[GNAP] RS validation of access tokens

Justin Richer <jricher@mit.edu> Sat, 29 July 2023 04:54 UTC

To: GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/OyPiwQOrgwJNESIDiRewhVgml9Y>

As discussed in the meeting today, the following issue raises a question on the security properties of the RS processing tokens during a specific kind of attack:

https://github.com/ietf-wg-gnap/gnap-resource-servers/issues/56

While the editors believe that this can be addressed sufficiently with a security consideration, the conversation in the room indicated that there is further discussion that needs to be had first. The editors and chairs are planning to reach out to the research team that filed the issue for clarification. With the OAuth Security Workshop coming up, this might prove a good opportunity to discuss the issue with the security and research community. The editors will bring the results of those discussions back to the list.

If you have something to add to the attack and model as described, please add to the discussion on the GitHub issue.

— Justin