OAuth 2.0 Threat Model and Security Considerations
draft-ietf-oauth-v2-threatmodel-08
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-10-15
|
08 | Amy Vezza | State changed to RFC Ed Queue from Approved-announcement sent |
2012-10-12
|
08 | (System) | IANA Action state changed to No IC |
2012-10-12
|
08 | Amy Vezza | State changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2012-10-12
|
08 | Amy Vezza | IESG has approved the document |
2012-10-12
|
08 | Amy Vezza | Closed "Approve" ballot |
2012-10-12
|
08 | Amy Vezza | Ballot approval text was generated |
2012-10-12
|
08 | Amy Vezza | Ballot writeup was changed |
2012-10-12
|
08 | Stephen Farrell | Ballot writeup was changed |
2012-10-08
|
08 | Sean Turner | [Ballot comment] I've cleared. Thanks for addressing my discusses. |
2012-10-08
|
08 | Sean Turner | [Ballot Position Update] Position for Sean Turner has been changed to No Objection from Discuss |
2012-10-06
|
08 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-10-06
|
08 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-08.txt |
2012-10-02
|
07 | Stephen Farrell | State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation::AD Followup |
2012-09-20
|
07 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'No Response' |
2012-08-31
|
07 | Miguel García | Request for Telechat review by GENART Completed: Ready with Nits. Reviewer: Miguel Garcia. |
2012-08-30
|
07 | Cindy Morgan | State changed to IESG Evaluation::AD Followup from IESG Evaluation |
2012-08-30
|
07 | Sean Turner | [Ballot comment] 1) The base spec (https://datatracker.ietf.org/doc/draft-ietf-oauth-v2/) is now a "framework". Not sure that should also be reflected in this draft. 2) It … [Ballot comment] 1) The base spec (https://datatracker.ietf.org/doc/draft-ietf-oauth-v2/) is now a "framework". Not sure that should also be reflected in this draft. 2) It might be worth changing the note in s1 to a s1.1 and title it "disclaimer". 3) I'm thinking this might 4) s4.2.1: Often times we do the whole MTI (mandatory to implement) is not MTU (mandatory to use), but here it sounds like you really want to say: Authorization servers should consider such attacks when developing services based on OAuth, and should require *the use of* transport-layer security for any requests where the authenticity of the authorization server or of request responses is an issue (see Section 5.1.2). 5) Nits: s4.1.2: r/side/site s4.2.3: r/clients or unless/clients unless ? |
2012-08-30
|
07 | Sean Turner | Ballot comment text updated for Sean Turner |
2012-08-30
|
07 | Sean Turner | [Ballot discuss] Hoping these will be fairly easy to work through. 1) Entirely possible I missed this bit: My favorite bit in the base spec … [Ballot discuss] Hoping these will be fairly easy to work through. 1) Entirely possible I missed this bit: My favorite bit in the base spec is this bit: ... "leaves a few required components partially or fully undefined (e.g. client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate." s2.3 of this draft says: The OAuth protocol leaves deployments with a certain degree of freedom how to implement and apply the standard. and then goes on to talk about collocating servers. Is that fact that there's a list, which probably includes a whole lot more than those three things listed in the base spec, worth some additional text? I guess there's the note in s1, but shouldn't the fact that the framework isn't entirely specified be specifically called out? 2) s4.1.1: When you say "a particular client" in the 1st attack (from source code or binary) is that the attacker got my particular client's secret or that the attacker got client X's secret and everybody who uses client X now has no secret (I'm thinking like 1M people using a client that they've downloaded)? If it's the latter, it'd be better to clarify/amplify that a bit. 3) While processing the OAuth framework draft, the discussion around the SHOULD in s3.1.2.1 (Endpoint Request Confidentiality) basically came down to folks not really wanting to implement TLS for this bit. Basically, if we forced the MUST most folks would have ignored it. I think (correct me if I'm wrong) that this correlates to the discussion in s4.4.1.5/6 of this draft where the draft says the "client should point to a HTTPS ..." Are we saying for all those clients there's no countermeasure? |
2012-08-30
|
