Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Samuel Erdtman <samuel@erdtman.se> Sun, 30 October 2016 15:28 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B1D129448 for <oauth@ietfa.amsl.com>; Sun, 30 Oct 2016 08:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GaaiTAERCMZ for <oauth@ietfa.amsl.com>; Sun, 30 Oct 2016 08:27:59 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED01127077 for <oauth@ietf.org>; Sun, 30 Oct 2016 08:27:58 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id n67so189310647wme.1 for <oauth@ietf.org>; Sun, 30 Oct 2016 08:27:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CwaOPuQLkYuHDWCGKNI7FLzaHVYA0iCx5PtnYM4IZus=; b=E4wJ0u9wkZWugUaFUbKGsAFZB0lnmLi9/qDEtBvfEe09SoRPfpy8dQPXlNYfxB6L49 DBIgDpKecdRBTuoR1CKsbD2D5UwSWbubiPze4rouTChQr3sbdWhf+xxU12MFtd1LdF+4 5l6ZMChcTWuuSX3qYA05DcaeEezuF8AkCAD6f4SSxVWyczMmw+1TqqeFlguntLI/dLof KSD0V9c7J6o7yK+Ba5cok/MWkrZ8eJCKoH/MRN82r67VtNARp/91NUn/wRYqdfUwZ+eO Dwzz9eH1bg0aap6p6Y+K87wLNym30Ki/bnzTtumdb0KjY9TpkHlWKw3rsTWfpnJ31ZNk PAtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CwaOPuQLkYuHDWCGKNI7FLzaHVYA0iCx5PtnYM4IZus=; b=Zg7gP0BppHOcdllWZbi9v++w6nbZ6+GYnfkPatqY8joP+YM4FCFTdNHimEwnZA3a6I xOqg+UAyXif5JV5oPr6YUNBr0hA7gcQCtbu7bnjaBKAB3Op6m986ju48DZoYEWLrN27o 9WJIqov41UJsZ7LKnM0SlU9zS05NFUbUHledWNzKFMGXWK+FYjl34VpVHNAgF+/18qh5 yh3rZDvWrl6X5kTf1mAlueHlabatDnrY2C3lpTNdGcOlRk7NADQWyzUwRqAMa7s0ioau hxLDm7StYXNjr/8X1BO924j/aARjrGX5q1k2Pet72VP1fs+z7qkkHy3GEWKeGuNdJ66o gIvQ==
X-Gm-Message-State: ABUngvel+YgtR863vIZXr3CZjoZAioRXf7OAm3vjnVx1qbLuAPvB2XZPgXWUYgdIUl61WP7MgTOGp2QIoVtm1g==
X-Received: by 10.28.163.196 with SMTP id m187mr6503131wme.73.1477841277100; Sun, 30 Oct 2016 08:27:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Sun, 30 Oct 2016 08:27:56 -0700 (PDT)
In-Reply-To: <CA+k3eCRXss-4_Cxmi41YAcXHh0VKeHogGT=xNkAo1mU6e5WG1w@mail.gmail.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com> <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com> <CA+k3eCRXss-4_Cxmi41YAcXHh0VKeHogGT=xNkAo1mU6e5WG1w@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 30 Oct 2016 16:27:56 +0100
Message-ID: <CAF2hCbaEi4ntDwbWpTJ4-7_uwunK5WhpsoVLKds87r_s4K7n1w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a114cd9a25b40f9054016bc33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-O6ZFgvI60VjuOTMoxohFJH1cS4>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 15:28:02 -0000

Thanks for the reply Brian,

See inline

On Fri, Oct 28, 2016 at 10:56 PM, Brian Campbell <bcampbell@pingidentity.com
> wrote:

>
> On Thu, Oct 27, 2016 at 12:00 AM, Samuel Erdtman <samuel@erdtman.se>
> wrote:
>
>> I think it is awesome that this document has been written since this is
>> one of the solutions that exists in the wild.
>>
>>
> Thanks. To some extent I was working to codify those existing solutions,
> which is one of the reasons why the specific binding between client and
> certificate is left open ended.
>
>
>
>> However I think that the connection to client (client_id) and certificate
>> could be more clearly specified, at the moment it is exemplified under
>> security considerations. I think there should be text saying that there
>> MUST be a binding and provide the default solution e.g. client_id as
>> subject common name.
>>
>
> I sort of thought the need for connection between client and certificate
> was implicit in the text that is in section 2. But I can work to make the
> language more explicit. As I mentioned in my recent reply to Vladimir, I
> expect client_id as subject common name to be more the exception rather
> than the common case so don't feel it'd be appropriate as a default.
>

I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.

When it comes to the client_id I think subject common name or maybe subject
serial numbers will be the common location, and I think an example would be
valuable.


