Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt

Mike Jones <Michael.Jones@microsoft.com> Wed, 25 November 2015 18:35 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 860681A8BB7 for <oauth@ietfa.amsl.com>; Wed, 25 Nov 2015 10:35:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qk-zIgRT41_u for <oauth@ietfa.amsl.com>; Wed, 25 Nov 2015 10:35:35 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0786.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:786]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 936D51A8AFB for <oauth@ietf.org>; Wed, 25 Nov 2015 10:35:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=0FWItjBWOYPaZ7cHyxEHJkHT1m7puaf0xY9tbL30s0A=; b=QJx3gDn66QGU+bVVvhHpdePyJs0ehDYZra0rsOW6ODO1KXca52vFF6ut45/WdqZoE3DvPRSW0IVX7azwO89KHX36A2EFe7hH4v2suW2EImxe0uKDWy/fsZTYvYkFae7RAsy0CGL2VES2UUFTgZ0vIUwUSz/dJNBJ7gmZQzYsJTc=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.331.20; Wed, 25 Nov 2015 18:35:11 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0331.023; Wed, 25 Nov 2015 18:35:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mit.edu>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt
Thread-Index: AQHRJvN1C1MPuLAu4029awXghHgj7p6rmXeAgAFE84CAAAP7AIAAGU2AgAAFLgCAAAkNgIAABgUAgAACL/w=
Date: Wed, 25 Nov 2015 18:35:10 +0000
Message-ID: <BY2PR03MB442E907EBD01BD6007233D4F5050@BY2PR03MB442.namprd03.prod.outlook.com>
References: <20151124200512.20833.28463.idtracker@ietfa.amsl.com> <F787FB76-5C8D-45F5-8A81-E430E75A0455@oracle.com> <CA+k3eCSeOyc2HMY+sK9rSjxkSAvNPWqwKyJNjDZAaCu2Stqk=w@mail.gmail.com> <16FAD3AC-CFB8-46D5-A12E-436E902EA439@oracle.com> <CA+k3eCT1+=2zysgbaKEmWCkQmsKyjr9KbghgmOVYUSC1qLfjbg@mail.gmail.com> <D8D36156-8BA6-43C5-8016-94A4CAE5FB45@mit.edu> <6015EE15-1FEE-43DC-930C-68ACAEDC083E@oracle.com>, <38555799-721C-4A2F-AAAA-24D9B69EB72E@mit.edu>
In-Reply-To: <38555799-721C-4A2F-AAAA-24D9B69EB72E@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [167.220.63.225]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:5s2zB4MhiUlBQWDYRNEmFwiKmo0H9qw5przYpYsGRD3tjmjnW4UNyl/18z9RPRYYk7KDILZ2qL104BUmeXB2SeivgCg5lCSeYXiSdah9zyyTsoyVfw0c+UJWv2avSIchfuIylo+8sQxK5rJQvB/4ew==; 24:/VfLJvpxwzyYBoc9JUw171sKwvqu85bRgD62dA3jpK1P9IaHYkEPyfJntcrOJuC6YvWACNTAxMnKkNG4k2+ay3vKm23mHZ16hIzdUefaI9c=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <BY2PR03MB4436F5BCFEE444E83DCE2F4F5050@BY2PR03MB443.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(211936372134217)(146099531331640);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(8121501046)(5005006)(520078)(10201501046)(3002001)(61426024)(61427024); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 0771670921
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(24454002)(189002)(377454003)(377424004)(199003)(106356001)(5004730100002)(106116001)(33656002)(86612001)(105586002)(2171001)(19618635001)(230783001)(10090500001)(99286002)(18206015028)(93886004)(122556002)(87936001)(8990500004)(5005710100001)(10290500002)(10400500002)(74316001)(86362001)(5007970100001)(5002640100001)(2900100001)(1220700001)(19273905006)(5003600100002)(15975445007)(2950100001)(19617315012)(77096005)(40100003)(19622755009)(101416001)(50986999)(16236675004)(66066001)(19580395003)(3846002)(102836003)(6116002)(54356999)(586003)(19580405001)(76176999)(97736004)(5001770100001)(11100500001)(15198665003)(5001960100002)(5001920100001)(189998001)(76576001)(5008740100001)(4001150100001)(81156007)(15395725005)(92566002)(7099028)(9984715007)(19622745005)(19625245003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442E907EBD01BD6007233D4F5050BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Nov 2015 18:35:10.8830 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-S7sN8dicI7Hh1LVDx3jemJUiYA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 18:35:47 -0000

Agreed.  We need to clarify that the token need not be signed, as that's a choice that's orthogonal to PoP.

-- Mike
________________________________
From: Justin Richer<mailto:jricher@mit.edu>
Sent: ‎11/‎25/‎2015 10:27 AM
To: Phil Hunt<mailto:phil.hunt@oracle.com>
Cc: <oauth@ietf.org><mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-architecture-06.txt

Right, I read that as text for describing the examples and not for describing requirements.

The token itself doesn’t have to be signed at all.

