The only thing that can identify the resource is the printer's URL, since
it is the only value locked down by the printer's (valid!) certificate.
When you take control over a host with a valid certificate, you can change
everything but its URL. To change the URL you would need a new certificate
and changes in DNS configuration.
So, if you allow the client to use any self-reported ID as a resource ID
(instead of the URL), this kind of host can impersonate any printer in the
network.
On Wed, Nov 30, 2022 at 7:57 AM Kennedy, Smith (Wireless & IPP Standards)
via ipp <ipp at pwg.org> wrote:
> Hi Mike,
>> On Nov 9, 2022, at 7:39 AM, Michael Sweet <msweet at msweet.org> wrote:
>> CAUTION: External Email
>> *From: *Michael Sweet <msweet at msweet.org>
> *Subject: **Re: [IPP] Add "oauth-authorization-resource" attribute?*
> *Date: *November 9, 2022 at 7:39:14 AM MST
> *To: *"Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy at hp.com>
> *Cc: *PWG IPP Workgroup <ipp at pwg.org>
>>> Smith,
>> On Nov 8, 2022, at 11:56 PM, Kennedy, Smith (Wireless & IPP Standards) <
>smith.kennedy at hp.com> wrote:
> ...
> If an Authentication Service supports a certificate or some other more
> trustable artifact as a resource identifier, perhaps one provisioned to the
> printer at the time the printer is registered, that could improve the
> situation, right? I thought we discussed that at the August F2F.
>>> Yes, for authenticating the System/Printer/Proxy to the auth server -
> that's one of the things MS does for their Universal Print Service.
>> The point of the Client passing the printer-uri/system-uri when doing
> token exchange is to limit the potential exposure of credentials. The
> Client will have already validated the Printer's X.509 certificate when it
> connects to do a Get-Printer-Attributes, and then the authorization server
> can validate that the System/Printer/Proxy has registered *that*
> printer-uri/system-uri. That combined with the Client validating the
> oauth-authorization-server-uri value will minimize the likelihood of a
> breach.
>> Regardless, I think that it would be better for the client to use the
> value provided by a purpose-defined but abstract attribute like
> "oauth-authorization-resource-id" instead of instructing or guiding clients
> to use "printer-uuid" or "printer-uri". The value held by
> "oauth-authorization-resource-id" could be a URI or a UUID (printer-uuid or
> some other UUID).
>>> There is no way to validate the value, so its use in securing the
> authorization token would be lost.
>> With the URI, the Client resolves the address, connects to the service,
> negotiates a secure connection via TLS, and is able to validate the
> server-side X.509 certificate against a trusted root CA (no self-signed
> certs if you are using OAuth!)
>>> Agree, but I don't think that eliminates the value that
> "oauth-authorization-resource-id" provides. The value held by
> "oauth-authorization-resource-id" could be whatever is needed to identify
> the resource to the Authentication Service. In some cases it may be
> "printer-uuid" or "printer-uri" or some unique value provisioned to the
> Printer by the Authentication Service during printer registration. Defining
> "oauth-authorization-resource-id" means we don't have to provide specific
> guidance as to what is provided in the OAuth 2.0 requests that require a
> resource ID to be specified as a parameter.
>> The Client is still free to compare the elements of "printer-uri" with the
> fields in the Printer's X.509 TLS certificate.
>> _______________________________________________
> ipp mailing list
>ipp at pwg.org>https://www.pwg.org/mailman/listinfo/ipp>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221130/3709bfd7/attachment.html>