Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
toshio9.ito@toshiba.co.jp Wed, 09 September 2020 07:19 UTC
Return-Path: <toshio9.ito@toshiba.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 794F53A0C17 for <oauth@ietfa.amsl.com>; Wed, 9 Sep 2020 00:19:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zpz6lBjK2zI4 for <oauth@ietfa.amsl.com>; Wed, 9 Sep 2020 00:19:48 -0700 (PDT)
Received: from mo-csw.securemx.jp (mo-csw1514.securemx.jp [210.130.202.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF2843A0FD5 for <oauth@ietf.org>; Wed, 9 Sep 2020 00:19:47 -0700 (PDT)
Received: by mo-csw.securemx.jp (mx-mo-csw1514) id 0897Jhj4028223; Wed, 9 Sep 2020 16:19:43 +0900
X-Iguazu-Qid: 34tKBCMUDnwS8oMnFs
X-Iguazu-QSIG: v=2; s=0; t=1599635982; q=34tKBCMUDnwS8oMnFs; m=DlyHjsqSW4amoQH1VuJfBULNRHl8S6vh5ANnLialttE=
Received: from imx2.toshiba.co.jp (imx2.toshiba.co.jp [106.186.93.51]) by relay.securemx.jp (mx-mr1512) id 0897JfFp009279; Wed, 9 Sep 2020 16:19:41 +0900
Received: from enc03.toshiba.co.jp ([106.186.93.13]) by imx2.toshiba.co.jp with ESMTP id 0897Jf43025338; Wed, 9 Sep 2020 16:19:41 +0900 (JST)
Received: from hop001.toshiba.co.jp ([133.199.164.63]) by enc03.toshiba.co.jp with ESMTP id 0897JeeG031318; Wed, 9 Sep 2020 16:19:41 +0900
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DtOA7WmokxqE6/9Fr88Sy2BZOnoeUQoeZ75BY5w66Cj3uedLPOFvsLFGMN3LbrNP2HNYyuX3ULCiOUW1yi4QwYMub+Tpk0ooO++cF7oXnNhiLwDGlQ8YubZlfulI4AQgPFdA/NTxpXGcyRZZ3hX76gTKcvYiXQo+QLFcaAsO8Sa+zcegkPXOi7EMrMoF7dhdRyC/ZHFCqJzi3q00vuY6NkYzRZzryxpHxGA++bhACZyqfqIQ17kncTXwBh2kJbjfYr7QuH7hrF5usX4MMA0go0txwoX2uOwsX6tbmoQD3GBe9BSUEK+jj+fGcWcBFr7QNHsF5ziG6HjN7G5NbKMsEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Yu1UBFmwtY+x4v8Iip64bjIhHKcMhvbkE16QemitGSk=; b=Px/RC8eJCQx/cAvmiwDZmqTO5EQPsxwvKcju5u1De0uFz4f+rtH2r8Zq3ZK7e6CiqYA3A+QE4n7rBUWdno8ydicRl6z5g9SmX7IMuaBn3N9SrsIaPC35uqhLRoRhCeRaYLV1A1vsw8xQDFYUveDYVpwjxcjUGQvS/1Jn76w/0lRWMtK9SyUNk5x3ml25hem3hx5D9Yu4JQddvD3hlsAr1em+NV8TcEeZNC0BcxPu2A2aSew5nnHv9O6/kCho8A89pqZ71vtoJfJYXelXmHjOdg8EXxxmG9dZyFqfaEN4x1/1cXCMo11BsA8L/KDFwS58MVUitt8yzRe05WaS+nkrHw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=toshiba.co.jp; dmarc=pass action=none header.from=toshiba.co.jp; dkim=pass header.d=toshiba.co.jp; arc=none
From: toshio9.ito@toshiba.co.jp
To: taka@authlete.com
CC: oauth@ietf.org
Thread-Topic: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
Thread-Index: AdaFwiWCFexiV/DnR8eDAlJqPzgDigAKXM0AACN2GPA=
Date: Wed, 09 Sep 2020 07:19:29 +0000
X-TSB-HOP: ON
Message-ID: <TY1PR01MB14661A247A92B995E954C13BE5260@TY1PR01MB1466.jpnprd01.prod.outlook.com>
References: <TY1PR01MB1466E7D4AF21EA5C56467E6AE5290@TY1PR01MB1466.jpnprd01.prod.outlook.com> <CAHdPCmNg7AUE9tXoBWCUHg5wxUHwnvsdOMMS7owcjVP2hrUpMw@mail.gmail.com>
In-Reply-To: <CAHdPCmNg7AUE9tXoBWCUHg5wxUHwnvsdOMMS7owcjVP2hrUpMw@mail.gmail.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
authentication-results: authlete.com; dkim=none (message not signed) header.d=none; authlete.com; dmarc=none action=none header.from=toshiba.co.jp;
x-originating-ip: [103.91.184.4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6e9b9e71-5349-4e58-ff50-08d85490b0cf
