IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Filip Skokan <panva.ip@gmail.com> Mon, 07 January 2019 18:15 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA1F2130FE8 for <oauth@ietfa.amsl.com>; Mon, 7 Jan 2019 10:15:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ow6KMA2lN0dM for <oauth@ietfa.amsl.com>; Mon, 7 Jan 2019 10:15:49 -0800 (PST)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FBA61200B3 for <oauth@ietf.org>; Mon, 7 Jan 2019 10:15:49 -0800 (PST)
Received: by mail-oi1-x230.google.com with SMTP id j21so1099351oii.8 for <oauth@ietf.org>; Mon, 07 Jan 2019 10:15:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=DZCq06Fk/dCDIg+MEL41Md4owAPd6pnPipA1N9jmEMY=; b=ZdaMjPoEygW3ZlNNZXr+nsNuShJuvZDetKDEI/2u1jCTvgX/x2IFL4w9oUSBOYFmeL LWpawDLM80PfjWL/P39HpyAc3dUuP2ZXBnmNuW+JCoompf2k5yvfsiiFUMqQlgRo/Byd euBLudZpRkcYZxLEe8IM+sPEc0zPrq9Bx09JA8WlH/kNII1jwKRJtbtNZtROjY2l6UJs lRUNYzw+WdcXILyJmb/hCTbXsaOcLr8aPMFc3ZVUYB4Rg7I+rR0cOlPE9IobZMBskdBJ gH2SIpd+Uitl3O/NclmYZVixljcrNgjBM7qFR8Vw/qGOjQn3ApRY946Y//gSBJblBqFA 6Q+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=DZCq06Fk/dCDIg+MEL41Md4owAPd6pnPipA1N9jmEMY=; b=kG9fHG0MijIMQWHMICzra+51DT2EzR44bzBSqzkGPJMmcuI1h3O3JV1mALzs3xZNpi Nz1QVIk+FLekqXi9rBgzTWDZ2iWuuMSDGk9rXfw4ogPIQ5kcvetWcRZ5XG4bG1peegCS B5TU7fnKc0pKhdav73Wc6o3WxIUa5/Qht5n5eV9PzJUWI1rStcsQ2TzoKrQSUunRJwv+ 9sF1laEbu/EEvaFIarY9cS5EyDZ0s2zuOKBymOds+/yBpVzZr/mOEDcGBAVj3TX1aI0x ofQH39XNAvBPeObd7NLOQtHCkGXqpbmwNtjZslFggG7gUxe1txsbHWmHWoNhk88mtC7b GArg==
X-Gm-Message-State: AJcUukd4xAb2OJ5pU1FalkosvwpDq4BtMdqSJFfX/ex7KDH+8jRgyfm5 c31+/w1gEd5drLXANkTV4iWaypNaZMmYA/m1uWCp
X-Google-Smtp-Source: ALg8bN6w6pynSQqDhTW1w7EZTggVYl7MBY35AzGzdQIh3IaGm2gRhaP1Nsvv6O6MuWxS4sCpksTG7RXmfiAGZ88h8K4=
X-Received: by 2002:aca:401:: with SMTP id 1mr8452017oie.335.1546884948843; Mon, 07 Jan 2019 10:15:48 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <20190104215540.GL86936@kduck.kaduk.org> <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
In-Reply-To: <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Mon, 07 Jan 2019 19:15:37 +0100
Message-ID: <CALAqi_8+cY8mvW1cf+ue2Rh1UKT0ZvwwuYU4UOrOvMRm6PYFhg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e26323057ee237fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3Tt-3SbjA3bNegytX7iXgIjirwM>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 18:15:52 -0000

I think we shouldn't make a sweeping assumption that may potentially harm
UX for end-users. Even if for a small percentage. Tho i can say for sure
this percentage may also be rather significant depending on the types of
services end-users have encountered in the past and made them install certs.

For example, in Czech Republic there's an online system for communicating
with government agencies, essentially an email-like inbox that you only get
when verifying your identity in person on a post office, every company is
required to have one for communication e.g. with the tax office and
individuals and freelancers are encouraged to have one as well. To finish
signing up for this inbox online after you've verified your identity in
person, you must install custom certificates on your system otherwise the
browser won't let you through the online signup part due to HSTS. I can say
with 100% confidence that most folk do not remove these certs from their
system, this means they'd fall in the category that gets prompted and are
in majority nowhere near the kind of users that are able to deal with the
UI prompt when encountered in the wild.

I'd like to see a solution that

   - works for every endpoint that needs mtls client cert for either client
   auth or certificate bound token validation. This isn't only a case for
   token endpoint, introspection, revocation, userinfo (RS-like endpoint that
   might be checking a cert bound access token) to list a few
   - can ensure clients without access to client certificates won't hit an
   endpoint configured to request one to avoid the change of having the UX
   flow broken, potentially selecting the wrong certificate which the browser
   then remembers to use thus failing auth until website data is cleared.

Working under the assumption a client software always knows whether it is
configured with client certificates or not it would be nice if there was
either a defined prefix, suffix or a specific object in the discovery
response (with the same endpoint names in it) that a client can rely on to
detect if there is an mtls specific url for any discovered endpoint it
needs to use when providing client certificates.

Best,
*Filip*


On Mon, Jan 7, 2019 at 6:22 PM Brian Campbell <bcampbell=
40pingidentity.com@dmarc.ietf.org> wrote:

> I don't honestly know for sure but I suspect that employees of big
> corporations will likely have keys/certs on their devices/machines that are
> issued by some internal CA and provisioned to them automatically (and in
> many cases without the user knowing and/or understanding that they are
> there and why). Those users would likely be prompted when TLS handshaking
> with a server that presents an empty list of CAs in the
> certificate_authorities of the CertificateRequest.
>
> I dunno. Maybe I was too quick to retract the proposal for the MTLS
> supporting secondary token endpoint?
>
> What do folks (including Ben & Neil) think?
>
> On Fri, Jan 4, 2019 at 2:55 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> On Fri, Dec 28, 2018 at 03:55:15PM -0700, Brian Campbell wrote:
>> > I
>> > suspect that not having client certs set up is the situation for the
>> vast
>> > majority of users and their browsers. And for those that do have client
>>
>> Is this still true when we limit to the set of users/browsers that are
>> employees of big corporations?
>>
>> -Ben
>>
>> > certs set up, I think they are more likely to be the kind of user that
>> is
>> > able to deal with the UI prompt okay.
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email