Re: [OAUTH-WG] MTLS vs. DPOP

George Fletcher <gffletch@aol.com> Tue, 07 May 2019 14:13 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com>
Date: Tue, 07 May 2019 10:12:54 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0bMSVplQdu_3pmIBmZyiw99G0F8>

I don't see them the same at all. With MTLS, the token is bound to the 
transport layer (and the key used to establish that encrypted 
connection). With DPOP, the token is bound to the private key known to 
the client.

To compromise an MTLS bound token the attacker has to compromise the 
private key. To compromise a DPOP bound token, depending on what HTTP 
request elements are signed, and whether the DPOP is managed as 
one-time-use etc, there are additional attacks. (Ducks head and waits 
for all the real security experts to prove me wrong:)

The deployment models are also different. With MTLS bound tokens the 
clients don't really have to know about the binding because it is 
established at the AS and the deployment of the service manages the cert 
used for the MTLS connection. This is simpler for client development 
(provided the environment is already set up for MTLS everywhere).

I'd strongly encourage us to continue supporting both methods.

On 5/7/19 4:25 AM, Hannes Tschofenig wrote:
>
> Hi all,
>
> In the OAuth conference call today Vittorio mentioned that some folks 
> are wondering whether DPOP is essentially a superset of MTLS and 
> whether it makes sense to only proceed with one solution rather than 
> potentially two.
>
> I was wondering whether others in the group have a view about this aspect?
>
> Ciao
>
> Hannes
>
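The point George makes about DPoP-bound tokens (the extra attacks depend on which request elements the proof signs and whether each proof is single-use) is easiest to see in the resource server's verification logic. The Go program below is an added example, not code from this thread or from either draft; it assumes an ES256 proof carrying jti, htm, htu and iat, an assumed 60-second acceptance window with 5 seconds of forward clock skew, and a caller-supplied replay cache of jti values so a captured proof cannot be presented a second time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64, header = base64.RawURLEncoding, base64.RawURLEncoding.EncodeToString([]byte(`{"typ":"dpop+jwt","alg":"ES256"}`))

// NewKey creates the client's P-256 key pair; the access token is bound to its public half.
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// SignProof is the client side: a compact JWS over jti, htm, htu, iat with an ES256 (r||s) signature.
func SignProof(key *ecdsa.PrivateKey, jti, htm, htu string, iat int64) string {
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": iat})
	input := header + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, h[:])
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// Verify is the resource server side: signature under the key bound to the token, htm/htu request binding,
// freshness window and one-time use of jti (seen is the replay cache and must be shared across calls).
func Verify(pub *ecdsa.PublicKey, seen map[string]bool, proof, method, uri string, now int64) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || parts[0] != header { // a fixed header also rejects alg=none or a swapped alg
		return errors.New("malformed proof or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("not signed by the key bound to the token")
	}
	var p struct{ JTI, HTM, HTU string; IAT int64 } // encoding/json matches claim names case-insensitively
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &p) != nil {
		return errors.New("bad payload")
	}
	switch { // assumed acceptance window: 60s back, 5s forward clock skew
	case p.HTM != method || p.HTU != uri:
		return errors.New("proof bound to a different request")
	case p.IAT > now+5 || now-p.IAT > 60:
		return errors.New("proof outside acceptance window")
	case seen[p.JTI]:
		return errors.New("replayed jti")
	}
	seen[p.JTI] = true
	return nil
}
```

Without the htm/htu checks a proof captured on one endpoint would be accepted on another, and without the jti cache the same proof could be replayed within the window; both are the "additional attacks" that an MTLS binding does not have to reason about.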