>
>
>>
>> Further I would prefer if it was not a MUST to include the client_id in
>> the HTTP request since I think there MUST exist a client binding in the
>> certificate. I think there is no need to have it explicitly in the HTTP
>> request. This might not be a problem for Classic OAuth but when adopted for
>> ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
>> we would like to lessen the duplicated information as much as possible.
>>
>
> There needs to be a binding between the client and certificate but that
> doesn't mean the client id will be in the certificate. Having the client id
> explicitly available in the HTTP request allows the AS to easily identify
> the client independently and consistently from the content of the
> certificate or key and allows the AS to not have to index its client
> storage by some other value. It may lead to a small amount of duplicate
> info in some cases but I believe the consistency is worth it.
>

I´m not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.


>
>
>
>>
>>
>>
> //Samuel
>>
>>
>> On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <
>> vladimir@connect2id.com> wrote:
>>
>>> I see. Do you reckon the AS could simply probe the likely cert places
>>> for containing the client_id? My reasoning is that there aren't that
>>> many places where you could stick the client_id (let me know if I'm
>>> wrong). If the AS is in doubt it will respond with invalid_client. I'm
>>> starting to think this can work quite well. No extra meta param will be
>>> needed (of which we have enough already).
>>>
>>> On 22/10/16 01:51, Brian Campbell wrote:
>>> > I did consider something like that but stopped short of putting it in
>>> the
>>> > -00 document. I'm not convinced that some metadata around it would
>>> really
>>> > contribute to interop one way or the other. I also wanted to get the
>>> basic
>>> > concept written down before going too far into the weeds. But I'd be
>>> open
>>> > to adding something along those lines in future revisions, if there's
>>> some
>>> > consensus that it'd be useful.
>>> >
>>> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
>>> vladimir@connect2id.com
>>> >> wrote:
>>> >> Superb, I welcome that!
>>> >>
>>> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
>>> >> client-auth-00#section-5.2 :
>>> >>
>>> >> My concern is that the choice of how to bind the client identity is
>>> left
>>> >> to implementers, and that may eventually become an interop problem.
>>> >> Have you considered some kind of an open ended enumeration of the
>>> possible
>>> >> binding methods, and giving them some identifiers or names, so that
>>> AS /
>>> >> OPs can advertise them in their metadata, and clients register
>>> accordingly?
>>> >>
>>> >> For example:
>>> >>
>>> >> "tls_client_auth_bind_methods_supported" : [
>>> "subject_alt_name_match",
>>> >> "subject_public_key_info_match" ]
>>> >>
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Vladimir
>>> >>
>>> >> On 10/10/16 23:59, John Bradley wrote:
>>> >>
>>> >> At the request of the OpenID Foundation Financial Services API
>>> Working group, Brian Campbell and I have documented
>>> >> mutual TLS client authentication.   This is something that lots of
>>> people do in practice though we have never had a spec for it.
>>> >>
>>> >> The Banks want to use it for some server to server API use cases
>>> being driven by new open banking regulation.
>>> >>
>>> >> The largest thing in the draft is the IANA registration of
>>> “tls_client_auth” Token Endpoint authentication method for use in
>>> Registration and discovery.
>>> >>
>>> >> The trust model is intentionally left open so that you could use a
>>> “common name” and a restricted list of CA or a direct lookup of the subject
>>> public key against a reregistered value,  or something in between.
>>> >>
>>> >> I hope that this is non controversial and the WG can adopt it quickly.
>>> >>
>>> >> Regards
>>> >> John B.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Begin forwarded message:
>>> >>
>>> >> From: internet-drafts@ietf.org
>>> >> Subject: New Version Notification for draft-campbell-oauth-tls-clien
>>> t-auth-00.txt
>>> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
>>> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <
>>> brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <
>>> ve7jtb@ve7jtb.com>
>>> >>
>>> >>
>>> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>> >> has been successfully submitted by John Bradley and posted to the
>>> >> IETF repository.
>>> >>
>>> >> Name:                draft-campbell-oauth-tls-client-auth
>>> >> Revision:    00
>>> >> Title:               Mutual X.509 Transport Layer Security (TLS)
>>> Authentication for OAuth Clients
>>> >> Document date:       2016-10-10
>>> >> Group:               Individual Submission
>>> >> Pages:               5
>>> >> URL:            https://www.ietf.org/internet-
>>> drafts/draft-campbell-oauth-tls-client-auth-00.txt
>>> >> Status:         https://datatracker.ietf.org/
>>> doc/draft-campbell-oauth-tls-client-auth/
>>> >> Htmlized:       https://tools.ietf.org/html/d
>>> raft-campbell-oauth-tls-client-auth-00
>>> >>
>>> >>
>>> >> Abstract:
>>> >>   This document describes X.509 certificates as OAuth client
>>> >>   credentials using Transport Layer Security (TLS) mutual
>>> >>   authentication as a mechanism for client authentication to the
>>> >>   authorization server's token endpoint.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Please note that it may take a couple of minutes from the time of
>>> submission
>>> >> until the htmlized version and diff are available at tools.ietf.org.
>>> >>
>>> >> The IETF Secretariat
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing listOAuth@ietf.orghttps://www.
>>> ietf.org/mailman/listinfo/oauth
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >>
>>> >>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>