07 | Sean Turner | [Ballot comment] 1) The base spec (https://datatracker.ietf.org/doc/draft-ietf-oauth-v2/) is now a "framework". Not sure that should also be reflected in this draft. 2) It … [Ballot comment] 1) The base spec (https://datatracker.ietf.org/doc/draft-ietf-oauth-v2/) is now a "framework". Not sure that should also be reflected in this draft. 2) It might be worth changing the note in s1 to a s1.1 and title it "disclaimer". 3) I'm thinking this might 4) s4.2.1: Often times we do the whole MTI (mandatory to implement) is not MTU (mandatory to use), but here it sounds like you really want to say: Authorization servers should consider such attacks when developing services based on OAuth, and should require *the use of* transport-layer security for any requests where the authenticity of the authorization server or of request responses is an issue (see Section 5.1.2). 5) Nits: s4.1.2: r/side/site s4.1.2: (aside no action required) if the attacker can overcome the web application, then I'd say the standard web server protection measures aren't very good ;) s4.2.3: r/clients or unless/clients unless ? |
2012-08-30
|
07 | Sean Turner | [Ballot Position Update] New position, Discuss, has been recorded for Sean Turner |
2012-08-30
|
07 | Pete Resnick | [Ballot comment] I think having all of this analysis written down is fine, but I'm not convinced this document will end up being useful. It's … [Ballot comment] I think having all of this analysis written down is fine, but I'm not convinced this document will end up being useful. It's quite a bit of information in a form that I'm not sure any implementer will be able to get through and act on. But I certainly don't think we should dispose of all of this information. I just wish there was more meat on these bones. In particular: Introduction: Note: This document cannot assess the probability nor the risk associated with a particular threat because those aspects strongly depend on the particular application and deployment OAuth is used to protect. While this may be generally true, I do think it's possible to assess some sort of relative risk between this massive list of threats. I find the lack of such an assessment, along with the sheer volume of this document, makes the document significantly less useful than it might be. A few small comments on some earlier bits of the document that I hope will be useful for edits throughout the document, but if they don't get done, the world will not end: 3.7 says: Deployment-independent client_id with pre-registered redirect_uri and with client_secret This is an option for native applications only, since web application would require different redirect URIs. This category is not advisable because the client secret cannot be protected appropriately (see Section 4.1.1). You bet it's not advisable. :-) And I think that itself is a fine thing to say. But then 4.1.1 goes on to say: Attack: Obtain Secret From Source Code or Binary: This applies for all client types. It does? I thought it only applied to client types that are pre-configured with client secrets? Then in the Countermeasures, it says: Countermeasures: o Don't issue secrets to public clients or clients with inappropriate security policy - Section 5.2.3.1 OK, but that's effectively "don't use this deployment model", right? o Public clients require user consent - Section 5.2.3.2 That's worded badly. Do you mean, "Require user consent" as the counter measure? o Use deployment-specific client secrets - Section 5.2.3.4 Isn't this identical to the first bullet? o Client secret revocation - Section 5.2.3.6 That's not worded as a countermeasure. Do you mean, "Routinely revoke client secrets"? How can you do secret revocation without disabling entire implementations? In general, throughout the document, there are lots of things labeled "countermeasures" that are worded in noun form instead of verb form. For example, in 4.1.2 you have listed as a countermeasure: o Limited scope tokens - Section 5.1.5.1 It would be much clearer if these were all reworded as the action one should take, not the topic area regarding the counter measure. (If I have additional time, I'll add to this list of comments.) |
2012-08-30
|
07 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick |
2012-08-30
|
07 | Stewart Bryant | [Ballot comment] On the basis of a quick scan of the text I can see no Routing issues with this document and am thus taking … [Ballot comment] On the basis of a quick scan of the text I can see no Routing issues with this document and am thus taking a position of no objection. |
2012-08-30
|
07 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded for Stewart Bryant |
2012-08-29
|
07 | Adrian Farrel | [Ballot comment] I am ballotting No Objection based ona quick read and assuming that the Applications and Security ADs have done their jobs. |
2012-08-29
|
07 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel |
2012-08-29
|
07 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica |
2012-08-28
|
07 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks |
2012-08-28
|
07 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley |
2012-08-28
|
07 | Wesley Eddy | [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy |
2012-08-23
|
07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Miguel Garcia |
2012-08-23
|
07 | Jean Mahoney | Request for Telechat review by GENART is assigned to Miguel Garcia |