x-ms-traffictypediagnostic: TY2PR01MB2684:
x-microsoft-antispam-prvs: <TY2PR01MB26846F2417F323F8ACAFF488E5260@TY2PR01MB2684.jpnprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZYrjoqyy5NBM1wt9XhmkSppDKms/p5d7JoT0vUPB1/NXgwVz+YlPcpo8vwh0m19UQK/oiFhKQr4vZLT20UbBDt31M8kKKtrt3hhyHTJ6kLRhu+gXsBg5UZ0lD4Rh19k5XEn132J8A6uC3OkD++A7vRnBGQsUbW1F4tvJs9Bv+H7pzvGV7GK+9mOEjvdykwA4TcYTjjxDFOFV9UoiCZgyQzV5WCRAii15oZVp1k2/yBTGFmUFgBPlnOxhvDEU++wmqmb+Y+1PRyOmlvoI+DyGXS2IPeWbRsA2/aayyZbDvYTYjf08bRNpVIDoJtnrKyE40SqCSN+ax4NU57UYesTiI8/tNY9+icm5QVPtrZvAaTe8r0P4JOFyc287JX5qm9zzJYZlz3tqckbs2agDHvoFtg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:TY1PR01MB1466.jpnprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(366004)(396003)(136003)(346002)(376002)(66446008)(186003)(52536014)(966005)(166002)(86362001)(478600001)(71200400001)(6916009)(55016002)(2906002)(64756008)(9686003)(66556008)(76116006)(66476007)(66946007)(5660300002)(33656002)(83380400001)(316002)(8936002)(8676002)(53546011)(26005)(4326008)(6506007)(7696005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: N8VtodZIv4OQGNiSgzNrBBG7wPzqAbLwQoTSnwK3pan6W52hh92KgZJhhsdY5muHDnT78+MqMsKz+hNQOqF6h1wPjoySeJWDuvp8EOrxkEEMAR2ntI5fIDcNL1+tqiiqaYPR1bL/Vu8/REX+ODY61ctE0mvrS5lKKxRgVvurN9PH6Bqn7AvhplfF72ztW7+NqOEU66sFTZhag156ZPY0TvDAuyDhXW/vINlU7Hz2xckq1HvOdk5UiIi8PPNcMtbul/VZuOcK6D1zwj4kn8+ZabZcWMjhY857azCDSuwv7P3jRQm/D9dWJlwI3norA2rhC+mH2ywDd8xAeFqlRwOfjH/2qTaCob3AGIeiDnDf/SjoHkn9brePVjRIdoTIsf6c9t/dVK846yYn2hXK+iYAVtygyOslMsOJpTrg3C769AE6YTcdO8umNRP3lG8DXneYNGz+z444IQSj+txtMJByffRsbjlr1kTAQ50AcWreY2cnOhVZUc9m1nPPAsY2quVB2az0+PVWyFWinjcH0uzTx0Xi8BfPvP6Z1bEvjl+rdunPZdtVhyTqs599ywhIw4YaEDvBSVH+KoefkOG6GH042GcpNRtAEMIqgVxwUE4+XhVs/jPHQjm+KXbvRqkz1HQcbPRisxxCLfhnfF/HVCfUxQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_TY1PR01MB14661A247A92B995E954C13BE5260TY1PR01MB1466jpnp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TY1PR01MB1466.jpnprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e9b9e71-5349-4e58-ff50-08d85490b0cf
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2020 07:19:29.0680 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f109924e-fb71-4ba0-b2cc-65dcdf6fbe4f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3LSb8cpCFkHBmWUFLqkxS6NkJ4TUhkFjXRRjwFGb1BvcL9MQ8hccfBWVXxjfTO4Os/ru7iXpNk55KFfAFalt/Sfx7qnyAmWNrmiGS5G7QjU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY2PR01MB2684
X-OriginatorOrg: toshiba.co.jp
MSSCP.TransferMailToMossAgent: 103
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1FHJeOeuATVf95fmQyMJUnKD3AI>
Subject: Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2020 07:19:51 -0000
