Hello Brian,
Section 2 states:
Under the attacker model defined in [I-D.ietf-oauth-security-topics],
the mechanism defined by this specification aims to prevent token
replay at a different endpoint.
More precisely, if an adversary is able to get hold of an access
token or refresh token because it set up a counterfeit authorization
server or resource server, the adversary is not able to replay the
respective token at another authorization or resource server.
The problem to be solved is NOT to prevent token replay at a different
endpoint, but to prevent token replay at the same or a different endpoint.
The text is only considering an adversary, but is omitting to consider
collusion attacks between clients.
Since [I-D.ietf-oauth-security-topics] is "OAuth 2.0 Security Best
Current Practice", the comments I sent to the list are applicable to
this document too.
DPoP is not able to counter collusion attacks between clients and this
should be clearly advertised in the abstract, in the main objectives
(section 2)
and in the security considerations (section 9).
Denis
Hello WG,
Just a quick note to let folks know that -03 of the DPoP draft was
published earlier today. The usual various document links are in the
forwarded message below and the relevant snippet from the doc history
with a summary of the changes is included here for convenience.
Hopefully folks will have time to read the (relativity) short document
before the meeting(s) in Singapore where (spoiler alert) I plan to ask
that the WG consider adoption of the draft.
Thanks,
-03
o rework the text around uniqueness requirements on the jti claim in
the DPoP proof JWT
o make tokens a bit smaller by using "htm", "htu", and "jkt" rather
than "http_method", "http_uri", and "jkt#S256" respectively
o more explicit recommendation to use mTLS if that is available
o added David Waite as co-author
o editorial updates
---------- Forwarded message ---------
From: <internet-dra...@ietf.org <mailto:internet-dra...@ietf.org>>
Date: Thu, Oct 31, 2019 at 11:53 AM
Subject: New Version Notification for draft-fett-oauth-dpop-03.txt
To: Torsten Lodderstedt <tors...@lodderstedt.net
<mailto:tors...@lodderstedt.net>>, Michael Jones <m...@microsoft.com
<mailto:m...@microsoft.com>>, John Bradley <ve7...@ve7jtb.com
<mailto:ve7...@ve7jtb..com>>, Brian Campbell
<bcampb...@pingidentity.com <mailto:bcampb...@pingidentity.com>>,
David Waite <da...@alkaline-solutions.com
<mailto:da...@alkaline-solutions.com>>, Daniel Fett
<m...@danielfett.de <mailto:m...@danielfett.de>>
A new version of I-D, draft-fett-oauth-dpop-03.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.
Name: draft-fett-oauth-dpop
Revision: 03
Title: OAuth 2.0 Demonstration of Proof-of-Possession at the
Application Layer (DPoP)
Document date: 2019-10-30
Group: Individual Submission
Pages: 15
URL: https://www.ietf.org/internet-drafts/draft-fett-oauth-dpop-03.txt
Status: https://datatracker.ietf.org/doc/draft-fett-oauth-dpop/
Htmlized: https://tools.ietf.org/html/draft-fett-oauth-dpop-03
Htmlized: https://datatracker.ietf.org/doc/html/draft-fett-oauth-dpop
Diff: https://www.ietf.org/rfcdiff?url2=draft-fett-oauth-dpop-03
Abstract:
This document describes a mechanism for sender-constraining OAuth 2.0
tokens via a proof-of-possession mechanism on the application level.
This mechanism allows for the detection of replay attacks with access
and refresh tokens.
Please note that it may take a couple of minutes from the time of
submission
until the htmlized version and diff are available at tools.ietf.org
<http://tools.ietf.org>.
The IETF Secretariat
/CONFIDENTIALITY NOTICE: This email may contain confidential and
privileged material for the sole use of the intended recipient(s). Any
review, use, distribution or disclosure by others is strictly
prohibited.. If you have received this communication in error, please
notify the sender immediately by e-mail and delete the message and any
file attachments from your computer. Thank you./
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
