Closed findthomas closed 9 years ago
Assigned to Rich Goodwin and George Fletcher.
Here are some thoughts on draft-ietf-oauth-v2-threatmodel-06, which was published on 27 Jun 2012 (http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-06):
General: Most of this threatmodel applies to UMA as well, particularly the OAuth-specific flows that involve PATs and AATs. The notes that follow try to identify new or extended security considerations.
Sec 2.1: List of items out of scope:
Sec 2.2: Attack assumptions:
Sec 2.3: Architectural assumptions: We have some of these types of assumptions in our charter, as part of our design principles. So our own security considerations text should mention those.
Sec 2.3.1: AM: Our AM (similar to OAuth's AS) would store the equivalents to the listed items, including authorizing user credentials (= user names and passwords), host and requester client credentials (two sets vs. OAuth's one), host and requester client-specific refresh and access tokens (ditto), and RPTs (new).
Sec 2.3.2: RS: Our host would have to store its own client credentials and refresh and access tokens to use at the AM, along with the other items listed.
Sec 2.3.3: Client: Hmm. We would probably want to break out this series of sections into AM (extended AS), host (has aspects of RS and also client), and requester (has "normal" client aspects).
Sec 3.1: Tokens: We'd have to discuss PATs, AATs, and RPTs, along with the rest.
Sec 3.1.1: Scope:
Sec 3.6: Does UMA need a state parameter for RPTs? We don't currently have one (we just have one for claims-gathering flows, which is different).
Sec 3.7: client identifier:
Sec 4: Threats: UMA needs to go through a process of identifying and documenting additional threats, attacks, and countermeasures on top of OAuth, considering:
Further, does it make sense to look at all the same components through the eyes of privacy considerations, looking for direct exposure to "too much information" and also inappropriate opportunities to correlate identities?
Domenico's comments from 10 Dec 2012:
here are my first comments about OAuth threat model applied to UMA spec.
Are the bearer tokens suffice in this case?
The OAuth 2.0 threat model doc was finalized as IETF RFC 6819: https://tools.ietf.org/html/rfc6819
Changed the issue name to reflect the fact that the threat model has been published.
Re Domenico's comments from Dec 10, 2012, I believe we have handled the "implicit"/"person to person" security considerations and also the "status"/"redirect" security considerations in Core rev 11f, Section 8.1, Redirection and Impersonation Threats (https://docs.kantarainitiative.org/uma/draft-uma-core.html#rfc.section.8.1).
Re my comments from Aug 5, 2012, I believe we have handled the "host as client", "requester as client", "AM as protection API server", and "AM as authorization API server" security considerations in Core rev 11f, Section 8.2, Client Authentication (https://docs.kantarainitiative.org/uma/draft-uma-core.html#rfc.section.8.2), as well as throughout the text. We have handled the fact that "authorizing user/requesting party" is "person to person" as already noted above.
We have accounted for privacy considerations that map to security considerations as they have come up in our analysis work.
We could probably do with more discussion about the relationship between RPTs and different kinds of UMA clients (public, confidential, etc.) to see if there are particular threat scenarios there, at least in light of the one kind of RPT profile we have so far.
One more security consideration worth discussing: Are there any security considerations related to the icon_uri supplied in Section 2.1 (scope description) and Section 2.2 (resource set description) during resource set registration? What if it's a third-party URI and it contains something malicious? The AS is vulnerable to the RS picking "good" icon sources. If the domain matching the RS's own domain, the risk is perhaps lower, but perhaps not even. There are actually two levels of risk: Loading malicious code, and displaying a misleading icon to the RO (something like the "display name" problem). Should we say anything about this? Any current practices to be aware of? Any mitigations?
Most of these have been dealt with in Core rev 11, the V1.0 candidate. Created new issue #125 as a bucket for new security considerations.
Provide commentary on any requirements layered on the forthcoming OAuth security considerations section; discuss UMA-layer implications for more meaningful authentication of requesters/requesting parties; discuss implications of user-mediated AM/host trust model; discuss short-lived token technique for lightweight requester correlation... (Someone want to take this AI?)
[Previously #18]