Hi Takahiro, Thanks for pointing out. I forgot that OAuth2 client registration is basically for a client application, not for a client instance. As you said, if we omit "jwk" altogether and rely on client authentication to identify the signing key, all instances of the client have to use the same key. That would be bad. From: Takahiko Kawasaki <taka@authlete.com> Sent: Tuesday, September 8, 2020 11:23 PM To: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <toshio9.ito@toshiba.co.jp> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof? To enable each "instance" of a client application to use a key pair which is dedicated to the instance, the public key needs to be included in the DPoP proof. On the other hand, in the scenario you described, all instances of the client application have to share one key pair. If client application instances don't have to share one key pair, it's better. Illustrated DPoP (OAuth Access Token Security Enhancement) https://medium.com/@darutk/illustrated-dpop-oauth-access-token-security-enhancement-801680d761ff Best Regards, Takahiko Kawasaki On Tue, Sep 8, 2020 at 6:29 PM <toshio9.ito@toshiba.co.jp<mailto:toshio9.ito@toshiba.co.jp>> wrote: Hi all, In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is REQUIRED. However, there are some cases where "jwk" is not necessary in theory. For example, consider a case where the client is registered with the Authorization Server, and its one and only public key is also registered with the AS. In that case, when the AS receives a request on Token endpoint, it can just use the public key registered for the client to verify the DPoP Proof. There is no need to send the public key in DPoP Proof. The same goes for requests to the Resource Server, if the AS and RS share the storage for clients' public keys. Things are a little difficult if the AS and RS are separate. Probably the Access Token or its introspection result have to include the public key (instead of its thumbprint as described in section 7). If the client registers multiple keys with the AS, it needs to specify which key it uses to sign the DPoP Proof. However, there is still no absolute need to send the whole key in DPoP Proof. Instead, the client could use "kid" header parameter to specify the key. Daniel Fett once mentioned the above case in the GitHub issue #26 [*1], but I'm not sure what happened to the discussion. There was also a comment on the latest draft about the "jwk" header parameter [*2]. I agree with using the same DPoP Proof structure for requests to AS and RS, but I think there are some cases where we can omit "jwk" in BOTH requests. Making "jwk" OPTIONAL would allow those cases to reduce some messaging overhead. I'd like to hear your opinions about it. [*1]: https://github.com/danielfett/draft-dpop/issues/26#issuecomment-480701746 [*2]: https://mailarchive.ietf.org/arch/msg/oauth/smwsONA6c4H2UICcZMzb8Yv2QRc/ Best regards, Toshio Ito ------------- Toshio Ito Research and Development Center Toshiba Corporation _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Omit "jwk" (or use "kid" instead) in D… toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Takahiko Kawasaki
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … John Bradley
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Dick Hardt
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Neil Madden
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Filip Skokan
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Dick Hardt
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell