Re: [OAUTH-WG] MTLS vs. DPOP

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 07 May 2019 16:00 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Vittorio Bertocci <Vittorio@auth0.com>, George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 07 May 2019 16:00:26 +0000
Message-ID: <DBBPR08MB453922BB1CC9FDA868275DEDFA310@DBBPR08MB4539.eurprd08.prod.outlook.com>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com> <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com>
In-Reply-To: <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fW8R4cUiiwVSG_3uMClGBh0-fYQ>

George,

> I don't see them the same at all. With MTLS, the token is bound to the transport layer (and the key used to establish that encrypted connection). With DPOP, the token is bound to the private key known to the client.

Strictly speaking, both solutions tie the token to the public key, and the client needs to demonstrate possession of the private key through some security protocol.

Ciao
Hannes
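As an added illustration of the point above (example code written for this archive page, not code from the thread, from RFC 8705 or from any DPoP implementation): in both methods the authorization server writes a thumbprint of the client's public key into the token's `cnf` claim, and the resource server compares that thumbprint against the key the client has just proved possession of. With mTLS the thumbprint is `x5t#S256` over the DER client certificate; with DPoP it is `jkt`, the RFC 7638 thumbprint of the JWK carried in the DPoP proof. The JWK and certificate bytes below are constructed sample values; the actual proof of possession (the TLS handshake, or the signature on the DPoP proof JWT) is assumed to have been verified by the TLS stack or JWT library before these checks run.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not from the thread): a JWK in P-256 shape and a
# stand-in for a DER-encoded client certificate. In a deployment the JWK comes
# from the DPoP proof header and the certificate from the TLS layer.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-not-a-real-certificate"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JOSE and in the cnf claim."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    with sorted keys and no whitespace. Optional members (kid, use, alg) are
    deliberately left out, so the same key always yields the same jkt."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256 value: SHA-256 over the DER-encoded certificate."""
    return b64url(hashlib.sha256(cert_der).digest())


# Authorization-server side: what each binding method puts into cnf.
def mtls_cnf(client_cert_der: bytes) -> dict:
    return {"cnf": {"x5t#S256": cert_thumbprint(client_cert_der)}}


def dpop_cnf(client_jwk: dict) -> dict:
    return {"cnf": {"jkt": jwk_thumbprint(client_jwk)}}


# Resource-server side: does the key the client just proved possession of match
# the key the token was bound to? A token without the expected cnf member is
# treated as not bound, never as "nothing to check".
def token_bound_to_mtls_client(claims: dict, presented_cert_der: bytes) -> bool:
    expected = claims.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False
    return hmac.compare_digest(expected, cert_thumbprint(presented_cert_der))


def token_bound_to_dpop_key(claims: dict, proof_jwk: dict) -> bool:
    expected = claims.get("cnf", {}).get("jkt")
    if expected is None:
        return False
    return hmac.compare_digest(expected, jwk_thumbprint(proof_jwk))


def demo() -> dict:
    """Mint one token per method and run the resource-server checks, including
    the failure cases: wrong certificate, wrong key, and a token bound with one
    method being presented under the other."""
    mtls_token = {"sub": "client-a", **mtls_cnf(SAMPLE_CERT_DER)}
    dpop_token = {"sub": "client-a", **dpop_cnf(SAMPLE_JWK)}
    other_jwk = {**SAMPLE_JWK, "x": SAMPLE_JWK["y"], "y": SAMPLE_JWK["x"]}
    return {
        "mtls_ok": token_bound_to_mtls_client(mtls_token, SAMPLE_CERT_DER),
        "mtls_wrong_cert": token_bound_to_mtls_client(mtls_token, SAMPLE_CERT_DER + b"x"),
        "dpop_ok": token_bound_to_dpop_key(dpop_token, SAMPLE_JWK),
        "dpop_wrong_key": token_bound_to_dpop_key(dpop_token, other_jwk),
        "cross_method": token_bound_to_dpop_key(mtls_token, SAMPLE_JWK),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two verifier functions are the same shape, which is the point of the reply: what differs between the methods is which protocol carries the proof of possession and which thumbprint format ends up in `cnf`, not what the token is bound to.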
