Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
David Waite <david@alkaline-solutions.com> Wed, 13 October 2021 18:41 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6F933A0977 for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p7ESIUOsBYoh for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 11:41:23 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2836A3A0908 for <oauth@ietf.org>; Wed, 13 Oct 2021 11:41:23 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by caesium6.alkaline.solutions (Postfix) with ESMTPA id 581DC206745; Wed, 13 Oct 2021 18:41:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1634150482; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DOe/8mXezg/+eACKk/VYT+dcv9o7Fwn4BKYdWv4Qa5E=; b=Uhd8Qr9Rc8tt+ESAcqhotaZzXp1zOeb4wbxfPN2szOqrwWjVXo9OepThIBn/FoqwUv0afG fUYMX8a8X9vfWuzkMHAx/YnFZqp+jJfbD3sMYCpizfgXjXBWbT6hzapGGJTeL5Ar2hid1b o0fJUB4Tgb9VEb/F1qETDMCfoayWO4M=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <EB86A178-052C-48CD-9F99-63B9173DF7B0@amazon.com>
Date: Wed, 13 Oct 2021 12:41:21 -0600
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7618AC29-8221-4FC0-BCF3-199C6BA96FE5@alkaline-solutions.com>
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com> <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com> <CAJot-L1fio+-1sSn6Z88ianq04RoHJ3M5yxe0Bzu2Cs-CWCPkg@mail.gmail.com> <54A59064-B40B-4F6C-9E7C-A5618C2C4D3E@alkaline-solutions.com> <3CAB48B9-B517-4693-8CBB-3377122A6077@amazon.com> <CAJot-L3CiPf0XbTRHPgs71cxfhr2626+vt4XELDSf5nhkj8wdg@mail.gmail.com> <EB86A178-052C-48CD-9F99-63B9173DF7B0@amazon.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/20_NafKJAYUy-42dOoBLWrJiXVI>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 18:41:28 -0000
> On Oct 13, 2021, at 12:26 PM, Richard Backman, Annabelle <richanna@amazon.com> wrote: > > Those issues that could be addressed without completely redesigning DPoP have been discussed within the Working Group multiple times. (See quotes and meeting notes references in my previous message) The authors have pushed back on extending DPoP to cover additional use cases them due to a desire to keep DPoP simple and lightweight. I don't begrudge them that. I think it's reasonable to have a "dirt simple" solution, particularly for SPAs given the relative limitations of the browser environment. > > Other issues are inherent to fundamental design choices, such as the use of JWS to prove possession of the key. E.g., you cannot avoid the data duplication issue since a JWS signature only covers a specific serialization of the JWT header and body. Agreed with keeping DPoP simple, which was why I was asking if the proposal could indicate it was targeting some of these other use cases. The current draft being proposed for adoption I believe is fixed to the same HTTP properties that DPoP leverages, and thus appears to be targeting the same use cases with a different proof expression. The duplication within the token is also a trade-off: it allows an implementation to have a white list of acceptable internal values, if say the host and path are rewritten by reverse proxies. It also allows an implementation to give richer diagnostic information when receiving unacceptable DPoP tokens, which may very well come at runtime from an independently-operating portion of an organization reconfiguring intermediaries. -DW
- [OAUTH-WG] Call for Adoption - OAuth Proof of Pos… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Denis
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Neil Madden
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Ash Narayanan
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Aaron Parecki
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Mike Jones
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Domingos Creado
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Mike Jones
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Dick Hardt
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… David Waite
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Richard Backman, Annabelle
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: Call for A… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… David Waite
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: Call for A… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Warren Parad
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Justin Richer
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Warren Parad
- Re: [OAUTH-WG] Call for Adoption - OAuth Proof of… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Dick Hardt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Call for Adopt… Dick Hardt