Dear all,
I have a few comments about the leakage of access tokens and the
underlying assumptions:
Section 2, A5 should be clarified:
"a resource server can be compromised by an attacker": Is the assumption
that the attacker cannot get access to the resources stored at the
compromised RS (or only parts of it)? Otherwise, the attacker does not
need to get an AT anymore. A more differentiated view on RS
compromise is already given in Section 4.8.2, but this is not
reflected in A5.
Also, A5 states that "an access token may be sent to an
attacker-controlled resource server due to a misconfiguration," which
does not require the compromise of an honest RS.
Perhaps one could be more generic here and just say that the AT leaks to
the attacker. However, a misconfigured RS endpoint not only gets the
request to this endpoint (containing an AT) but can also respond and
provide the RO with wrong resources. At the same time, if, say, the RO
thinks that she is connected to her cloud storage, the attacker would
get access to all uploaded data.
Is this really what A5 should express, or is the primary focus on the
leakage of the AT?
Also, for this or the next version of this document, the Cuckoo's Token
attack (see Section IV-A of http://arxiv.org/abs/1901.11520/) should
be addressed. We also discussed this issue extensively at the last OSW
in Stuttgart.
Typo: Section 3.5: MTLS -> mTLS
Best regards
Pedram Hosseyni
--
Pedram Hosseyni, M.Sc.
Room V38 2.438
Institute of Information Security - SEC
Universität Stuttgart
Universitätsstraße 38
D-70569 Stuttgart
Germany
Phone: +49 711 685 88454
https://sec.uni-stuttgart.de
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
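The message above raises the case of an access token being sent to the wrong (misconfigured or attacker-controlled) resource server. The following is an added illustration, not code from the post, the draft, or any project it mentions, of the two audience checks that limit the damage in that situation: the client attaches a token only to requests for the origin the token was issued for, and the resource server accepts only tokens whose audience names itself. All token values, URLs, and the `introspect` lookup table are constructed for the example.

```python
"""Audience checks against access-token leakage to the wrong resource server.

Everything here is a constructed illustration: the token values, the
resource-server origins and the in-memory introspection table are
assumptions made for the example, not data from the draft or the post.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class AccessToken:
    value: str
    audience: str  # origin of the resource server the token was issued for


class TokenSendRefused(Exception):
    """Raised when a client would otherwise send a token to a foreign origin."""


def origin_of(url: str) -> str:
    """Normalise a resource URL to its https origin, e.g. https://host:443."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https URLs with a host are accepted")
    port = parts.port or 443
    return f"https://{parts.hostname}:{port}"


def client_prepare_request(token: AccessToken, resource_url: str) -> dict:
    """Client-side check: attach the token only if the request goes to the
    origin the token was issued for. A misconfigured RS URL therefore never
    receives the token in the first place."""
    target = origin_of(resource_url)
    if target != token.audience:
        raise TokenSendRefused(
            f"token issued for {token.audience} not sent to {target}")
    return {
        "url": resource_url,
        "headers": {"Authorization": f"Bearer {token.value}"},
    }


# Constructed stand-in for a token introspection response (RFC 7662 style):
# token value -> claims the authorization server would report.
INTROSPECTION = {
    "tok-abc": {"active": True, "aud": "https://storage.example:443"},
    "tok-old": {"active": False, "aud": "https://storage.example:443"},
}


def introspect(token_value: str) -> Optional[dict]:
    """Look the token up in the constructed introspection table."""
    return INTROSPECTION.get(token_value)


def resource_server_authorize(rs_origin: str, presented_token: str) -> bool:
    """RS-side check: accept a token only if it is active and its audience is
    this resource server. A token that leaked to another RS is useless here,
    and a token issued for another RS is rejected here."""
    claims = introspect(presented_token)
    if claims is None or not claims.get("active"):
        return False
    return claims.get("aud") == rs_origin


if __name__ == "__main__":
    tok = AccessToken("tok-abc", "https://storage.example:443")
    print(client_prepare_request(tok, "https://storage.example/files/1"))
    try:
        client_prepare_request(tok, "https://wrong-host.example/files/1")
    except TokenSendRefused as exc:
        print("refused:", exc)
    print(resource_server_authorize("https://storage.example:443", "tok-abc"))
    print(resource_server_authorize("https://wrong-host.example:443", "tok-abc"))
```

The client-side check is what prevents the request to the misconfigured endpoint from carrying the token at all; the RS-side check is what makes a token that did leak to one RS worthless at every other RS.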