Internet-Draft IPSIE Common Requirements June 2025
Saxe Expires 1 January 2026 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-saxe-ipsie-common-requirements-profile-latest
Published:
Intended Status:
Informational
Expires:
Author:
D. H. Saxe
Full Frontal Nerdity Industries

IPSIE Common Requirements Profile

Abstract

The IPSIE Common Requirements Profile is a profile of multiple common security requirements that are applicable to all IPSIE levels (SL* and IL*) and protocols. These common requirements are intended to meet the security and interoperability requirements of enterprise using one or more IPSIE profiles.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://deansaxe.github.io/ipsie-common/draft-saxe-ipsie-common-requirements-profile.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-saxe-ipsie-common-requirements-profile/.

Source for this draft and an issue tracker can be found at https://github.com/deansaxe/draft-saxe-ipsie-common-requirements-profile.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 1 January 2026.

Table of Contents

1. Introduction

TODO Introduction to the common requirements

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Profile

3.1. Security Controls

(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/72) All IPSIE compliant identity providers and applications SHOULD implement a security controls program, such as NIST SP800-53, FEDRAMP, or other relevant program. The program SHOULD identify how personal attributes of users are stored at rest by the provider, whether an identity provider or application. This program and its controls SHOULD be documented and made available to relevant parties in an IPSIE compliant federation.

3.2. Network Layer Requirements

3.2.1. Requirements for all endpoints

To protect against network attacks, clients, authorization servers, and resource servers

  • MUST only offer TLS protected endpoints and MUST establish connections to other servers using TLS;

  • MUST set up TLS connections using TLS version 1.2 or later;

  • MUST follow the recommendations for Secure Use of Transport Layer Security in [BCP195];

  • SHOULD use DNSSEC to protect against DNS spoofing attacks that can lead to the issuance of rogue domain-validated TLS certificates; and

  • MUST perform a TLS server certificate check, as per [RFC9525].

3.2.2. Requirements for endpoints not used by web browsers

For server-to-server communication endpoints that are not used by web browsers, the following requirements apply:

  • When using TLS 1.2, servers MUST only permit the cipher suites recommended in [BCP195];

  • When using TLS 1.2, clients SHOULD only permit the cipher suites recommended in [BCP195].

3.2.3. Requirements for endpoints used by web browsers

For endpoints that are used by web browsers, the following additional requirements apply:

  • Servers MUST use methods to ensure that connections cannot be downgraded using TLS stripping attacks. A preloaded [preload] HTTP Strict Transport Security policy [RFC6797] can be used for this purpose. Some top-level domains, like .bank and .insurance, have set such a policy and therefore protect all second-level domains below them.

  • When using TLS 1.2, servers MUST only use cipher suites allowed in [BCP195].

  • Servers MUST NOT support [CORS] for the authorization endpoint, as clients must perform an HTTP redirect rather than access this endpoint directly.

3.3. Cryptography and Secrets

The following requirements apply to cryptographic operations and secrets:

  • Authorization servers, clients, and resource servers when creating or processing JWTs:

    • MUST adhere to [RFC8725];

    • MUST use PS256, ES256, or EdDSA (using the Ed25519 variant) algorithms; and

    • MUST NOT use or accept the none algorithm.

  • RSA keys MUST have a minimum length of 2048 bits.

  • Elliptic curve keys MUST have a minimum length of 224 bits.

  • Credentials not intended for handling by end-users (e.g., access tokens, refresh tokens, authorization codes, etc.) MUST be created with at least 128 bits of entropy such that an attacker correctly guessing the value is computationally infeasible (Section 10.10 of [RFC6749]).

3.4. Federation

IPSIE federation protocols are designed to be compliant with many of the technical controls defined in [NIST.FAL] at FAL2. The following federation requirements are derived from the FAL2 requirements and apply to all federation protocol profiles developed by the IPSIE WG.

(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/77 and https://github.com/openid/ipsie/issues/81) * Identity providers and applications SHALL minimize account attribute disclosures to those required for business operations. * Personally identifiable information SHOULD be minimized, except where required to support necessary business functions, e.g. human resources, hiring. * Additional restrictions on attribute disclosure MAY be implemented through business agreements. These business agreements are out of scope for IPSIE.

(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/78) * Account linking as defined in Section 3.7.1 of [NIST.FAL] MAY be supported by RPs. * RPs MUST disable account linking by default. * RPs that allow account linking MUST follow the requirements of [NIST.FAL].

(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/80) * Alternative authentication mechanisms that bypass federated authentication MAY be supported by IPSIE compliant applications at all SL levels. These mechanisms are commonly known as "break-glass" accounts. * These mechanisms MUST be disabled by default and MAY be enabled on an individual user basis. The mechanism of enablement is not specified by IPSIE. * Alternative authentication mechanisms MUST meet the minimum requirements of IPSIE authentication, including the use of multifactor authentication. Phishing resistant authentication is RECOMMENDED. * Alterntive authentication mechanisms MUST be disabled through an identity provisioning protocol when the user's account is disabled or deleted from the application to prevent access to the account.

