Can you reply to this today, Rifaat?
Thanks,
-- Mike
________________________________
From: Michael Jones
Sent: Saturday, July 6, 2024 12:55:19 PM
To: Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource
Metadata draft
What puzzles me of talking about downgrade attacks in this context is between
what points in time you are anticipating that a downgrade might occur. The
Resource Server advertises its proposed authentication methods in a
WWW-Authenticate response. The client then chooses one of them, probably
within milliseconds of receiving the WWW-Authenticate response. When in that
flow are you thinking that a downgrade might occur?
Remember that the client is essentially instantaneously using fresh information
provided by the resource server. It is not using information provided at some
prior time.
If not the text already proposed in the PR, what specifically would you suggest
that we say about downgrade possibilities?
-- Mike
From: Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
Sent: Saturday, July 6, 2024 5:05 AM
To: Michael Jones <michael_b_jo...@hotmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource
Metadata draft
A fair question is whether allowing clients to choose from among
supported authentication methods represents an opportunity for a downgrade
attack.
Since resource servers will only enumerate authentication methods acceptable
to them, by definition,
any choice made by the client from among them is one that the resource server
is OK with.
Thus, the resource server allowing the use of different supported
authentication methods
does not represent an opportunity for a downgrade attack.
A resource server could be configured to accept a method that is considered
secure at one time, that might be considered insecure later on.
A resource server could also be misconfigured with insecure methods.
For this reason, I still think that a discussion of a potential downgrade
attack is warranted in the security consideration section.
Regards,
Rifaat
On Sat, Jul 6, 2024 at 12:30 AM Michael Jones
<michael_b_jo...@hotmail.com<mailto:michael_b_jo...@hotmail.com>> wrote:
The PR https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/45
is intended to address these shepherd review comments. Please review.
Thanks,
-- Mike
From: Rifaat Shekh-Yusef
<rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>
Sent: Thursday, July 4, 2024 5:30 AM
To: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] Shepherd Review for OAuth 2.0 Protected Resource Metadata
draft
Mike, Phil, Aaron,
The following is my shepherd review for OAuth 2.0 Protected Resource Metadata
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-05.html
Comments/Questions
5.4. Compatibility with other authentication methods
Would this not open the door for potential downgrade attacks if the list of
authentication methods include weaker methods?
I think this should be discussed in the Security Consideration section.
Nits
Section 1, second sentence:
“This specification is intentionally as parallel as possible …”
It feels like there is a missing word after “intentionally”; maybe “designed”,
“specified”?
Regards,
Rifaat
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