 — Justin

On Nov 25, 2015, at 1:05 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:

Ok. Well this was requested by Kathleen because of this paragraph in Sec 6.…


   To simplify the subsequent description we assume in the PoP architecture

   that the token itself is digitally signed by the authorization server


   and therefore cannot be modified.


Please
Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

On Nov 25, 2015, at 9:33 AM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:

The token doesn’t have to be signed and the client doesn’t have to verify the signature on the token. That’s not PoP. The request has to be signed in a way that includes the token. The token itself can still be opaque. The *key* material can’t be opaque to the client, but the *token* material still is.

I agree with Brian that this statement is misleading.

The examples use a signed token but that is absolutely not a requirement. Maybe the examples shouldn’t all use one style.

What’s most difficult about this particular spec is that it’s very hand-wavy, saying “this is kinda a thing that kinda works like this” without saying how to actually do it. I’m honestly not sure it’s worth publishing as an RFC in its own right but I’m not going to stand in its way.

 — Justin

On Nov 25, 2015, at 12:14 PM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

Where does it say that?



On Wed, Nov 25, 2015 at 8:44 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
Except that later on we require the token be signed and the client verify that signed token. IOW mutual pop.

Phil

On Nov 25, 2015, at 07:30, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

Looking at the diff I noticed the following new text, which seems to conflate bearer/PoP and opaqueness to the client. A client demonstrating proof-of-possession of some key is orthogonal to the client being able to parse and understand the access token itself.

"In contrast to bearer tokens [RFC6750] which call for tokens that are opaque to OAuth 2.0 clients, this specification defines the requirements for proof-of-possession ("PoP") tokens that may be parsed and verified by OAuth 2.0 clients and relying parties."

On Tue, Nov 24, 2015 at 1:07 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
This draft addresses review comments from Kathleen and Erik raised since the last draft.

It may not include some of the discussion from yesterday/today.  I will add that as the group decides.

Cheers,

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

> On Nov 24, 2015, at 12:05 PM, internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>
>        Title           : OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
>        Authors         : Phil Hunt
>                          Justin Richer
>                          William Mills
>                          Prateek Mishra
>                          Hannes Tschofenig
>       Filename        : draft-ietf-oauth-pop-architecture-06.txt
>       Pages           : 23
>       Date            : 2015-11-24
>
> Abstract:
>   The OAuth 2.0 bearer token specification, as defined in RFC 6750,
>   allows any party in possession of a bearer token (a "bearer") to get
>   access to the associated resources (without demonstrating possession
>   of a cryptographic key).  To prevent misuse, bearer tokens must be
>   protected from disclosure in transit and at rest.
>
>   Some scenarios demand additional security protection whereby a client
>   needs to demonstrate possession of cryptographic keying material when
>   accessing a protected resource.  This document motivates the
>   development of the OAuth 2.0 proof-of-possession security mechanism.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-architecture-06
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org/>g/>.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
[Ping     Identity logo]<https://www.pingidentity.com/>
Brian Campbell
Distinguished Engineer
Ping Identity
@       bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>
[phone] +1 720.317.2061<tel:%2B1%20720.317.2061>
[twitter]       @pingidentity
Connect with us!
<https://www.pingidentity.com/>[pingidentity.com]<https://www.pingidentity.com/>
<https://ping.force.com/Support/PingIdentityCommunityHome>[pingidentity.com]<https://ping.force.com/Support/PingIdentityCommunityHome>
[twitter logo]<http://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm> [twitter logo] <https://twitter.com/pingidentity>  [youtube logo] <https://www.youtube.com/user/PingIdentityTV>  [LinkedIn logo] <https://www.linkedin.com/company/21870>  [Facebook logo] <https://www.facebook.com/pingidentitypage>  [Google+ logo] <https://plus.google.com/u/0/114266977739397708540>  [slideshare logo] <http://www.slideshare.net/PingIdentity>  [flipboard logo] <http://flip.it/vjBF7>  [rss feed icon] <https://www.pingidentity.com/blogs/>




--
[Ping     Identity logo]<https://www.pingidentity.com/>
Brian Campbell
Distinguished Engineer
Ping Identity
@       bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>
[phone] +1 720.317.2061
[twitter]       @pingidentity
Connect with us!
<https://www.pingidentity.com/>[pingidentity.com]<https://www.pingidentity.com/>
<https://ping.force.com/Support/PingIdentityCommunityHome>[pingidentity.com]<https://ping.force.com/Support/PingIdentityCommunityHome>
[twitter logo]<http://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm> [twitter logo] <https://twitter.com/pingidentity>  [youtube logo] <https://www.youtube.com/user/PingIdentityTV>  [LinkedIn logo] <https://www.linkedin.com/company/21870>  [Facebook logo] <https://www.facebook.com/pingidentitypage>  [Google+ logo] <https://plus.google.com/u/0/114266977739397708540>  [slideshare logo] <http://www.slideshare.net/PingIdentity>  [flipboard logo] <http://flip.it/vjBF7>  [rss feed icon] <https://www.pingidentity.com/blogs/>

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth