IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

David Waite <david@alkaline-solutions.com> Wed, 09 January 2019 05:30 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE78F12D4E7 for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2019 21:30:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f592BAkF60jI for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2019 21:30:01 -0800 (PST)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id A028F129AB8 for <oauth@ietf.org>; Tue, 8 Jan 2019 21:30:01 -0800 (PST)
Received: from [IPv6:2601:282:202:b210:7d0b:3f09:d5ce:3d17] (unknown [IPv6:2601:282:202:b210:7d0b:3f09:d5ce:3d17]) by alkaline-solutions.com (Postfix) with ESMTPSA id EB8B031571; Wed, 9 Jan 2019 05:29:59 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <73B00324-DE55-48FD-A21D-B22438A707A7@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_72402306-15C5-468B-A7D7-6C49A2130EA5"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 08 Jan 2019 22:29:58 -0700
In-Reply-To: <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3OTXnrbfpiC74V8Xcmx0QgiZwzA>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 05:30:05 -0000


> On Dec 28, 2018, at 3:55 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> I spent some time this holiday season futzing around with a few different browsers to see what kind of UI, if any, they present to the user when seeing different variations of the server requesting a client certificate during the handshake. 
> 
> In a non-exhaustive and unscientific look at the browsers I had easily at my disposal (FF, Chrome, and Safari on Mac OS), it seems they all behave basically the same. If the browser is configured with, or has access to, one or more client certificates that match the criteria of the CertificateRequest message from the server (basically if issued by one of the CAs in the certificate_authorities of the CertificateRequest), a certificate selection UI prompt will be presented to the user. Otherwise, a certificate selection UI prompt is not presented all. When the CertificateRequest message has an empty certificate_authorities list (likely the case with a optional_no_ca type config), the browsers look for client certificates with any issuer rather than narrowing it down. 

Was your testing via XHR/fetch?

FWIW,

Firefox behavior is determined by a global pick automatically / prompt every time flag. Details at https://wiki.mozilla.org/PSM:CertPrompt <https://wiki.mozilla.org/PSM:CertPrompt>

Safari on macOS relies on the keychain, where a record is created called an Identity Preference. This is a URL (https or email) to preferred certificate mapping. Previously, it would create this record the first time a user selected a certificate, then never prompt again.

Chrome seems to delegate to the underlying OS for certificate management, so on the Mac it has this behavior as well. This means however that other platforms may have different behaviors.

Safari on iOS used to automatically select a single certificate match, if the query was for a single client CA. I didn’t try with other small numbers (2, 3, etc) but when exposing the list of all available CAs as valid client CAs, it would prompt. This may not be the heuristic anymore, as knowing the name of a client CA (such one issued as part of a cloud EMM deployment) would allow certificates to be used for tracking.

IE (pre-edge) would allow the behavior to use an automatic cert or prompt to be configured per-zone, which would allow policy to send a device/user identification certificate to a particular set of sites by default. I have no experience with configuring Edge, unfortunately.

-DW

v2.23.0 | Report a Bug | By Email