2012-08-23
|
07 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2012-08-17
|
07 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2012-08-16
|
07 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-07.txt |
2012-08-13
|
06 | Barry Leiba | [Ballot Position Update] New position, Yes, has been recorded for Barry Leiba |
2012-08-02
|
06 | Stephen Farrell | Placed on agenda for telechat - 2012-08-30 |
2012-08-02
|
06 | Stephen Farrell | State changed to IESG Evaluation from Waiting for AD Go-Ahead::Revised ID Needed |
2012-08-02
|
06 | Stephen Farrell | Ballot has been issued |
2012-08-02
|
06 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2012-08-02
|
06 | Stephen Farrell | Created "Approve" ballot |
2012-08-02
|
06 | Stephen Farrell | Ballot writeup was changed |
2012-07-13
|
06 | Miguel García | Request for Last Call review by GENART Completed. Reviewer: Miguel Garcia. |
2012-07-11
|
06 | Stephen Farrell | State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead |
2012-07-11
|
06 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call |
2012-07-10
|
06 | Stephen Farrell | Ballot writeup was changed |
2012-07-09
|
06 | Pearl Liang | IANA has reviewed draft-ietf-oauth-v2-threatmodel-06, which is currently in Last Call, and has the following comments: IANA understands that, upon approval of this document, there … IANA has reviewed draft-ietf-oauth-v2-threatmodel-06, which is currently in Last Call, and has the following comments: IANA understands that, upon approval of this document, there are no IANA Actions that need completion. |
2012-06-28
|
06 | Jean Mahoney | Request for Last Call review by GENART is assigned to Miguel Garcia |
2012-06-28
|
06 | Jean Mahoney | Request for Last Call review by GENART is assigned to Miguel Garcia |
2012-06-28
|
06 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Warren Kumari |
2012-06-28
|
06 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Warren Kumari |
2012-06-27
|
06 | Cindy Morgan | State changed to In Last Call from In Last Call |
2012-06-27
|
06 | Cindy Morgan | State changed to In Last Call from Last Call Requested |
2012-06-27
|
06 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Cc: oauth@ietf.org Reply-To: ietf@ietf.org Subject: Last Call: (OAuth 2.0 Threat Model and … The following Last Call announcement was sent out: From: The IESG To: IETF-Announce Cc: oauth@ietf.org Reply-To: ietf@ietf.org Subject: Last Call: (OAuth 2.0 Threat Model and Security Considerations) to Informational RFC The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 Threat Model and Security Considerations' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2012-07-11. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document gives additional security considerations for OAuth, beyond those in the OAuth specification, based on a comprehensive threat model for the OAuth 2.0 Protocol. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-threatmodel/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-oauth-v2-threatmodel/ballot/ No IPR declarations have been submitted directly on this I-D. |
2012-06-27
|
06 | Stephen Farrell | Last call was requested |
2012-06-27
|
06 | Stephen Farrell | Ballot approval text was generated |
2012-06-27
|
06 | Stephen Farrell | Ballot writeup was generated |
2012-06-27
|
06 | Stephen Farrell | State changed to Last Call Requested from AD Evaluation::AD Followup |
2012-06-27
|
06 | Stephen Farrell | Last call announcement was generated |
2012-06-27
|
06 | Stephen Farrell | Last call announcement was generated |
2012-06-27
|
06 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2012-06-27
|
06 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-06.txt |
2012-05-29
|
05 | Amy Vezza | Note added 'Barry Leiba (barryleiba@computer.org) is the document shepherd.' |
2012-05-29
|
05 | Stephen Farrell | State changed to AD Evaluation::Revised ID Needed from Publication Requested |
2012-05-28
|
05 | Barry Leiba | PROTO writeup for draft-ietf-oauth-v2-threatmodel-05 (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the … PROTO writeup for draft-ietf-oauth-v2-threatmodel-05 (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This documents security considerations for the OAuth framework that go beyond the level of considerations that are reasonable to include in the protocol documents themselves. Those documents have informative references to this one, and this is intended to provide additional information for implementation and deployment of OAuth. The intended status is Informational, and the document header says so. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction. This document gives additional security considerations for OAuth, beyond those in the OAuth specification, based on a comprehensive threat model for the OAuth 2.0 Protocol. The document: o Documents any assumptions and scope considered when creating the threat model. o Describes the security features in-built into the OAuth protocol and how they are intended to thwart attacks. o Gives a comprehensive threat model for OAuth and describes the respective counter measures to thwart those threats. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? This document began life as a working document for the development of a Security Considerations section of the base OAuth protocol document. It quickly became far too large for that purpose, and at IETF 80 a design team was set up to extract the key points for a proper Security Considerations section, leaving the remainder for this Informational document. Throughout the development, the goal has been to include as much as possible. There's been some discussion of whether this has resulted in a document that's too long to be practical. And that concern has resulted in some pushback at the end of its life cycle, resisting the addition of new material that seemed non-specific to OAuth. There have nevertheless been some compromises made, as some participants considered it important in a few cases to highlight threats that apply to services in general, but that might be falsely construed either as not applying to OAuth, or as being mitigated in some way by OAuth. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? In the end, we have a document that's thorough and well written, and that represents the consensus of the working group, with a liberal view toward inclusion. The authors have already noted, in the acknowledgments, key contributors and reviewers. Personnel Who is the Document Shepherd? Who is the Responsible Area Director? Barry Leiba is the document shepherd. Stephen Farrell is the responsible AD. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document has had good review and is ready for publication. The shepherd has reviewed several versions, both pre- and post-working-group-adoption, and has reviewed the final version carefully. A few changes were made during shepherd review, and the shepherd has no issues with the document. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. The document has had thorough review from the OAuth community, including a number of participants from the IETF Applications and Security areas. The shepherd is happy with the level of review. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No concerns. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. There are no IPR disclosures related to this document, and no one involved with the document is aware of any issues in this regard. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. See 7. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The working-group consensus is solid; the group as a whole understands and agrees with it. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. As with any document of this nature, there are those who think other threats and scenarios should be included, and some are necessarily left out. That said, we believe there's no "extreme discontent", and that enough is included so that everyone is reasonably happy that the topic is thoroughly covered. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. There are a couple of things called out by idnits. The ones about FQDNs and IP addresses are not applicable. There is a remaining citation to RFC1750 that needs to be changed to RFC4086, and we should put in an RFC Editor note for now. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. None required. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? This document depends upon and normatively references the OAuth v2 base specification, which is in IESG Evaluation. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change to the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of any other document. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). No actions are requested of IANA, and the IANA Considerations section says so. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. No formal language is used in this document. |
2012-05-28
|
05 | Barry Leiba | Intended Status changed to Informational |
2012-05-28
|
05 | Barry Leiba | IESG process started in state Publication Requested |
2012-05-27
|
05 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-05.txt |
2012-05-25
|
04 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-04.txt |
2012-05-25
|
03 | Torsten Lodderstedt | New version available: draft-ietf-oauth-v2-threatmodel-03.txt |
2012-02-19
|
02 | (System) | New version available: draft-ietf-oauth-v2-threatmodel-02.txt |
2011-11-22
|
02 | Barry Leiba | WGLC ends on 9 Dec |
2011-11-22
|
02 | Barry Leiba | IETF state changed to In WG Last Call from WG Document |
2011-10-26
|
01 | (System) | New version available: draft-ietf-oauth-v2-threatmodel-01.txt |
2011-07-01
|
00 | (System) | New version available: draft-ietf-oauth-v2-threatmodel-00.txt |