Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

John Bradley <ve7jtb@ve7jtb.com> Fri, 24 February 2017 23:51 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com>
Date: Fri, 24 Feb 2017 20:51:09 -0300
In-Reply-To: <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-bFU8SXdwUvuJXoPYJsefz_vhaY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

The European banks are interested in mutual TLS for server to server connections as part of PSD2/Open Banking.

They have been thinking that they would have a central CA and directly use CA certificates for all the legs.

I sent them this to get them thinking that they could perhaps secure the token endpoint with cert based mutual TLS but allow clients to specify their own keys for access tokens to make key rotation and deployment easier.

I was also thinking that they could protect a jwks_uri with the CA certificate using OCSP stapling and then use mutual TLS to the token endpoint based on keyid and/or fingerprint, allowing for rotation of keys to the token endpoint and better support for clusters with multiple keys.

I don’t think this has much interest outside of some verticals like financials.

John B.
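The split John sketches above (the client brings its own key, the authorization server binds the access token to it, the resource server checks that the presenter holds that key, and the key is resolvable by key id through a jwks_uri so it can be rotated) as an added illustration in stdlib Python; this is not code from the draft or from the thread. It assumes the token's own signature is verified elsewhere, simulates the jwks_uri with an in-memory JWKS document, and uses JWK keys plus the RFC 7800 `cnf` claim and RFC 7638 thumbprints rather than X.509 certificates; the key material is constructed and not real curve points.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members
# only, so 'kid', 'use' or a private 'd' never change the identity of the key.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}

def jwk_thumbprint(jwk: dict) -> str:
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def public_jwk(jwk: dict) -> dict:
    return {k: v for k, v in jwk.items() if k != "d"}  # never copy the private part

# Authorization server side: bind the access token to the key the client
# supplied, via the RFC 7800 'cnf' claim, either by value ('jwk') or by 'kid'.
def issue_pop_token(claims: dict, client_jwk: dict, by_reference: bool) -> dict:
    cnf = {"kid": client_jwk["kid"]} if by_reference else {"jwk": public_jwk(client_jwk)}
    return {**claims, "cnf": cnf}

# Resource server side (token signature assumed verified elsewhere): the key the
# client proves possession of must be the key the token was bound to.
def verify_binding(token: dict, presented_jwk: dict, jwks: dict) -> bool:
    cnf = token.get("cnf", {})
    if "jwk" in cnf:
        expected = cnf["jwk"]
    elif "kid" in cnf:
        matches = [k for k in jwks["keys"] if k.get("kid") == cnf["kid"]]
        if len(matches) != 1:
            return False  # unknown or rotated-out kid: reject, never fall back to bearer
        expected = matches[0]
    else:
        return False  # no 'cnf': a plain bearer token, nothing to bind to
    return jwk_thumbprint(expected) == jwk_thumbprint(presented_jwk)

# Constructed sample keys: coordinates are placeholders, not real P-256 points.
CURRENT_KEY = {"kty": "EC", "crv": "P-256", "kid": "client-2017-02",
               "x": "CONSTRUCTED_X_2017", "y": "CONSTRUCTED_Y_2017", "d": "CONSTRUCTED_D_2017"}
RETIRED_KEY = {"kty": "EC", "crv": "P-256", "kid": "client-2016-11",
               "x": "CONSTRUCTED_X_2016", "y": "CONSTRUCTED_Y_2016", "d": "CONSTRUCTED_D_2016"}
CLIENT_JWKS = {"keys": [public_jwk(CURRENT_KEY)]}  # jwks_uri content after rotation
CLAIMS = {"iss": "https://as.example", "sub": "client-42", "aud": "https://rs.example"}
```

A token bound by `kid` to the retired key fails once the jwks_uri no longer lists it, which is the rotation behaviour the message is after; a token with no `cnf` at all is rejected by the binding check rather than silently accepted as bearer.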
> On Feb 24, 2017, at 8:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> I have been wondering about that myself. Interest seems to have waned with the TOKBIND work emerging. Maybe I am wrong about that?
> 
> Phil
> 
> Oracle Corporation, Identity Cloud Services & Identity Standards
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>> On Feb 24, 2017, at 1:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>> I updated the references but haven't made any other changes.
>> 
>> I had some questions about it so thought it was worth keeping alive at least for discussion.
>> 
>> There have been some other questions and proposed changes.
>> 
>> I will take a look through them and see what may be worth updating.
>> 
>> John B.
>> 
>>> Begin forwarded message:
>>> 
>>> From: internet-drafts@ietf.org
>>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
>>> Date: February 24, 2017 at 6:55:25 PM GMT-3
>>> To: i-d-announce@ietf.org
>>> Cc: oauth@ietf.org
>>> 
>>> 
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Web Authorization Protocol of the IETF.
>>> 
>>>   Title           : OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution
>>>   Authors         : John Bradley
>>>                     Phil Hunt
>>>                     Michael B. Jones
>>>                     Hannes Tschofenig
>>>   Filename        : draft-ietf-oauth-pop-key-distribution-03.txt
>>>   Pages           : 18
>>>   Date            : 2017-02-24
>>> 
>>> Abstract:
>>>   RFC 6750 specified the bearer token concept for securing access to
>>>   protected resources.  Bearer tokens need to be protected in transit
>>>   as well as at rest.  When a client requests access to a protected
>>>   resource it hands-over the bearer token to the resource server.
>>> 
>>>   The OAuth 2.0 Proof-of-Possession security concept extends bearer
>>>   token security and requires the client to demonstrate possession of a
>>>   key when accessing a protected resource.
>>> 
>>>   This document describes how the client obtains this keying material
>>>   from the authorization server.
>>> 
>>> 
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
>>> 
>>> There's also a htmlized version available at:
>>> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03
>>> 
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-key-distribution-03
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth