Re: [OAUTH-WG] Server cret verification in 10.9

Peter Saint-Andre <stpeter@stpeter.im> Tue, 24 January 2012 03:38 UTC

Message-ID: <4F1E2639.10902@stpeter.im>
Date: Mon, 23 Jan 2012 20:32:09 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Eran Hammer <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723453AAB9653D@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AAB9653D@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 1.3.4
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Server cret verification in 10.9

On 1/20/12 4:46 PM, Eran Hammer wrote:
> Stephen asked:
> 
>> (13) 10.9 says that the client MUST verify the server's cert which is
>> fine. However, does that need a reference to e.g. RFC 6125? Also, do 
>> you want to be explicit here about the TLS server cert and thereby 
>> possibly rule out using DANE with the non-PKI options that that WG 
>> (may) produce?
> 
> Can someone help with this? I don’t know enough to address.

The OAuth core spec currently says:

   The client MUST validate the authorization server's
   TLS certificate in accordance with its requirements
   for server identity authentication.

RFC 2818 has guidance about endpoint identity, in Section 3.1:

http://tools.ietf.org/html/rfc2818#section-3.1

RFC 6125 attempts to generalize the guidance from RFC 2818 and many
similar specs for use by new application protocols. Given that OAuth as
defined by the core spec runs over HTTP, I think referencing RFC 2818
would make sense. So something like:

   The client MUST validate the authorization server's
   TLS certificate in accordance with the rules for
   server identity authentication provided in Section 3.1
   of [RFC2818].

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
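The rules Peter points to in RFC 2818 Section 3.1 are short but easy to get subtly wrong in a client: if the certificate carries dNSName subjectAltNames they are the identity and the Common Name is ignored; the Common Name is only a fallback; a '*' matches a single label or a fragment of one (so *.a.com matches foo.a.com but not bar.foo.a.com, and f*.com matches foo.com but not bar.com); and if the authorization server's URI names an IP address, an iPAddress subjectAltName must be present and match exactly. The following is an added example written for this page, not code from the OAuth specification, from the thread, or from any library: it implements those matching rules over certificate names supplied as plain strings (constructed test values, no real certificate parsing), and beside it shows the TLS context an OAuth client should hand to its HTTP stack, with the insecure "skip verification" setting for contrast. The function names and parameters are this example's own.

```python
"""RFC 2818 Section 3.1 server identity matching for an OAuth client.

Added example for this page; not code from the OAuth spec or any library.
Certificate names are passed in as strings (assumed already extracted from
the peer certificate); the values used in the tests are constructed.
"""
import ipaddress
import ssl
from typing import Iterable, Optional


def _match_dns_identity(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN identity (which may contain '*') against a hostname.

    RFC 2818 s3.1: '*' matches any single domain name component or component
    fragment.  Labels are compared case-insensitively, one label at a time, so
    a wildcard can never swallow more than one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")
        if "*" in tail:
            # Assumption (conservative): more than one '*' in a label is rejected.
            return False
        if len(h) < len(head) + len(tail):
            return False
        if not (h.startswith(head) and h.endswith(tail)):
            return False
    return True


def match_server_identity(
    hostname: str,
    san_dns: Iterable[str] = (),
    san_ip: Iterable[str] = (),
    common_name: Optional[str] = None,
) -> bool:
    """Decide whether a certificate identifies `hostname` per RFC 2818 s3.1.

    hostname     host part of the authorization server URI (DNS name or IP literal)
    san_dns      dNSName subjectAltName entries from the certificate
    san_ip       iPAddress subjectAltName entries, as textual addresses
    common_name  subject Common Name (only consulted when no dNSName SAN exists)
    """
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # URI host is an IP literal: an iPAddress SAN MUST be present and equal.
        # A dNSName or CN spelling the same digits does not count.
        return any(ipaddress.ip_address(a) == wanted_ip for a in san_ip)

    san_dns = list(san_dns)
    if san_dns:
        # dNSName SANs present: they are the identity; the CN is ignored.
        return any(_match_dns_identity(n, hostname) for n in san_dns)

    if common_name is not None:
        # Fallback for certificates with no dNSName SAN.
        return _match_dns_identity(common_name, hostname)
    return False


def oauth_client_tls_context(verify: bool = True) -> ssl.SSLContext:
    """TLS context for the client's connections to the authorization server.

    verify=True  chain validation against the trust store plus hostname
                 matching (the behaviour 10.9 requires).
    verify=False the insecure setting shown only for contrast; with it the
                 client accepts any certificate and never checks identity.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_enforces_identity(ctx: ssl.SSLContext) -> bool:
    """True when a context both validates the chain and matches the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print(match_server_identity("foo.a.com", san_dns=["*.a.com"]))        # True
    print(match_server_identity("bar.foo.a.com", san_dns=["*.a.com"]))    # False
    print(context_enforces_identity(oauth_client_tls_context()))          # True
```

Note that the matcher deliberately refuses to let a Common Name rescue a certificate whose dNSName SANs do not match, and refuses a DNS-looking name for an IP-literal host; both are places where hand-rolled checks have historically been lenient. In a real client the names would come from the parsed peer certificate, and the context from `oauth_client_tls_context()` is what performs that check for you.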