[secdir] review of draft-ietf-oauth-introspection-09
Stephen Kent <kent@bbn.com> Mon, 01 June 2015 19:06 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDEB11B31A4 for <secdir@ietfa.amsl.com>; Mon, 1 Jun 2015 12:06:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuI7HqMFTmuD for <secdir@ietfa.amsl.com>; Mon, 1 Jun 2015 12:06:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEC241B3229 for <secdir@ietf.org>; Mon, 1 Jun 2015 12:05:29 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:54723 helo=COMSEC.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1YzV1Q-0005PB-V9; Mon, 01 Jun 2015 15:05:17 -0400
Message-ID: <556CACEC.2030501@bbn.com>
Date: Mon, 01 Jun 2015 15:05:16 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, ietf@justin.richer.org, derek@ihtfp.com, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="------------030106030509090506080205"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/E8t6nlJ2SoUVEKwBm9Q3H_ynJfM>
Subject: [secdir] review of draft-ietf-oauth-introspection-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 19:06:04 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written with the intent of improving security requirements and considerations in IETF drafts.Comments not addressed in last call may be included in AD reviews during the IESG review.Document editors and WG chairs should treat these comments just like any other last call comments. This document describes an API for use with OAuth 2.0. The API enables the recipient of a token to query an authorization server to determine the set of metadata presented to the server (by the OAuth client) when the token was issued. This API is intended to overcome the lack of a standard way to convey token metadata in the OAuth 2.0 context. I didn’t find any significant security problems with the document, but there are a number of places where the exposition needs improvement. Specific comments Section 2 The text says: The introspection endpoint MUST be protected by a transport-layer security mechanism as described in Section 4. It might be clearer to say here that the token endpoint MUST communicate security with the introspection endpoint, and that TLS 1.2 is the mandatory-to-implement mechanism for such security. Also, the text should be clearer about the relationship between an authorization server and an introspection endpoint. In some places the two terms seem to be used interchangeably. Section 2.1 The texts says: The endpoint MAY allow other parameters to provide further context to the query. How about: The endpoint MAY *accept* other parameters to provide further context to the query. How does a protected resource know which other parameters an introspection endpoint requires/accepts? This section mandates (MUST) protection against “unauthorized token scanning” but mandates no standard way to do so. [Also, when would a scanning “attack” be authorized ;-)] The text says: For example, the following example shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer. How about: For example, the following example shows a protected resource calling the token introspection endpoint to query about an OAuth 2.0 bearer *token*. Section 2.2 He text says: The authorization server MAY respond differently to different protected resources making the same request.For instance, an authorization server MAY limit which scopes from a given token are returned for each protected resource in order to prevent protected resources from learning more about the larger network than is necessary for their function. How about: *An*authorization server MAY respond differently to different protected resources making the same request.For instance, an authorization server MAY limit which scopes from a given token are returned *to* each protected resource in order to prevent *a *protected resources from learning more about the larger network than is necessary for *its* *operation*. Section 3.1 Experience suggests a longer review period is appropriate, e.g., to accommodate holidays, vacations, etc. The text says: IANA must only accept registry updates from the Designated Expert(s) and should direct all requests for registration to the review mailing list. How about: IANA *MUST* accept registry updates *only* from the Designated Expert(s) and *SHOULD* direct all requests for registration to the review mailing list. Section 3.1.1 If a proposed Name matches one already registered as per 7519, ought it not have an “equivalent” (vs. “comparable”) definition if it is to be accepted? Section 4 The text lists four checks to be performed by an authorization server, yet the introduction to this list says “For instance:” A more normative introduction would seem appropriate here. I realize that the text says that not all of these checks may be applicable in all OAuth 2.0 contexts, but since each check begins with “If the token …” isn’t that a sufficient caveat? The text says: If an authorization server fails to perform any applicable check, the resource server could make an errant security decision based on that response. How about: If an authorization server fails to perform any applicable check, the resource server could make an *erroneous* security decision based on that response. The text says: per RFC 6125 [RFC6125]. How about: as specified in [RFC6125]. The discussion of introspection endpoint response caching seems to omit a simple, useful heuristic. Since the expiration time for a token is an optional parameter in the response, why not say that IF this parameter is present, the response MUST NOT be cached beyond that time? Section 5 This section says: “One way to limit disclosure is to require authorization to call the introspection endpoint and to limit calls to only registered and trusted protected resource servers.” But Section 4 says: “… the authorization server MUST require authentication of protected resources that need to access the introspection endpoint and SHOULD require protected resources to be specifically authorized to call the introspection endpoint.”It seems that the requirement imposed in Section 4 already mandate what is merely suggested in Section 5.
- [secdir] review of draft-ietf-oauth-introspection… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Stephen Kent
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer
- Re: [secdir] review of draft-ietf-oauth-introspec… Justin Richer