IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Tue, 08 January 2019 13:00 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC22131118 for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2019 05:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4jOxks5wdWI for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2019 05:00:22 -0800 (PST)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63907131114 for <oauth@ietf.org>; Tue, 8 Jan 2019 05:00:22 -0800 (PST)
Received: by mail-io1-xd2d.google.com with SMTP id g8so3042058iok.4 for <oauth@ietf.org>; Tue, 08 Jan 2019 05:00:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Mssah9YD4GbRiBTXHvXLX1LfTAvlUvSXrK+RndczLHU=; b=a9wdcRwA/Fci/ZtNVOSZgkkFXWPJp3Llwdo7f5IlBgGwMvo0GCMKC0DpQF5fuT+6Io SzwvFrIP3GxYXS1yAr+JjnamCOGi1lNGvy76xGt7H3ataijR9NeLqboNwQvbsGhaNgu6 /4SPrwfrjqGMtClpfHG62CLzkZd/L1ASvGFDM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Mssah9YD4GbRiBTXHvXLX1LfTAvlUvSXrK+RndczLHU=; b=JMRAFmeGha6iwMBhGfdvPlA+7uq1VEGLpjofAFVBHylY0F1OlmXJL/AB1+bGR4T2fB mm21oybUQltfrHpJldkZ+Q+1LmCpgh9ltl3Vl+i8TqTSU2jPFoj+bbBlJiIb/z0F1X3U YpF9pVtsnLPcXtjIstLAwBD7EXwoMac/slfwEpZnUQuaAupQvnAmtnG8e3rsRKkGqwlV hRkuxv/EXsjtKPVG8JxssyhCdnL0Tg1lJ3A8aQ77+3yzkSg72yi9T3SusURETix2ZXkK Usbjby9mFoW1QC6+kCxwUd/37PrWjApY4fDd4hVHSNtVILdJtkE0JHIoe0neR/YTQvtc RcUA==
X-Gm-Message-State: AJcUukcmJxjx4qbjjxCHA9lorzYaj72y0F4d+55LimzG/+bFwCXoIBtE yC9vyF3RhJ2szGBpCNpIh8k/JpYfASHvunfhl1X790i9xnefMnxWAx4HIeS9VfxZ4L4WvVR3ZMn PA7CteD0BfkfCTQ==
X-Google-Smtp-Source: ALg8bN6EJppXC2trloV2oDf5Tmi5ZM0EiwEd8UnFn3z37yhrW4AwG+33RtNV6I9MZz1093K5WIndZ4KOVgucbrq40/w=
X-Received: by 2002:a6b:b345:: with SMTP id c66mr943034iof.59.1546952421537; Tue, 08 Jan 2019 05:00:21 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <20190104215540.GL86936@kduck.kaduk.org> <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com> <CALAqi_8+cY8mvW1cf+ue2Rh1UKT0ZvwwuYU4UOrOvMRm6PYFhg@mail.gmail.com>
In-Reply-To: <CALAqi_8+cY8mvW1cf+ue2Rh1UKT0ZvwwuYU4UOrOvMRm6PYFhg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 08 Jan 2019 05:59:55 -0700
Message-ID: <CA+k3eCTUx9MjavKCCwdAbbUV6i14rQ2-1YNkq-KyGsj9rpQEyA@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000921e8e057ef1ed5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4MHChYmcCfzMKMyrn0kBtXs9HGc>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2019 13:00:25 -0000

inline below...

On Mon, Jan 7, 2019 at 11:15 AM Filip Skokan <panva.ip@gmail.com> wrote:

> I think we shouldn't make a sweeping assumption that may potentially harm
> UX for end-users. Even if for a small percentage. Tho i can say for sure
> this percentage may also be rather significant depending on the types of
> services end-users have encountered in the past and made them install certs.
>
> For example, in Czech Republic there's an online system for communicating
> with government agencies, essentially an email-like inbox that you only get
> when verifying your identity in person on a post office, every company is
> required to have one for communication e.g. with the tax office and
> individuals and freelancers are encouraged to have one as well. To finish
> signing up for this inbox online after you've verified your identity in
> person, you must install custom certificates on your system otherwise the
> browser won't let you through the online signup part due to HSTS. I can say
> with 100% confidence that most folk do not remove these certs from their
> system, this means they'd fall in the category that gets prompted and are
> in majority nowhere near the kind of users that are able to deal with the
> UI prompt when encountered in the wild.
>

In this example, the custom certificates one has to install on their system
are additional root CAs, right?  From my observations that has no bearing
on the prompting behavior of the browsers (and shouldn't). What dictates
the behavior is whether the browser is configured with, or has access to,
one or more certificate with the associated private key that could be used
as client TLS certificates.


>
> I'd like to see a solution that
>
>    - works for every endpoint that needs mtls client cert for either
>    client auth or certificate bound token validation. This isn't only a case
>    for token endpoint, introspection, revocation, userinfo (RS-like endpoint
>    that might be checking a cert bound access token) to list a few
>    - can ensure clients without access to client certificates won't hit
>    an endpoint configured to request one to avoid the change of having the UX
>    flow broken, potentially selecting the wrong certificate which the browser
>    then remembers to use thus failing auth until website data is cleared.
>
> Working under the assumption a client software always knows whether it is
> configured with client certificates or not it would be nice if there was
> either a defined prefix, suffix or a specific object in the discovery
> response (with the same endpoint names in it) that a client can rely on to
> detect if there is an mtls specific url for any discovered endpoint it
> needs to use when providing client certificates.
>

Yeah, you are right about other endpoints (I'd been kind of willfully
ignoring them to be honest) and I think the specific object in the
discovery response that itself could have any of the same endpoint names in
it would be the most straight forward way to approach that.


Best,
> *Filip*
>
>
> On Mon, Jan 7, 2019 at 6:22 PM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> I don't honestly know for sure but I suspect that employees of big
>> corporations will likely have keys/certs on their devices/machines that are
>> issued by some internal CA and provisioned to them automatically (and in
>> many cases without the user knowing and/or understanding that they are
>> there and why). Those users would likely be prompted when TLS handshaking
>> with a server that presents an empty list of CAs in the
>> certificate_authorities of the CertificateRequest.
>>
>> I dunno. Maybe I was too quick to retract the proposal for the MTLS
>> supporting secondary token endpoint?
>>
>> What do folks (including Ben & Neil) think?
>>
>> On Fri, Jan 4, 2019 at 2:55 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>>
>>> On Fri, Dec 28, 2018 at 03:55:15PM -0700, Brian Campbell wrote:
>>> > I
>>> > suspect that not having client certs set up is the situation for the
>>> vast
>>> > majority of users and their browsers. And for those that do have client
>>>
>>> Is this still true when we limit to the set of users/browsers that are
>>> employees of big corporations?
>>>
>>> -Ben
>>>
>>> > certs set up, I think they are more likely to be the kind of user that
>>> is
>>> > able to deal with the UI prompt okay.
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited...  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any file
>> attachments from your computer. Thank you.*
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email