[OAUTH-WG] Re: Call for adoption - PIKA

Giuseppe De Marco <demarcog83@gmail.com> Tue, 03 September 2024 13:04 UTC

Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD33DC14F5E3 for <oauth@ietfa.amsl.com>; Tue, 3 Sep 2024 06:04:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrIoRLe2JtVl for <oauth@ietfa.amsl.com>; Tue, 3 Sep 2024 06:04:35 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D08CCC14F616 for <oauth@ietf.org>; Tue, 3 Sep 2024 06:04:35 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-58ef19aa69dso4884137a12.3 for <oauth@ietf.org>; Tue, 03 Sep 2024 06:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725368674; x=1725973474; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=d5+6rWbhrtON7GPNPGYCBw+nZFJ3UthUByBHvvdnNQo=; b=lrA58dWItvLeBvaWQ0PQhkXd4U2neWWW1PiojjSmJ3M5OockMtQQ8HD7tCPKJo8Uyb Pu3Wc65bMzSr+WBhb8+E9WDdbnAfo90azXE/UXOj5BvYobKeroZousD7TlSW0KO1Jjng 5Xeut4Tej6HyyuW70bbjsk0D9Y4l9spmycZiPQtV0YV7t6eQa6EhRz+ktiI9jI4C1MRX 8u1eLx52oIp2ZoXMkQmySbrMvGnL366BHFug8zlpFTQpn+R4wOv3frUcczAMGEPBSQTb +45ofmv0fXvds3B6yEw0HiJUN8m7vxQqYrtr6UOg2vn8P1f6MtOhvuCiNO98dV2Kig07 DP2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725368674; x=1725973474; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=d5+6rWbhrtON7GPNPGYCBw+nZFJ3UthUByBHvvdnNQo=; b=DICiHbw5GOm4Q3vDG37y4GFq3U19+8iIKSw/0pjty5DBHIyJMdYKd4BQKSc0gwVX8b QiPuRlxTsAK2oFIVgmdOBftZfItwQV7dZUck3PpL7hI7GYRj4pOnnUjS47tyhii7w9lp UMT7Va2zFo0GIUjUu3Mv52S0hQn5/ali5yYYOAESmATNpg27DImAhhmQVibhijqOZNdR GP6wMWygKjWJYxlS7Eoh1C+7nFZNxcA/cl7PddsNCvJUFOmx5us4XUmd2mqb2udvEWny MTNRJPSFm93Zc27rNiZm5/fgDe9ApPqXSGNRx6IUkCw8GFz145vknaN9faJJnvWqArFW w0EA==
X-Gm-Message-State: AOJu0YxYo2HyuvDbtO1G3nK2L1QzDhQtN9z5PG4H8KvCblInATflr112 7IXQ5pKYqSHKjWWLNwPoYWp8IVjiH2ZeYKuRCmQZn9sIKJUSmqP8TD6RAwS1cpEoabQANCOvgTl OkcYMM5QI1QcohOMUDHurRTpqJA0FPVi/
X-Google-Smtp-Source: AGHT+IFjMUbX854lS5r9vFh4wfaNftxk52TVkI6jM30qrhse1iI+B/A9Mka8e4tNIBnrxsbe95+p4OZEbGlwJAmJ8X8=
X-Received: by 2002:a05:6402:3546:b0:5be:ee30:9948 with SMTP id 4fb4d7f45d1cf-5c242350e74mr7351188a12.8.1725368673286; Tue, 03 Sep 2024 06:04:33 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP80YnzxOc_NDbFqK0bv=i0Ys1s8hYHwo-PqhUPbAWs4sg@mail.gmail.com>
In-Reply-To: <CADNypP80YnzxOc_NDbFqK0bv=i0Ys1s8hYHwo-PqhUPbAWs4sg@mail.gmail.com>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Tue, 03 Sep 2024 15:04:21 +0200
Message-ID: <CAP_qYy=abBj69+d-jxCytCE=x-NCNY2C6h6QYuUm-MYBZGrDZQ@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e0c299062136b2c9"
Message-ID-Hash: HEAJB3RU5ODPA3D2BFXE6KFS57UKTWGI
X-Message-ID-Hash: HEAJB3RU5ODPA3D2BFXE6KFS57UKTWGI
X-MailFrom: demarcog83@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4ClTvbfFLwS9vHNcLUqOYvf-09Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi,

I used to support work made by other authors willing to find solution to
common problems.
I appreciate the efforts, the creativity and the passion I read within
those specs lines under the current approval phase.

I am happy about the link between PIKA and OpenID Federation, and that one
of the openid federation endpoint was used in PIKA.

I ask a proper alignment to the federation historical keys endpoint, that,
as already mentioned during my previous comments, was slighlty updated for
reducing the complexity of the revocation reason definitions. Please keep
it aligned if possibile for sake of consistency (even if in different
specs). While for the stability of the contents I don't see any other
change in the future on this federation endoint within the openid
federation specs.

I would ask to say within the text that the difference with the endpoint
defined in openid federation is that PIKA includes also the active keys,
while federation only requires inactive keys to be published in the
endpoint response (unused, if expired or revoked or unknow reason). I ask
to say this in PIKA to avoid confusion about the endpoint specific purposes.

where implementations might require an additional level of assurance, I
suggest to include also the parameter signed_jwks_uri, as registered in
IANA for openid federation, providing a signed jwks, obviously signed using
the same private key used for the historical key endpoint response
(therefore verifiable with the public key contained in the x5c mentioned in
the text).

one of my comment, even if actually only a side comment between authors, is
about scalability: while openid federation supports multiple ways to build
a trust chain using one or more trust anchors, PIKA only uses a single
X.509 certificate chain and also requires re-using the same cryptographic
material already used for HTTP TLS if I got it well. In large scale
deployments we used to not re-use https certificates for specific
application protocols different from http but relying on top of it, such as
SAML2, OIDC and or OAuth 2.0. This was because of different purposes and
also for different cryptographic material issuance and expiration
constraints, allowing http frontends managed by the A team to be autonomous
in the lyfecycle of the key for TLS, while B team working on IAM
infrastructure on the backend with other cryptographic materials.

not at least, by not propagating the same cryptographic material upon
multiple layers within the same infrastructure we aim to reduce the surface
of attack againt any crypto material breach

it seems that this is only my first revision, I hope that author's will
continue doing their best to consolidate PIKA and with the contribution of
all this community

best

Il giorno mar 3 set 2024 alle ore 12:49 Rifaat Shekh-Yusef <
rifaat.s.ietf@gmail.com> ha scritto:

> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the *Proof
> of Issuer Key Authority (PIKA) *draft:
> https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
>
> Please, reply on the mailing list and let us know if you are in favor or
> against adopting this draft as WG document, by *Sep 17th*.
>
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>