sep 2018 14:44:48 -0700 (PDT)
MIME-Version: 1.0
References: <201808080746.w787kd74021069@rumpleteazer.rhmr.com> <CAAX2Qa2GB9srzCarcfZcx8oyB2K7jFS=MK4vdZU9XQFbRgr=OQ@mail.gmail.com> <CA+k3eCT_q6sqSJrLav+LOctkE_ophdsp1Egm2YEzL3Ld3QrVfg@mail.gmail.com> <20180810212645.GU40887@kduck.kaduk.org> <CA+k3eCTz4cjWx7WQA7PUjgu3zC8L7YeDwRNrt9VTMV7waXveFw@mail.gmail.com>
In-Reply-To: <CA+k3eCTz4cjWx7WQA7PUjgu3zC8L7YeDwRNrt9VTMV7waXveFw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 10 Sep 2018 15:44:22 -0600
Message-ID: <CA+k3eCRDg1_DkthGo3CnUhKVDbp6OuC+q55QCFWUUnvy=0fWAg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: hilarie@purplestreak.com, The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-oauth-token-exchange.all@ietf.org
Content-Type: multipart/alternative; boundary="00000000000032653405758b4492"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yx-QsSLrGnsYP-GZvOjcDMO9oME>
Subject: Re: [secdir] Security review of draft-ietf-oauth-token-exchange-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2018 21:44:52 -0000
Hi Hilarie, I've published <https://mailarchive.ietf.org/arch/msg/oauth/Dqlg3JQqhChHy83j4IwqhLeoR88> a new draft -15 of OAuth Token Exchange <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-15>, which I hope/believe addresses the comments you raised. <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-15> Thanks again for the review, Brian On Mon, Aug 13, 2018 at 11:36 AM Brian Campbell <bcampbell@pingidentity.com> wrote: > > On Fri, Aug 10, 2018 at 3:26 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > >> ... >> With the disclaimer that I haven't read token-exchange recently and am >> mostly going off my memory of the mailing list discussions, it seems like >> the key consideration here is that token exchange allows you to convert a >> token that may be opaque to you into one that has inspectable fields, and >> those fields can be privacy sensitive. So a JWT response should only be >> given to a requestor that trusted to know such information; a lot of the >> time, that has large overlap with being trusted to have the token in the >> first place, but potentially there is some amount of non-overlap. >> >> The considerations from 7523 of course also apply, and sensitive >> information should not be sent over unencrypted channels, but isn't the >> above paragraph an aspect inherently new to token exchange? > > > I don't think it's unique to token exchange. RFC 7523, for example, > defines the use of a JWT as an authorization grant used to obtain an access > token from a authorization server. Unless encrypted as a JWE, the JWT in > that scenario has fields that are inspectable to the client. And an OAuth > access token is considered opaque to the client but whether or not > information in the token is actually accessible to a client is an > implementation detail of the authorization server. The latter is true for > OAuth in general and not just these more specialized exchanges. > > The idea behind maybe incorporating some text similar to (but adapted to > the context) what's in the privacy considerations of RFC 7523 > <https://tools.ietf.org/html/rfc7523#section-7> is that the > considerations are pretty much the same - use TLS in transit, minimize the > amount of information in the token, encrypt the token if disclosure of its > information to the client is a concern. > > > > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [secdir] Security review of draft-ietf-oauth-toke… Hilarie Orman
- Re: [secdir] Security review of draft-ietf-oauth-… Brian Campbell
- Re: [secdir] Security review of draft-ietf-oauth-… Benjamin Kaduk
- Re: [secdir] Security review of draft-ietf-oauth-… Brian Campbell
- Re: [secdir] Security review of draft-ietf-oauth-… Brian Campbell