(to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/81 and https://github.com/openid/ipsie/issues/75) * Encryption of assertions passed through the front or back channel MUST be offered by identity providers and MAY be used by applications. * Pairwise identifiers to prevent correlation of the user's activities across multiple RPs MUST be offered by identity providers and MAY be used by applications.

  • (to be removed later: note the following bullets are related to https://github.com/openid/ipsie/issues/93)

  • Subject identifiers may not be globally unique in the absence of additional information. To ensure subject identifier uniqueness RP's MUST use both the subject identifier and a tenant identifier to create globally unique subjects that are bound to the tenant.

  • (to be removed later: note the following bullet is related to https://github.com/openid/ipsie/issues/94)

  • All federation transactions MUST originate from the RP. Federation requests SHALL NOT originate from the IdP.

4. Security Considerations

TODO Security * Alternative authN mechanisms security risks

5. IANA Considerations

This document has no IANA actions.

6. Normative References

[BCP195]
Best Current Practice 195, <https://www.rfc-editor.org/info/bcp195>.
At the time of writing, this BCP comprises the following:
Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, , <https://www.rfc-editor.org/info/rfc8996>.
Sheffer, Y., Saint-Andre, P., and T. Fossati, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, , <https://www.rfc-editor.org/info/rfc9325>.
[NIST.FAL]
"NIST SP 800-63 Digital Identity Guidelines Federation Assurance Level (FAL)", , <https://pages.nist.gov/800-63-4/sp800-63c/fal/>.
[OpenID]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", , <https://openid.net/specs/openid-connect-core-1_0.html>.
[OpenID.Discovery]
Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID Connect Discovery 1.0 incorporating errata set 2", , <https://openid.net/specs/openid-connect-discovery-1_0.html>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/rfc/rfc6749>.
[RFC6750]
Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, , <https://www.rfc-editor.org/rfc/rfc6750>.
[RFC6797]
Hodges, J., Jackson, C., and A. Barth, "HTTP Strict Transport Security (HSTS)", RFC 6797, DOI 10.17487/RFC6797, , <https://www.rfc-editor.org/rfc/rfc6797>.
[RFC7636]
Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key for Code Exchange by OAuth Public Clients", RFC 7636, DOI 10.17487/RFC7636, , <https://www.rfc-editor.org/rfc/rfc7636>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8252]
Denniss, W. and J. Bradley, "OAuth 2.0 for Native Apps", BCP 212, RFC 8252, DOI 10.17487/RFC8252, , <https://www.rfc-editor.org/rfc/rfc8252>.
[RFC8414]
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, , <https://www.rfc-editor.org/rfc/rfc8414>.
[RFC8725]
Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, , <https://www.rfc-editor.org/rfc/rfc8725>.
[RFC9126]
Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, , <https://www.rfc-editor.org/rfc/rfc9126>.
[RFC9207]
Meyer zu Selhausen, K. and D. Fett, "OAuth 2.0 Authorization Server Issuer Identification", RFC 9207, DOI 10.17487/RFC9207, , <https://www.rfc-editor.org/rfc/rfc9207>.
[RFC9449]
Fett, D., Campbell, B., Bradley, J., Lodderstedt, T., Jones, M., and D. Waite, "OAuth 2.0 Demonstrating Proof of Possession (DPoP)", RFC 9449, DOI 10.17487/RFC9449, , <https://www.rfc-editor.org/rfc/rfc9449>.
[RFC9525]
Saint-Andre, P. and R. Salz, "Service Identity in TLS", RFC 9525, DOI 10.17487/RFC9525, , <https://www.rfc-editor.org/rfc/rfc9525>.
[RFC9700]
Lodderstedt, T., Bradley, J., Labunets, A., and D. Fett, "Best Current Practice for OAuth 2.0 Security", BCP 240, RFC 9700, DOI 10.17487/RFC9700, , <https://www.rfc-editor.org/rfc/rfc9700>.

Appendix A. Notices

Copyright (c) 2025 The OpenID Foundation.

The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft, Final Specification, or Final Specification Incorporating Errata Corrections solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts, Final Specifications, and Final Specification Incorporating Errata Corrections based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.

The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy (found at openid.net) requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. OpenID invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

Appendix B. Document History

[[ To be removed from the final specification ]]

-00

Acknowledgments

TODO acknowledge Aaron Parecki for his initial documentation of the Network Layer Requirements and Cryptography and Secrets from the IPSIE SL1 OIDC profile draft.

Author's Address

Dean H. Saxe
Full Frontal Nerdity Industries