Hi all,

I spoke to a few people after the OAuth WG meeting on Monday, Jul 25, 2022.
I took some notes, which I would like to share here in order to facilitate
the discussion in the side meeting

   - My presentation from the IETF 114 OAuth WG Meeting is here:
     <https://datatracker.ietf.org/doc/slides-114-oauth-do-we-need-a-rpc-security-standard/>
   - The problem is similar to / same as the “confused deputy problem”
     (described in the AWS docs
     <https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html>
     or on Wikipedia
     <https://en.wikipedia.org/wiki/Confused_deputy_problem#:~:text=The%20confused%20deputy%20problem%20occurs,explicit%20to%20change%20the%20authority.>)
   - There is no standard way of securing RPCs today. See this NIST
     publication (Aug 2019) for a good overview of best current practices:
     <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204.pdf>
   - The MITRE proposal for token chaining may be relevant:
     <https://datatracker.ietf.org/doc/slides-114-oauth-token-and-identity-chaining/>
   - Any RPC security standard that we come up with should provide
     implementers with distinct benefits, and should not be onerous.

Goals of a RPC Security Standard

It’s worth reiterating the goals of any standards effort here:

   1. RPCs should preserve user and scope so that the “confused deputy
      problem” does not arise.
   2. Callers should be able to downscope the authorization of downstream
      calls.
   3. This should work across services / microservices belonging to the same
      organization, or belonging to different organizations (typically through
      publicly documented APIs), regardless of whether this is happening within
      the same cloud platform provider or across multiple cloud platforms.
   4. It should be super efficient in order to not increase the latency or
      throughput of such a frequent action as a RPC.


I look forward to discussing this further in the side meetings. A PDF
version of the notes is attached.

Thanks,
Atul
--

Atul Tulshibagwale
CTO, SGNL <https://sgnl.ai>
<https://twitter.com/zirotrust>  <https://www.linkedin.com/in/tulshi>

Attachment: RPC Security Standard Requirement.pdf
Description: Adobe PDF document

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
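The confused-deputy scenario and goals 1 and 2 above (preserve the user, let callers downscope), as an added worked example that is not part of the post, the MITRE proposal or any IETF draft. It models a two-hop RPC chain in Python: an "export" service acts for a user and calls a downstream "files" service. The vulnerable version forwards the service's own ambient credential; the hardened version mints a chained token that keeps the user's subject, records the deputy in an "act" claim and refuses to widen scope. The token format (HMAC-signed JSON with a shared key), the claim names and the service names are assumptions made for the illustration, not the format of any standard.

```python
"""Toy model of the confused-deputy problem in an RPC chain and of a
token-chaining fix that preserves the user and downscopes authorization.

Hypothetical example: the HMAC-signed JSON token, the claim names
(sub/scope/aud/act) and the service names are assumptions for the demo.
A real deployment would use asymmetric signatures and proper key handling.
"""
import hashlib
import hmac
import json
from typing import Optional

KEY = b"shared-secret-for-the-example"  # constructed for the example only


def mint(subject: str, scopes: set, audience: str, actor: Optional[str] = None) -> str:
    """Issue a token for `subject` limited to `scopes`, addressed to `audience`.
    `actor` names the service acting on the subject's behalf (None for the
    user's original token), so the chain stays visible downstream."""
    claims = {"sub": subject, "scope": sorted(scopes), "aud": audience, "act": actor}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify(token: str, expected_audience: str) -> dict:
    """Check the signature and that the token was issued for this service."""
    body, tag = token.rsplit(".", 1)
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, tag):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != expected_audience:
        raise PermissionError("token not meant for this service")
    return claims


def chain(incoming: str, my_name: str, downstream: str, wanted: set) -> str:
    """Goals 1 and 2: forward the caller's identity and never widen scope.
    The downstream token may carry any subset of the incoming scopes."""
    claims = verify(incoming, expected_audience=my_name)
    allowed = set(claims["scope"])
    if not wanted <= allowed:
        raise PermissionError(f"cannot escalate {sorted(wanted - allowed)}")
    return mint(claims["sub"], wanted, downstream, actor=my_name)


# --- downstream "files" service -------------------------------------------
def files_delete(token: str) -> str:
    claims = verify(token, expected_audience="files")
    if "files:delete" not in claims["scope"]:
        raise PermissionError(f"{claims['sub']} lacks files:delete")
    return f"deleted by {claims['sub']} via {claims['act']}"


# --- the deputy: an "export" service calling files on behalf of users -----
SERVICE_TOKEN = mint("svc:export", {"files:read", "files:delete"}, "files")


def export_confused(user_token: str) -> str:
    """Vulnerable: authenticates the user, then calls downstream with the
    service's own broad credential. The user's identity and scope are lost,
    so a read-only user can trigger a delete (confused deputy)."""
    verify(user_token, expected_audience="export")
    return files_delete(SERVICE_TOKEN)


def export_chained(user_token: str) -> str:
    """Hardened: the downstream call carries the user's subject and a scope
    no wider than the one the user presented."""
    return files_delete(chain(user_token, "export", "files", {"files:delete"}))


def demo() -> dict:
    alice = mint("alice", {"files:read"}, "export")                   # read-only user
    bob = mint("bob", {"files:read", "files:delete"}, "export")       # may delete
    results = {"confused": export_confused(alice)}                    # delete succeeds: bug
    try:
        results["chained_alice"] = export_chained(alice)
    except PermissionError as e:
        results["chained_alice"] = str(e)                             # escalation refused
    results["chained_bob"] = export_chained(bob)                      # legitimate delete
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the deputy deleting on behalf of read-only "alice" when it uses its own credential, the chained variant refusing that same request, and the chained variant still working for "bob", whose original token carries files:delete. The same `chain()` call with a narrower `wanted` set is how a caller downscopes before a downstream hop.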
