Can you reply to this today, Rifaat?

Thanks,
-- Mike


________________________________
From: Michael Jones
Sent: Saturday, July 6, 2024 12:55:19 PM
To: Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource 
Metadata draft


What puzzles me of talking about downgrade attacks in this context is between 
what points in time you are anticipating that a downgrade might occur.  The 
Resource Server advertises its proposed authentication methods in a 
WWW-Authenticate response.  The client then chooses one of them, probably 
within milliseconds of receiving the WWW-Authenticate response.  When in that 
flow are you thinking that a downgrade might occur?



Remember that the client is essentially instantaneously using fresh information 
provided by the resource server.  It is not using information provided at some 
prior time.



If not the text already proposed in the PR, what specifically would you suggest 
that we say about downgrade possibilities?



                                                                -- Mike



From: Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Sent: Saturday, July 6, 2024 5:05 AM
To: Michael Jones <michael_b_jo...@hotmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource 
Metadata draft





A fair question is whether allowing clients to choose from among
 supported authentication methods represents an opportunity for a downgrade 
attack.
 Since resource servers will only enumerate authentication methods acceptable 
to them, by definition,
 any choice made by the client from among them is one that the resource server 
is OK with.
 Thus, the resource server allowing the use of different supported 
authentication methods
 does not represent an opportunity for a downgrade attack.



A resource server could be configured to accept a method that is considered 
secure at one time, that might be considered insecure later on.

A resource server could also be misconfigured with insecure methods.



For this reason, I still think that a discussion of a potential downgrade 
attack is warranted in the security consideration section.



Regards,

 Rifaat











On Sat, Jul 6, 2024 at 12:30 AM Michael Jones 
<michael_b_jo...@hotmail.com<mailto:michael_b_jo...@hotmail.com>> wrote:

The PR https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45 
is intended to address these shepherd review comments.  Please review.



                                                                Thanks,

                                                                -- Mike



From: Rifaat Shekh-Yusef 
<rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>
Sent: Thursday, July 4, 2024 5:30 AM
To: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata 
draft



Mike, Phil, Aaron,



The following is my shepherd review for OAuth 2.0 Protected Resource Metadata
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html

Comments/Questions

5.4. Compatibility with other authentication methods

Would this not open the door for potential downgrade attacks if the list of 
authentication methods include weaker methods?
I think this should be discussed in the Security Consideration section.


Nits

Section 1, second sentence:
“This specification is intentionally as parallel as possible …”
It feels like there is a missing word after “intentionally”; maybe “designed”, 
“specified”?

Regards,

 Rifaat


_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to