[OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
Evan Gilman <evan2645@gmail.com> Mon, 05 November 2018 22:52 UTC
Return-Path: <evan2645@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8499A130EE5 for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 14:52:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xCU8FyCPGy4z for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 14:52:41 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE927130DC0 for <oauth@ietf.org>; Mon, 5 Nov 2018 14:52:40 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id o89so17414387qko.0 for <oauth@ietf.org>; Mon, 05 Nov 2018 14:52:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=6Fel55uaP+MyNcg9JtitajxQYqg69IqbTVXc1WOFZUg=; b=X89btyPcroi5LYHQzTJvfrIdLx8AHvnUk0yjPtbqwNWZceoIWFH/x7flTaqCznmBBT /8ab6duGubQ23IAdxDq3Zn47+nRDwR24nYFz7DXn2kR/soP38rsedBd3rzususgQjFbK DoCNToET6uadM7KHuWAabUTYGh4DHNUAQwWi3fy/Xr9lNSacLs/k/F4CgTUfVE9LkeY5 r3GIREXtineIwM6OI7qGV6P9nMiXvKc3oUk60NiKkdtLYzJMCQglhcdr7xblsryxeWQa V1Uf3eXBUvWp8ZzmigPmNJZ3xVN0R8QOkr+Sz0vdtc0nNg0gW87ksnvtHUaGqzOjmrRi CCPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6Fel55uaP+MyNcg9JtitajxQYqg69IqbTVXc1WOFZUg=; b=MZabk0Rm+b+vzSHQ+coN7k6fIjxRIQWaqdBibi4MGIy+/BLn7pOrj0Jpj4x4YomDMM heUfmr2DrV1TlJZmSGNbBu5lnssPY4fA3hdYIk7oUgTy/SijSJdZn23n4BcdwsDe35on rqrdTk077YjGXhXRVj3o+zx3qjlC7yA4Aq4Tl//9s6zD6WQTpbA5+sy2jZFzn6g+JxNC dcoeqA1WrbTxLkpwH1FxAJlqaKHb2s0rlTnp42qgI/zBi+ZSbUuGgLrpNZ0NlBfFpB37 Vxky3EqpzE7jcYeTQQet6s0VW+0xRXWtdm+64XurB1Wgkr0wlwKDiGQRDf41DFya+ht+ 5w/A==
X-Gm-Message-State: AGRZ1gJQXtSCmLaZjabxqG8/LpD+XuJWHTQnIvm+jQU95aH4akTMsj5d /KxfBsECUHBRlc7LrEd7SI/uDrPxhsHh1q7+Fx00I3D8
X-Google-Smtp-Source: AJdET5fqiF/qEu2mLG0bdfdfq+tYDF/n8JYWvtIEVWqlKaWhDDlf1n6ujM2ISfvecZjIhgHGC7ezgi/c69GDdUfMQlI=
X-Received: by 2002:a37:c12:: with SMTP id 18mr21898306qkm.317.1541458359440; Mon, 05 Nov 2018 14:52:39 -0800 (PST)
MIME-Version: 1.0
From: Evan Gilman <evan2645@gmail.com>
Date: Mon, 05 Nov 2018 14:52:28 -0800
Message-ID: <CAL841A_29YGLC-LtQcj1Mw15skys59V0DvDmyOpDS6V+x1LxWw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0TwOC2AC5QXFB6RBMXCUHK_tXJw>
Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 22:52:49 -0000
Hello everyone. Very excited to see this draft. It helps tremendously in addressing use cases around oauth client management in machine-to-machine scenarios. Particularly, the PKI authentication method. In reviewing the document, I noticed that the only supported method for identifying a client using the PKI authentication method is by referencing its distinguished name. This caught me a bit by surprise - many newer projects aimed at automating X.509 issuance in the datacenter utilize SAN extensions rather than distinguished name in order to encode identity. I am further under the impression that the community is, in general, moving away from the subject extension altogether in favor of SAN-based identification. Full disclosure: I am one of the maintainers on a project called SPIFFE, which provides identity specifications for datacenter workload applications. For X.509, SPIFFE encodes identity into a URI SAN extension. A number of projects using SPIFFE do not configure the subject with identifying information (SPIRE and Google Istio being just a couple). I am also hearing of other X.509 automation projects which are moving away from subject/distinguished name (even if they are not using SPIFFE). While I think support for distinguished name is absolutely necessary, I worry that supporting it solely will render it incompatible with some of the more modern PKIX systems and not stand the test of time. I know that I am a little late to this, and for that I apologize... but I feel this is a significant point. I would like to open a discussion on supporting the most commonly used SAN extension types in addition to distinguished name. To accomplish this, amending section 2.1.2 `Client Registration Metadata` with additional parameters seems appropriate. In my experience, the most commonly used SAN extensions are: DNS name, IP address, URI, and email address. Are there significant drawbacks to extending the number of client registration metadata parameters? I would very much like to see this - without it, many existing projects will be unable to use the spec. I am happy to contribute time and text to this, assuming people feel that this is a beneficial addition. Sorry again for the timing -- evan
- [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Neil Madden
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Justin P Richer
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Torsten Lodderstedt
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Torsten Lodderstedt
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell