Yes, this completely upends the security assumptions of PoP as we know it. That's exactly why we should discuss this as a distinct pattern, because people are doing this in the wild and it needs to be handled differently.

________________________________
From: Watson Ladd <watsonbl...@gmail.com>
Sent: Thursday, June 5, 2025 1:15 PM
To: Justin Richer <jric...@mit.edu>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Deferred Key Binding / TMB
On Thu, Jun 5, 2025 at 9:45 AM Justin Richer <jric...@mit.edu> wrote:
>
> Hi Chairs and WG,
>
> Back in Bangkok, we presented the draft
> https://datatracker.ietf.org/doc/draft-richer-oauth-tmb-claim/ that
> introduces, in a concrete way, the notion of getting a token bound to a key
> that you don’t possess. As we discussed, this is a topic that keeps coming up
> in the OAuth space and is usually dutifully pushed aside for the sake of
> simplicity (and some would argue sanity).
>
> The chairs mentioned pulling together an interim meeting for the OAuth WG for
> us to discuss this topic ahead of Madrid, to see if there was anything more
> we as a community want to do with it. As we’re now more than halfway between
> the meetings, we wanted to bring that up again and see if that interim can
> get scheduled soon. I’d also like to encourage people to read through the
> draft and open the discussion here on the list more.

This draft, plus the properties of many existing signature schemes like RSA and ECDSA, creates the possibility of an attacker getting a credential issued that will work with an already existing PoP exchange without actually having possession of the key. (They register the credential after seeing the PoP exchange, but before finishing). This is a very subtle change in the semantics that likely invalidates a lot of security assumptions. Why do we need to do this?

>
> — Justin

--
Astra mortemque praestare gradatim
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
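The property Watson is pointing at, shown in code. This is an added example, not code from the thread or from draft-richer-oauth-tmb-claim: it implements textbook ECDSA on secp256k1 (the curve constants are the published ones; the private key, per-signature nonce and token strings are constructed for the demo) and recovers, from a single observed proof, every public key under which that proof verifies, the signer's real key among them. That is why a signature check on its own cannot tell a key the presenter holds from a key the presenter merely watched being used. The `check_proof` verifier with its `ath`, `nonce_issued_at` and `token_iat` fields is a toy of my own and not the draft's format; `ath` borrows the DPoP (RFC 9449) idea of hashing the access token into the proof. The thread also names RSA; only ECDSA is shown here.

```python
import hashlib
import json

# Minimal secp256k1 ECDSA for illustration only; constants are the published curve parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signature of msg under private key d using per-signature nonce k."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * d) % N
    return (r, s)


def verify(Q, msg, sig):
    r, s = sig
    if Q is None or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    X = point_add(point_mul(hash_to_int(msg) * w % N, G), point_mul(r * w % N, Q))
    return X is not None and X[0] % N == r


def recover_public_keys(msg, sig):
    """Every key that validates (msg, sig): Q = r^-1 (s*R - z*G) for each R with x(R) = r (SEC 1, 4.1.6)."""
    r, s = sig
    z = hash_to_int(msg)
    keys = []
    for x in (r, r + N):  # cofactor is 1, so only these x-coordinates can reduce to r
        if x >= P:
            continue
        rhs = (x**3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P != rhs:
            continue
        for R in ((x, y), (x, P - y)):
            Q = point_mul(pow(r, -1, N), point_add(point_mul(s, R), point_mul(N - z, G)))
            if verify(Q, msg, sig):
                keys.append(Q)
    return keys


# Toy proof-of-possession verifier (constructed; not the draft's or DPoP's wire format).
def proof_payload(nonce, ath):
    return json.dumps({"nonce": nonce, "ath": ath}, sort_keys=True).encode()


def token_hash(access_token):
    return hashlib.sha256(access_token.encode()).hexdigest()


def check_proof(proof, access_token, bound_key, nonce_issued_at, token_iat):
    """Beyond the signature, insist the proof post-dates the binding it claims to demonstrate."""
    if not verify(bound_key, proof_payload(proof["nonce"], proof["ath"]), proof["sig"]):
        return "bad-signature"
    if proof["ath"] != token_hash(access_token):
        return "ath-mismatch"  # the proof was not made over this token
    if nonce_issued_at < token_iat:
        return "stale-nonce"  # the proof answers a challenge older than the token binding
    return "ok"


def demo():
    d = 0x1C3A5E7F9B2D4C6E8A0B1D3F5A7C9E0B2D4F6A8C0E1B3D5F7A9C1E3B5D7F9A1C  # constructed private key
    k = 0x7A9F1B3D5C7E9F0A2B4C6D8E0F1A3B5C7D9E0F2A4B6C8D0E1F3A5B7C9D0E2F4A  # constructed nonce
    Q = point_mul(d, G)
    # 1. A legitimate client signs a challenge before any token exists (nothing to put in ath yet).
    msg = proof_payload("nonce-A", "")
    sig = sign(d, msg, k)
    # 2. Anyone who saw that exchange can name keys under which it verifies, the real one among them.
    candidates = recover_public_keys(msg, sig)
    # 3. A token later bound to such a key verifies against the captured proof, so only the
    #    ordering checks separate "possessed the key" from "observed the key being used".
    bound = candidates[0]
    verdict = check_proof({"nonce": "nonce-A", "ath": "", "sig": sig}, "token-issued-afterwards",
                          bound, nonce_issued_at=100, token_iat=200)
    return Q in candidates, len(candidates), verify(bound, msg, sig), verdict
```

Running `demo()` returns two candidate keys, both of which verify the captured proof, with the real key among them; the signature check therefore passes, and it is the `ath` (the token did not exist when the proof was signed) and the nonce-before-binding check that reject it. Those two ordering checks are what a verifier loses once a token can be bound to a key after the proof for that key has already been seen.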