Re: [Wimse] Attempts to apply pieces of OAuth DPoP to workload identity
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 30 November 2023 09:14 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83CAAC15154A for <wimse@ietfa.amsl.com>; Thu, 30 Nov 2023 01:14:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5gXa0M46My5s for <wimse@ietfa.amsl.com>; Thu, 30 Nov 2023 01:14:55 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BF71C151533 for <wimse@ietf.org>; Thu, 30 Nov 2023 01:14:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1701335691; x=1701940491; i=hannes.tschofenig@gmx.net; bh=/kTgm2fJE9PmiGGfu6qLumminBgBREKHu7NJYZ6ooVk=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=Kp6MnWRK3rhumgBsAujvG6scpGjC2x6rk7C+KvG2mGfsDXj6po88AcT44PQ97D+j JvVnkyhoXEgUXBXU0xnQbjBghHtNyM3oo+DKckBzXjQeimJ0m4D9+CdOAcfBCFvrl 63E9wO6KvyzIu+v+n5rZGWRgEAObrmoK8p8TNlpQh+tC+BWz9lMkc4ZqQuiMrRLgh KEWa7dTxc2X9zJqUw/qlE5OSt/6n+5+V1Ivp7thVI9KHbHdOkAhu+QdZe/2uzEuEG EuYjucQCHC1z5yH4f6XnWsHkaCCyS7b2ZAjA141M2p87Q9YSoS34g5N2R126H797J Ub6m8bbd8u24y4S+9g==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MyKHm-1rTapZ1qjk-00yeWj; Thu, 30 Nov 2023 10:14:51 +0100
Content-Type: multipart/alternative; boundary="------------M6qU06u5vgLSoiZrUfDsHU2D"
Message-ID: <60fe135d-4498-44f5-8c8f-eb89ab597e38@gmx.net>
Date: Thu, 30 Nov 2023 10:14:43 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Evan Gilman <evan@spirl.com>
Cc: wimse@ietf.org
References: <CAOB-mKm6oG5AY-GUDnbPJ5=UXh9sqDm56AWRTzqkVWt8L=pRAA@mail.gmail.com> <6afafc01-c92c-4164-b8ec-4a88b770ea53@gmx.net> <CAOB-mK=BJ5HxPedPw+yNTU6rbbhkD6eBEgef2Rhrf2dY=e8LmQ@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CAOB-mK=BJ5HxPedPw+yNTU6rbbhkD6eBEgef2Rhrf2dY=e8LmQ@mail.gmail.com>
X-Provags-ID: V03:K1:8c+dicDk9zVbK9Bc0Vqpg9NAtuY1vp0HUt9w0Bnr3GziZrH6oDZ 25rjh3Nmwk0rHIAfFCMcA9CxoaWDO0CbQiyrD7O63vo5B4a9zQiA0261BMSQxjTqIBSEdUO ebPCceoRmdWQ8n41FKoSZbZ/Ntln1nmCS/3UN9ZcKQU9EYBZ3Mbd9weg86hUhnO2KDYXaMx b16g5jXYXrM6dEWDC8D+A==
UI-OutboundReport: notjunk:1;M01:P0:ciwm5tX9qcI=;2zLvFsh1gQADPb3vAVBvcuNBQqc wDRYLbkpzgGm3ZerVn/zKNx6TURx5BvssHq0LiakMRORVGNAXF59wuqPtirOOcVVLxua133KE XBuS4jc317bm7NHOVzMMJg2go684HkmKchWBXemq9v+VCVNvH/OtCEsmBFkm/GiTpeQEbdLzd vUDS89WgolFrFeBQ2lEJpTm0jZPWV9toe7CE+DECjiwlI24xHa52OANkCRdwRsvy9VUw8T8Ux oqf++cA83xcGczOf+g0O0CmwGmldTcG8SEeA7mCWha/b03IyLX9r5XQbwqpw+MwPa3cuCGGW4 t56LThMbtJJn5lVfLrAUk8bbWxuFahrD9AD3uQ+cxibVKbnVLsJZjXAlEeBi4vLMoOML1Pf98 GNFwGjDfLuPYZcZL6GrNCsyY1AzoNkJsnKewYLcY2/WPwE1cdGB/D/5txIPwQh4eofwvhzUKu EAI2PelT/rNXYD/u/78AaQNDh3VeJx0z8Wb8lwYDAGXiGdACEfHenuHDAbgrODQrLvcS7uVGk t3s6Vt2MFRvyS72XnxQeqIeBtrJ7M5yZFGAtZSsDiX34cSOkUpqmu+/7xPgvTLfaR7LtGB/dh tpMwmMcEc8LzenMbRXs/7YQySLIp5SOXQJyxou2KHc1ch49xZ5ysL+d7QkZihxMlXoCGphD1k DVi95Y6Y060Clgm0nbFGFrGMfUYJLa9oFnhiz/MXM7QzUaB2EgLNpgvmGmQwo3mPPSREt8u3D 7A6yWiEhPXNrN3UaX7yq/MHvGeYkauJ70FHqrGzXVG1J9ED2hH7rR6zATDQMbcO4hOuDouT94 2E8dQdXiAXwjiigekLSGOHsAUjlOx8SFOj09VbIlFf6AktxGuhqEZlJRHhRG2BGDJ9iYvAVuH n9m4rOTBeFSiAm5wz2/vzGvLU8/UnX9+iClMwQH4UTZvrqmeGgGV4OboIh+oE53JSjrvGqt4p 9cPoL4bqcm8ASJVJn3DBM98oG+8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/cNHU8JffzB0ysZifc3viAFjEBbI>
Subject: Re: [Wimse] Attempts to apply pieces of OAuth DPoP to workload identity
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Nov 2023 09:14:57 -0000
Hi Evan, thanks for your detailed response. Am 29.11.2023 um 23:42 schrieb Evan Gilman: > On Wed, Nov 29, 2023 at 7:48 AM Hannes Tschofenig > <hannes.tschofenig@gmx.net> wrote: > > This scenario assumes that WL 1 has, somehow, obtained a token to > interact with the AS (possibly in the way described in > <draft-hofmann-wimse-workload-identity-bcp>). > > > Now, WL 1 can use the AS to request a token to access two other > workloads. > > > Apologies in advance, as it's a little hard for me to reason about AS > involvement here .. but I think the example works even without it, if > we assume that WL 1 has received a platform-specific JWT by some > opaque mechanism. > > Are you concerned that > > - WL 2 would steal the token? > > - WL 3 steals the token? > > > Yes. I think "steal" the token is one vector (e.g. the service has > been compromised), but there are others as pointed out in today's call > (e.g. tokens getting logged, leaking via crash dump, etc). I consider all these cases as "stealing". Of course, there are differences in how the tokens get into the wrong hands. I think it is nevertheless good to distinguish these cases. > The general concern is that anyone who obtains the token can > impersonate WL 1. Currently, `aud` value and tight expiry is the best > mitigation we have, but these fall short in a number of ways. There is an implicit assumption in the communication model that the "edge workload", i.e. the workloads that obtain the request from outside the network (potentially from a user) are assumed to be more secure than "internal" workloads. Is this a correct assumption? (Here is a drawing for a graphical representation) +--------------+ -------->| | | Edge | | Workload | <--------| | +--------^-----+ | | | | +----v---------+ | | | Internal | | Workload | | | +--------^-----+ | | v | ... | ^ | | +----v---------+ | | | Internal | | Workload | | | +--------------+ > > You made some comments on the call today about it being important to > know for whom the token is for. I'm curious to hear your thoughts on > the importance of the `aud` mechanism beyond replay mitigation. I was trying to find out what type of threats are relevant in the scenarios being discussed. The threat that is addressed by an audience-restricted access token is that a stolen token cannot be presented elsewhere for illegitimate access to other resources. > - WL 1 uses a token with some other workload not listed in that chain? > > > From my perspective, we are talking about an identity token, and WL 1 > should be able to present its identity to whomever it needs to. And WL > 1 should be able to do that in a way that doesn't risk it being stolen > by whomever happens to see it. OK. > - the token is used by some eavesdropped sitting between the > communication paths of the WLs? > > > This is also a concern, I think it's practically indistinguishable > from a compromised WL 2 in terms of security posture (if you get the > token you win)? A very common pattern is TLS-terminating load > balancers, which could be pictured as WL 2 or could be considered a > person in the middle. In other words, it should not be the case that a > compromised load balancer leads to total compromise because the > attacker now has access to all the credentials and can attach them to > (new) arbitrary requests... same for compromised WL 2. Hope that makes > sense OK. Thanks for your quick feedback, Evan. Ciao Hannes
- [Wimse] Attempts to apply pieces of OAuth DPoP to… Evan Gilman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Orie Steele
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Evan Gilman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Pieter Kasselman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Justin Richer
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Hannes Tschofenig
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Evan Gilman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Hannes Tschofenig
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Pieter Kasselman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Evan Gilman
- Re: [Wimse] Attempts to apply pieces of OAuth DPo… Yaron Sheffer