[OAUTH-WG] Adding use case to draft-ietf-oauth-pop-architecture-05
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 23 November 2015 19:49 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4241B3318 for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2015 11:49:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.785
X-Spam-Level:
X-Spam-Status: No, score=-1.785 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbdFGKxMqStq for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2015 11:49:12 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DB5C1B330E for <oauth@ietf.org>; Mon, 23 Nov 2015 11:49:11 -0800 (PST)
Received: from [192.168.10.143] ([80.92.121.34]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MWCKz-1ZpaBQ0rRR-00XLhm for <oauth@ietf.org>; Mon, 23 Nov 2015 20:49:09 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
To: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <56536DB2.2020609@gmx.net>
Date: Mon, 23 Nov 2015 20:49:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="X7pl2ECBEip2xRbUJh0hgf3uxgL8dCCvW"
X-Provags-ID: V03:K0:86KE2dOkYZDQse8Jvgsm9Vq5K4Ez2FY7G9LZ1xCGx0h1a3c190H qWwf/e8WtFxlx6y/7o1U7NNMFz9mNkHVXxmPo9vINv4WP3ffgIIH5jX92L7Thc9PZMnuT1v jM/sbONrR7rwfFreAYEKMoP2R6Mgl4bbvp0FiOZ/p6BJOVdMOwJFgCumsemYI7LpKC5BxDP gA0pgTEINjEkOPqsMcU/A==
X-UI-Out-Filterresults: notjunk:1;V01:K0:HlxPLiq2M+A=:n40eec3eFp4SeBG5GMQq+k kGL3V1RXVzQLH/9ZChiSDHTapzFTaubijEeCTUv3m2lZSLuSo/Ff3NwCfVV/OyE1BYkyD/lBq dOzoGGItgSjGSlGYvaNnBQgXUtEQw+AXIqjEh5eTii9Xs0BVrIC1WzpwxE5SIjwUgEH4S4u2n cQbef5jdavhuBa+XSX0CpQNbCu/Pg2wDNoP/yCbyoo6fEIfXrf5S6nQE2tWE83+DF6z6BYhO7 4aVPs6mLThpyktDxaqF4fkzlT/h+4bCNmK5BHUsu9Dz3YfEvfHiZnHmO5e5yCex3hX+llv7tg 9a5O5t7gKvJnfOeWQ49BNCVvmqDhY6CE1/3uWWo1B+QQVQqYpcs0Do16qx6DPiXsAzbSYJ7Mp PaPgXQmledVQndTA4i5Ktzi3LTmpHzF8i6J0A1RD/WRhqlRFbdioLK/9vpTSS+7XRRXFc+dDZ +DXsaFBGo9g8nXW1otj7l0lTgbCJRKN6nvbjlLhv1QnkRxCGhS7T0mk9SOPhxvSqEQrnFKxP+ mZDxwOU0U2CdbO/DkLvF+G+byiQyxr5bILLViT7+hMBgc2HF8LngOaVCz2akJa1YJiMYTMGMH YwONjUwAA7oxW1I+3zU0HMAcAk2/3qstlfEywMJ7tVycj4ooveUh9op88QgVAbqi0V6ZAbRHZ x1LDEOTiA5Pj0hvMPBQp3vKALzK0NAMeYesV07xXAg3PFzbNmjsEVQcpF2EnZx5lFUc3M1a2T roz8EbiFmv6Xw3y3yz3FZwpa0+qjBnhtFVO9s5+8wzfv7LzQMV7nvspaLH8=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1o8wZTpxwKOztdDMPDQI6Krq1Kk>
Subject: [OAUTH-WG] Adding use case to draft-ietf-oauth-pop-architecture-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2015 19:49:17 -0000
Hi all, at the Yokohama IETF meeting John gave a presentation about the need to also secure access and refresh tokens against unauthorized access and loss, see https://www.ietf.org/proceedings/94/minutes/minutes-94-oauth Unfortunately, this threat has not been documented in the current PoP architecture draft while other threats have been captured appropriately (see Section 3 of https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-05). Since we are currently finalizing the work on the PoP architecture document I wanted to contribute text about this use case: ------------------------ 3.5. Preventing Loss of Access and Refresh Tokens RFC 6749 distinguished two types of clients, namely public and confidential clients, based on their ability to authenticate securely with the authorization server. Even with confidential clients there is the risk, combined with certain deployment choices, that an attacker gains unauthorized access to access and refresh tokens. If those tokens are bearer tokens then the adversary can re-use them to gain access to the protected resource, for example to post messages to a social networking site to distribute spam. With proof-of-possession tokens an adversary not only needs to gain access to a database where those tokens are stored but it also needs to retrieve the associated keying material. Assuming that these keys are stored more securely, for example, in a hardware security module or trusted execution environment this specification offers an additional layer of defence. Since refresh tokens offer a client the ability to request access tokens the need arises to also define proof-of-possession functionality for refresh tokens (unless keys bound to the access token cannot be changed during the lifetime of the refresh token). ------------------------ Please let us know what you think about including this text into the next revision of the PoP architecture document and if you have some suggestions for improved wording. Ciao Hannes
- [OAUTH-WG] Adding use case to draft-ietf-oauth-po… Hannes Tschofenig
- Re: [OAUTH-WG] Adding use case to draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] Adding use case to draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] Adding use case to draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] Adding use case to draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] Adding use case to draft-ietf-oaut… Hannes Tschofenig