[Openid-specs-risc] CSRB Recommendation
Tom Sato
toms at vericlouds.com
Thu Jul 4 22:58:16 UTC 2024
Hi
Having spent some time reviewing the US Government's Cyber Safety Review Board's report "Review of the Summer 2023 Microsoft Exchange Online Intrusion" (March 20, 2024), I believe the SSF WG should discuss adding OAuth 2.0 DPoP to the CAEP Interoperability Profile.
The report is published at CISA:
https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023
The report specifically recommends that identity cloud service providers adopt and implement SSF and OAuth DPoP, and because it also recommends that FedRAMP review current government procurement with respect to cybersecurity, it is likely that our industry will start the development process now.
Here is the quote:
2.1.4 DIGITAL IDENTITY STANDARDS AND GUIDANCE
The Board finds that the current ecosystem of Digital Identity standards does not provide the security necessary to counter modern threat actors, and that some CSPs have not sufficiently prioritized implementing emerging standards that improve the security of digital identity systems. This is both a current problem (the need to implement emerging standards) and a long-term need (upleveling the security bar of digital identity standards). The Board recommends the following.
RECOMMENDATION 11: CSPs should implement emerging standards such as Open Authorization (OAuth) 2 Demonstrating Proof-of-Possession (DPoP) (bound tokens) and OpenID Shared Signals and Events (SSE) (sharing session risk) that better secure cloud services against credential related attacks.
RECOMMENDATION 12: Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems.
RECOMMENDATION 13: CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope.
OAuth 2.0 DPoP:
https://datatracker.ietf.org/doc/html/rfc9449
Hope this helps.
Tom Sato
BoD
VeriClouds
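To make concrete what the "bound tokens" of Recommendation 11 mean in practice, here is an added example that is not part of Tom's message, of the CSRB report or of the SSF/CAEP specifications: a minimal RFC 9449 DPoP proof issuer (client side) and proof checker (resource-server side) in Go, using only the standard library. The resource URL, the opaque access-token string, the 60-second iat acceptance window and the in-memory jti replay cache are assumptions made for this demonstration; the expectedJKT value stands in for the cnf.jkt claim an authorization server would place in a DPoP-bound access token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url, no padding

// JWK carries the client's public P-256 key in the proof header. Fields are in the
// RFC 7638 lexical order, so json.Marshal already yields the canonical thumbprint input.
type JWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type header struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	JWK JWK    `json:"jwk"`
}

// RFC 9449 section 4.2 claims: jti defeats replay, htm/htu pin the request, and
// ath = base64url(SHA-256(access token)) ties the proof to the token presented with it.
type claims struct {
	JTI string `json:"jti"`
	HTM string `json:"htm"`
	HTU string `json:"htu"`
	IAT int64  `json:"iat"`
	ATH string `json:"ath,omitempty"`
}

func PublicJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Crv: "P-256", Kty: "EC",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint (RFC 7638) is the value the authorization server puts in the
// DPoP-bound access token's cnf.jkt claim.
func Thumbprint(k JWK) string {
	canon, _ := json.Marshal(k)
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// MakeProof builds the per-request proof the client sends in the "DPoP" header
// next to "Authorization: DPoP <token>". ES256 is ECDSA over P-256 with SHA-256.
func MakeProof(priv *ecdsa.PrivateKey, method, url, token string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	ath := sha256.Sum256([]byte(token))
	hdr, _ := json.Marshal(header{Typ: "dpop+jwt", Alg: "ES256", JWK: PublicJWK(&priv.PublicKey)})
	pl, _ := json.Marshal(claims{JTI: b64.EncodeToString(jti), HTM: method, HTU: url, IAT: now.Unix(), ATH: b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the resource-server check (RFC 9449 section 4.3). expectedJKT is the
// cnf.jkt the AS bound into the token; seen is the (non-nil) jti replay cache.
func VerifyProof(proof, method, url, token, expectedJKT string, now time.Time, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	rawHdr, e1 := b64.DecodeString(parts[0])
	rawPl, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	h, c := header{}, claims{}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(rawHdr, &h) != nil || json.Unmarshal(rawPl, &c) != nil {
		return errors.New("bad encoding")
	}
	// Pin typ, alg and curve: the header must never be allowed to choose the algorithm.
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK.Kty != "EC" || h.JWK.Crv != "P-256" {
		return errors.New("unexpected typ, alg or key type")
	}
	xb, _ := b64.DecodeString(h.JWK.X) // undecodable coordinates give an off-curve point,
	yb, _ := b64.DecodeString(h.JWK.Y) // which the IsOnCurve check below rejects
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	// The binding itself: a stolen token replayed under any other key fails here.
	if Thumbprint(h.JWK) != expectedJKT {
		return errors.New("proof key does not match token cnf.jkt")
	}
	ath := sha256.Sum256([]byte(token))
	if c.HTM != method || c.HTU != url || c.ATH != b64.EncodeToString(ath[:]) {
		return errors.New("htm, htu or ath do not match this request")
	}
	if d := now.Unix() - c.IAT; d < -60 || d > 60 || seen[c.JTI] { // 60 s window is an assumed policy
		return errors.New("stale iat or replayed jti")
	}
	seen[c.JTI] = true
	return nil
}

func main() {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt := Thumbprint(PublicJWK(&client.PublicKey)) // what the AS bound the token to
	token, url := "constructed-opaque-token", "https://rs.example/resource"
	proof, _ := MakeProof(client, "GET", url, token, time.Now())
	fmt.Println(VerifyProof(proof, "GET", url, token, jkt, time.Now(), map[string]bool{}))
}
```

The point of the example is the order of checks in VerifyProof: the signature proves possession of some key, but only the thumbprint comparison against the token's cnf.jkt proves it is the key the token was issued to, which is what stops an attacker who has exfiltrated the bearer string from using it with a key of their own. A production verifier would additionally honour the server-provided nonce mechanism that RFC 9449 defines for tightening the freshness window, which this example leaves out.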