IETF Logo Mail Archive

[OAUTH-WG] Mail regarding draft-ietf-oauth-mtls

Evan Gilman <evan2645@gmail.com> Mon, 05 November 2018 22:52 UTC

Return-Path: <evan2645@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8499A130EE5 for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 14:52:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xCU8FyCPGy4z for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 14:52:41 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE927130DC0 for <oauth@ietf.org>; Mon, 5 Nov 2018 14:52:40 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id o89so17414387qko.0 for <oauth@ietf.org>; Mon, 05 Nov 2018 14:52:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=6Fel55uaP+MyNcg9JtitajxQYqg69IqbTVXc1WOFZUg=; b=X89btyPcroi5LYHQzTJvfrIdLx8AHvnUk0yjPtbqwNWZceoIWFH/x7flTaqCznmBBT /8ab6duGubQ23IAdxDq3Zn47+nRDwR24nYFz7DXn2kR/soP38rsedBd3rzususgQjFbK DoCNToET6uadM7KHuWAabUTYGh4DHNUAQwWi3fy/Xr9lNSacLs/k/F4CgTUfVE9LkeY5 r3GIREXtineIwM6OI7qGV6P9nMiXvKc3oUk60NiKkdtLYzJMCQglhcdr7xblsryxeWQa V1Uf3eXBUvWp8ZzmigPmNJZ3xVN0R8QOkr+Sz0vdtc0nNg0gW87ksnvtHUaGqzOjmrRi CCPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6Fel55uaP+MyNcg9JtitajxQYqg69IqbTVXc1WOFZUg=; b=MZabk0Rm+b+vzSHQ+coN7k6fIjxRIQWaqdBibi4MGIy+/BLn7pOrj0Jpj4x4YomDMM heUfmr2DrV1TlJZmSGNbBu5lnssPY4fA3hdYIk7oUgTy/SijSJdZn23n4BcdwsDe35on rqrdTk077YjGXhXRVj3o+zx3qjlC7yA4Aq4Tl//9s6zD6WQTpbA5+sy2jZFzn6g+JxNC dcoeqA1WrbTxLkpwH1FxAJlqaKHb2s0rlTnp42qgI/zBi+ZSbUuGgLrpNZ0NlBfFpB37 Vxky3EqpzE7jcYeTQQet6s0VW+0xRXWtdm+64XurB1Wgkr0wlwKDiGQRDf41DFya+ht+ 5w/A==
X-Gm-Message-State: AGRZ1gJQXtSCmLaZjabxqG8/LpD+XuJWHTQnIvm+jQU95aH4akTMsj5d /KxfBsECUHBRlc7LrEd7SI/uDrPxhsHh1q7+Fx00I3D8
X-Google-Smtp-Source: AJdET5fqiF/qEu2mLG0bdfdfq+tYDF/n8JYWvtIEVWqlKaWhDDlf1n6ujM2ISfvecZjIhgHGC7ezgi/c69GDdUfMQlI=
X-Received: by 2002:a37:c12:: with SMTP id 18mr21898306qkm.317.1541458359440; Mon, 05 Nov 2018 14:52:39 -0800 (PST)
MIME-Version: 1.0
From: Evan Gilman <evan2645@gmail.com>
Date: Mon, 05 Nov 2018 14:52:28 -0800
Message-ID: <CAL841A_29YGLC-LtQcj1Mw15skys59V0DvDmyOpDS6V+x1LxWw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0TwOC2AC5QXFB6RBMXCUHK_tXJw>
Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 22:52:49 -0000

Hello everyone.

Very excited to see this draft. It helps tremendously in addressing
use cases around oauth client management in machine-to-machine
scenarios. Particularly, the PKI authentication method.

In reviewing the document, I noticed that the only supported method
for identifying a client using the PKI authentication method is by
referencing its distinguished name. This caught me a bit by surprise -
many newer projects aimed at automating X.509 issuance in the
datacenter utilize SAN extensions rather than distinguished name in
order to encode identity. I am further under the impression that the
community is, in general, moving away from the subject extension
altogether in favor of SAN-based identification.

Full disclosure: I am one of the maintainers on a project called
SPIFFE, which provides identity specifications for datacenter workload
applications. For X.509, SPIFFE encodes identity into a URI SAN
extension. A number of projects using SPIFFE do not configure the
subject with identifying information (SPIRE and Google Istio being
just a couple). I am also hearing of other X.509 automation projects
which are moving away from subject/distinguished name (even if they
are not using SPIFFE).

While I think support for distinguished name is absolutely necessary,
I worry that supporting it solely will render it incompatible with
some of the more modern PKIX systems and not stand the test of time. I
know that I am a little late to this, and for that I apologize... but
I feel this is a significant point.

I would like to open a discussion on supporting the most commonly used
SAN extension types in addition to distinguished name. To accomplish
this, amending section 2.1.2 `Client Registration Metadata` with
additional parameters seems appropriate. In my experience, the most
commonly used SAN extensions are: DNS name, IP address, URI, and email
address.

Are there significant drawbacks to extending the number of client
registration metadata parameters? I would very much like to see this -
without it, many existing projects will be unable to use the spec. I
am happy to contribute time and text to this, assuming people feel
that this is a beneficial addition. Sorry again for the timing

-- 
evan

v2.23.0 | Report a Bug | By Email