sbp opened a new issue, #335: URL: https://github.com/apache/tooling-trusted-releases/issues/335
[ASVS v5.0.0](https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf) criterion 10.4.5 recommends that DPoP or mTLS be used for refresh tokens, but allows rotation at L1 or L2. The L3 criterion 10.3.5 requires all access tokens to use DPoP or mTLS.

We currently allow the use of JWTs for the API, but this is an optimisation that, with our small number of users, we don't need to make. This would mean that the V9 criteria would not apply to ATR.

DPoP keys are not forward secure, but it appears that the main focus is on avoiding exfiltration of credentials from attacks on the network or application. Rotating refresh tokens is "forward secure", if that property can be said to apply to tokens rather than keys, but exfiltration can only be detected and mitigated upon audit failure or token reuse.

Because changing the API token format would require a complete change for all API users, we should decide on the format before widespread use of ATR. Using DPoP would change the way that tokens are generated. It would require the user to generate an Ed25519 keypair and then register the public key with ATR. There is a [Python reference implementation of Ed25519](https://ed25519.cr.yp.to/python/ed25519.py) which we could use in a helper script.
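The rotation alternative the issue weighs (ASVS 10.4.5 at L1/L2) only pays off if the server actually detects reuse, which is the "detected and mitigated upon ... token reuse" point above. The following is an added example, not code from the ATR project, showing a minimal server-side refresh-token store that rotates on every exchange, tracks each token's family, and revokes the whole family the moment a previously used token is replayed. Everything here is standard-library Python; the store layout, the `PermissionError` signalling, the one-hour TTL and the audit-log tuple format are assumptions made for the example.

```python
"""Refresh-token rotation with reuse detection (illustrative, stdlib only).

Each login starts a token *family*. Every exchange marks the presented token
as used and mints a successor in the same family. If a used token is ever
presented again, the legitimate client and an attacker both hold tokens from
that family and the server cannot tell which is which, so the entire family
is revoked and an audit event is recorded.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    family: str        # shared by every token descended from one login
    user: str
    expires_at: float
    used: bool = False  # set once the token has been exchanged


class RefreshTokenStore:
    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._by_hash: dict[str, TokenRecord] = {}  # sha256(token) -> record
        self._revoked_families: set[str] = set()
        self._ttl = ttl_seconds
        self._clock = clock
        self.audit_log: list[tuple] = []  # constructed audit trail for the example

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a database leak does not leak live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = TokenRecord(
            family=family, user=user, expires_at=self._clock() + self._ttl)
        return token

    def issue(self, user: str) -> str:
        """Start a fresh family at login and return its first refresh token."""
        return self._mint(user, secrets.token_hex(8))

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for its successor, enforcing single use."""
        rec = self._by_hash.get(self._digest(presented))
        if rec is None:
            self.audit_log.append(("unknown_token",))
            raise PermissionError("unknown refresh token")
        if rec.family in self._revoked_families:
            raise PermissionError("token family revoked")
        if rec.used:
            # Reuse: revoke every token in the family, including the one the
            # legitimate client currently holds, and force a fresh login.
            self._revoked_families.add(rec.family)
            self.audit_log.append(("reuse_detected", rec.family, rec.user))
            raise PermissionError("refresh token reuse detected; family revoked")
        if self._clock() > rec.expires_at:
            raise PermissionError("refresh token expired")
        rec.used = True
        return self._mint(rec.user, rec.family)

    def is_family_revoked(self, token: str) -> bool:
        rec = self._by_hash.get(self._digest(token))
        return rec is not None and rec.family in self._revoked_families


def demo() -> dict:
    """Walk through a normal rotation, then a replay of a stale token."""
    store = RefreshTokenStore()
    t1 = store.issue("alice")      # login
    t2 = store.rotate(t1)          # normal refresh
    t3 = store.rotate(t2)          # normal refresh
    replay_blocked = False
    try:
        store.rotate(t1)           # stale token presented again
    except PermissionError:
        replay_blocked = True
    current_blocked = False
    try:
        store.rotate(t3)           # the live token is now revoked too
    except PermissionError:
        current_blocked = True
    return {
        "replay_blocked": replay_blocked,
        "current_blocked": current_blocked,
        "family_revoked": store.is_family_revoked(t3),
        "reuse_events": [e for e in store.audit_log if e[0] == "reuse_detected"],
    }


if __name__ == "__main__":
    print(demo())
```

The cost of this scheme, visible in `demo()`, is that reuse detection cannot distinguish the thief from the victim, so the honest client is logged out as well; that is the trade the issue refers to when it says exfiltration is only mitigated "upon audit failure or token reuse", whereas DPoP prevents a stolen token from being usable without the private key in the first place.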
