[Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)

Manger, James James.H.Manger at team.telstra.com
Thu May 25 03:22:34 UTC 2017 

That pseudo-code is dangerous. We definitely do NOT want to hash the raw client.jwks_uri or client.notification_uri. We need to hash the domain name from these URIs. That allows the app owner to later specify a sector_identifier_uri (in the same domain) if they are deploying a related app (on a different domain) that needs to recognize the same users.

CIBA cannot say "Sector Identifier Validation at registration time is out-of-scope", as in section 4 "Pairwise identifiers" of the "24 Mai" version. It must be in-scope because CIBA is adding new rules that jwks_uri and/or notification_uri needs to be listed in the content at sector_identifier_uri.

Mandating that CIBA clients have registered a sector_identifier_uri is reasonable.
We should also mandate (or at least very strongly recommend) that sector_identifier_uri has a specific path, such as https://<sector_id>/.well-known/openid/apps.json<https://%3csector_id%3e/.well-known/openid/apps.json>. Otherwise an attacker can pretend to have a given sector_id by finding/creating a resource (or redirect) anywhere on https://<sector_id>/<https://%3csector_id%3e/> that returns a JSON array with the attacker's URI.

--
James Manger


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of nicolas.aillery at orange.com
Sent: Wednesday, 24 May 2017 7:41 PM
To: Axel.Nennker at telekom.de
Cc: openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)

Hello Axel,

   I agree with mandatory sector_identifier_uri when using CIBA.
   There is also a need to add security in the section "5.  "sector_identifier_uri" Validation" of OpenID.Registration, if we want to prevent the spoofing of sector_identifier_uri by a malicious Client,

Regards,

Nicolas

De : Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] De la part de Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>
Envoyé : mercredi 24 mai 2017 11:31
À : openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Objet : Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)

A CIBA spec mandating sector_identifier_uri if the OP uses Pairwise Identifiers is here:
https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1

WDYT?

//Axel

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Nennker, Axel
Sent: Mittwoch, 24. Mai 2017 10:06
To: openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Subject: Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)


Hi all,



I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.



In pseudo code the calculation of sub could look like this:

// Client is authenticated at this point

If (client.sector_identifier) then

  // if we have a registered client identifier then use it

  sub = SHA-256 ( client.sector_identifier || local_account_id || salt );

else

  //need to determine sector_identifier to use as non is registered for this Client

  If (request_object && client.jwks_uri) then

    // request object signature is valid and key from client.jwks_uri was used to sign it

    sub = SHA-256 ( client.jwks_uri || local_account_id || salt );

  else

    // no registered sector_identifier, no request_object

    if (client.notification_uri) then

      // not polling but notification mode

      sub = SHA-256 ( client.notification_uri || local_account_id || salt );

    else

      // polling mode but not sector_identifier registered

      response.setError("invalid_request");

      logError("invalid_request", "no sector identifier for %s", client.id);

      return;

    endif

  endif

endif

// have sub that is a pairwise identifier here



Having said all that I currently tend to change the spec to say:

"In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended".



Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?



Cheers

Axel


Pairwise Identifier Algorithm

https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg



"sector_identifier_uri" Validation

https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation



-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Axel Nennker
Sent: Dienstag, 23. Mai 2017 15:33
To: openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Subject: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)



New issue 52: CIBA Pairwise Identifiers Structuring Text https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text



Axel Nennker:



Should the text regarding Pairwise Identifiers be in its own section or should it stay in the sections on polling and notification?



Polling: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1

Notification: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3



References to other specs:

Core: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

Validation of sector_identifier: https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation





Axel



Responsible: ignisvulpis

_______________________________________________

Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net<mailto:Openid-specs-mobile-profile at lists.openid.net>

http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile

_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170525/b3db999b/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list