Re: [GNAP] Defense protection

Cendyne <cendyne@cendyne.dev> Sat, 29 May 2021 15:01 UTC


Alan,

What does attenuated delegation mean and entail?
I am not finding a definitive definition online.

> On May 29, 2021, at 12:46 AM, Alan Karp <alanhkarp@gmail.com> wrote:
> 
> 
>> On Fri, May 28, 2021 at 1:09 PM Adrian Gropper <agropper@healthurl.com> wrote:
>> Thanks to Alan Karp, I have come to believe that delegation is essential and GNAP needs to speak of capabilities as first-class tokens and encourage their use.  This will become the main driver for adoption of GNAP over SAML or OAuth. 
> 
> I would say attenuated delegation instead of just delegation.  Revocation is important, too.
> 
> --------------
> Alan Karp
> 
> 
>> On Fri, May 28, 2021 at 1:09 PM Adrian Gropper <agropper@healthurl.com> wrote:
>> Thanks to Alan Karp, I have come to believe that delegation is essential and GNAP needs to speak of capabilities as first-class tokens and encourage their use.  This will become the main driver for adoption of GNAP over SAML or OAuth. 
>> 
>> - Adrian
>> 
>> 
>> 
>>> On Fri, May 28, 2021 at 3:51 PM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>> Hi Adrian,
>>> 
>>> Thanks for your interest!
>>> 
>>> This is a helpful link that describes how the attackers were able to bypass MFA by stealing the signing key for SAML assertions:
>>> https://www.darkreading.com/attacks-breaches/solarwinds-campaign-focuses-attention-on-golden-saml-attack-vector/d/d-id/1339794
>>> https://owasp.org/www-chapter-singapore/assets/presos/Deconstructing_the_Solarwinds_Supply_Chain_Attack_and_Deterring_it_Honing_in_on_the_Golden_SAML_Attack_Technique.pdf
>>> 
>>> I did read one that was a bit better, but can't find the link at the moment.
>>> 
>>> And one on shared OAuth credentials/token issuance:
>>> https://www.csoonline.com/article/3607348/how-to-defend-against-oauth-enabled-cloud-based-attacks.html
>>> 
>>> It would be good to think about attack vectors and if not prevention, minimally detection.
>>> 
>>> Best regards,
>>> Kathleen
>>> 
>>>> On Fri, May 28, 2021 at 3:41 PM Adrian Gropper <agropper@healthurl.com> wrote:
>>>> Hi Kathleen,
>>>> 
>>>> I am not aware of the attacks on SAML and OAuth and would appreciate a link or two.
>>>> 
>>>> I hope we can provide guidance on how GNAP can facilitate Zero Trust Architecture and believe that includes guidance on how to audit various things as systems use GNAP protocols to separate concerns among independent actors. 
>>>> 
>>>> Count me in for a brainstorming session,
>>>> 
>>>> - Adrian
>>>> 
>>>> 
>>>>> On Fri, May 28, 2021 at 3:29 PM Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>>>> Hello!
>>>>> 
>>>>> In light of recent attacks against SAML and OAuth, I'd like to see what defense mechanisms and detection could be built into the spec.  One example would be from the recent SAML attack.  If there was a detection of instances of authorization without authentication, the SAML attack used in SolarWinds might have been detected sooner.
>>>>> 
>>>>> If you think along the lines of fraud detection, where you detect unusual events, there may be some specific to GNAP that could enable early detection of abuse, misuse, or exploits.
>>>>> 
>>>>> Are there some planned?  Would people like to brainstorm on this?
>>>>> Thanks!
>>>>> 
>>>>> 
>>>>> -- 
>>>>> 
>>>>> Best regards,
>>>>> Kathleen
>>>>> -- 
>>>>> TXAuth mailing list
>>>>> TXAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>> 
>>> 
>>> -- 
>>> 
>>> Best regards,
>>> Kathleen
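Added example, not from any message in this thread and not GNAP's own design: a toy capability store illustrating what "attenuated delegation" with revocation means in practice, i.e. a holder can pass on only a subset of its own rights, and revoking any link cuts off everything delegated below it. Names (`Capability`, `CapabilityStore`, the resource string) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Capability:
    cap_id: str
    resource: str
    rights: frozenset[str]   # actions this capability permits
    parent: str | None       # cap_id this one was delegated from, None for a root


class CapabilityStore:
    """Issues capabilities and keeps the delegation chain so revocation propagates."""

    def __init__(self) -> None:
        self._caps: dict[str, Capability] = {}
        self._revoked: set[str] = set()

    def issue(self, resource: str, rights: set[str]) -> Capability:
        cap = Capability(secrets.token_hex(8), resource, frozenset(rights), None)
        self._caps[cap.cap_id] = cap
        return cap

    def delegate(self, cap: Capability, rights: set[str]) -> Capability:
        # Attenuation: a delegate may only receive a subset of the holder's rights.
        if not rights <= cap.rights:
            raise PermissionError("delegation may narrow rights, never widen them")
        if not self.is_valid(cap):
            raise PermissionError("cannot delegate from a revoked capability")
        child = Capability(secrets.token_hex(8), cap.resource, frozenset(rights), cap.cap_id)
        self._caps[child.cap_id] = child
        return child

    def revoke(self, cap: Capability) -> None:
        self._revoked.add(cap.cap_id)

    def is_valid(self, cap: Capability) -> bool:
        # Walk up the chain: revoking an ancestor invalidates everything derived from it.
        current: Capability | None = cap
        while current is not None:
            if current.cap_id in self._revoked:
                return False
            current = self._caps.get(current.parent) if current.parent else None
        return True

    def authorize(self, cap: Capability, action: str) -> bool:
        return self.is_valid(cap) and action in cap.rights
```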
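Added example, not from the thread: a small correlation check for the "authorization without authentication" signal Kathleen describes, matching service-provider assertion acceptances against identity-provider login events for the same user inside a time window. The log format, field names, users and the one-hour window are constructed assumptions, not real data or a real product's format.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed sample logs (not real data): ISO timestamp followed by key=value fields.
IDP_LOG = """\
2021-05-28T13:00:01Z event=auth_success user=alice mfa=true
2021-05-28T13:05:10Z event=auth_success user=bob mfa=true
"""
SP_LOG = """\
2021-05-28T13:00:04Z event=assertion_accepted user=alice
2021-05-28T13:05:12Z event=assertion_accepted user=bob
2021-05-28T13:40:00Z event=assertion_accepted user=carol
2021-05-28T14:30:00Z event=assertion_accepted user=bob
"""


def parse(log: str) -> list[dict]:
    """Turn each non-empty line into a dict with a parsed 'ts' datetime."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_unauthenticated_assertions(idp_log: str, sp_log: str,
                                    window: timedelta = timedelta(hours=1)) -> list[tuple[str, str]]:
    """Return (user, timestamp) for each accepted assertion that no IdP login
    for that user precedes within the window. A forged assertion never passes
    through the IdP, so it shows up here with no login to pair with."""
    logins = [r for r in parse(idp_log) if r["event"] == "auth_success"]
    suspicious = []
    for a in parse(sp_log):
        if a["event"] != "assertion_accepted":
            continue
        matched = any(
            x["user"] == a["user"] and timedelta(0) <= a["ts"] - x["ts"] <= window
            for x in logins
        )
        if not matched:
            suspicious.append((a["user"], a["ts"].isoformat()))
    return suspicious
```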