IETF Logo Mail Archive

Re: [OAUTH-WG] draft-campbell-oauth-tls-client-auth-00 feedback

Brian Campbell <bcampbell@pingidentity.com> Wed, 16 November 2016 23:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1E5A1293DB for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2016 15:18:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNlPr08xrdhO for <oauth@ietfa.amsl.com>; Wed, 16 Nov 2016 15:18:31 -0800 (PST)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C80A128E18 for <oauth@ietf.org>; Wed, 16 Nov 2016 15:18:31 -0800 (PST)
Received: by mail-it0-x22d.google.com with SMTP id l8so98115058iti.1 for <oauth@ietf.org>; Wed, 16 Nov 2016 15:18:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K4ur0gDctW63CIWkODu7R9W+4X1Uz8U+wPgB6IQxMkI=; b=A0JuPGH8jm6VNci7MtMvKYBQJTZhxex5YrS5eyBPCbNNKXHFXT7OqFMPUD/+7FhckX IiJZ+Js9SFp69+/dGNWm3g82rXchg6hcFcutWbuRPOdqlYR/JbDmcaEZyVDTLyaEuuu8 DXmEmwg9SyYhYJ0/vTYTFz1ygA6ATnL/Y0qjs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K4ur0gDctW63CIWkODu7R9W+4X1Uz8U+wPgB6IQxMkI=; b=lw3s7ZcIi0NmkwN69EDTT6vYhdEgHSjBOoZWaMrYuTeD8vi+A9fDZWmNdQU0o9SzF8 WZePPRi6l8TRjt4syvhi2ztNSmWR3L7jWYKD/sUlm00QWA7kKOWSICh3mykCydnp0IqP L7fQ1wfTW01mIC+JyP+IOZCVWR0quaeh7oFvvPvw5HrjgBkMaqkBJgAR7VxyJQqi7Usq AyNCtNH3+Sroeea67a7lRHUrCoHts4lbXZPMT2CzFHROd1yySYemceqwKKAxXdIs9Ltt TWfICMSvlSh31DqF/P6NxeVfh3xAtghDLOAidB4wVPpPsHw3Nvr9oZxr+KyG8miMj9ZX E2LA==
X-Gm-Message-State: AKaTC02cQt0sGs5cgo+93xjj4JC88REAo0fEiQxSNn4ZkP6dZPORs8EqhBtVZNe/p9sNAUq4AEZlv17bTGCslUsr
X-Received: by 10.107.141.211 with SMTP id p202mr539490iod.47.1479338310352; Wed, 16 Nov 2016 15:18:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.165.24 with HTTP; Wed, 16 Nov 2016 15:17:59 -0800 (PST)
In-Reply-To: <6021A3BB-356B-4A02-AF0A-C6E8A0166609@seantek.com>
References: <6021A3BB-356B-4A02-AF0A-C6E8A0166609@seantek.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 16 Nov 2016 16:17:59 -0700
Message-ID: <CA+k3eCS6H1OL2B+gRbAhHNwk5f+QQk5R2my49mpTVJZ+9BSMUQ@mail.gmail.com>
To: Sean Leonard <dev+ietf@seantek.com>
Content-Type: multipart/alternative; boundary="94eb2c062c9e7df08e0541734a21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4Mc9JHlmwouIEzIDOb3bG1t3jh4>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-campbell-oauth-tls-client-auth-00 feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2016 23:18:34 -0000

inline...

On Wed, Nov 16, 2016 at 1:47 AM, Sean Leonard <dev+ietf@seantek.com> wrote:

> Hello OAuth folks:
>
> I have some feedback about draft-campbell-oauth-tls-client-auth-00.
> Overall I think it is a good, concise effort, and should be adopted as a WG
> item. Sorry that it didn’t get addressed in the WG meeting.
>

Thanks Sean. Some things at the WG meeting ran long and it fell off the
back of the list. The slides that would have been presented are in the
meeting materials https://www.ietf.org/proceedings/97/slides/slides-
97-oauth-sessb-tls-client-auth-00.pdf if anyone wants to take a look
(there's not a whole lot to them though).


>
> Section 1 mentions “shared secret” as the default in OAuth 2.0, but this
> draft provides an alternative that (implicitly) does not require a shared
> secret between the client and server components. However, this draft does
> not elaborate on the advantages of avoiding shared secrets: the advantages
> should be addressed in Section 1 or in the Security Considerations. In
> particular, a lot of enterprise scenarios seem to do intentional
> man-in-the-middle attacks (aka endpoint termination) for “logging” and
> “auditing” purposes: see the IETF 97 TLS WG meeting materials
> <slides-97-tls-tls-visibility-inside-the-data-center>. These same
> enterprise use cases are significant motivators for eliminating shared
> secrets on the wire.
>

I agree that Section 1 could say more about the motivation/advantages over
the shared client secret. I'll look to expand on that in future revisions.
Specific proposed text is always welcome too.


> Section 5.2 discusses some ideas about associating/binding a certificate
> to a client identifier (client_id). I understand that in many use cases,
> the certificate and public key will be long-lived and issued by an
> authority prior to the client’s contact with the AS; in a minority of use
> cases (such as IoT devices), the AS will also issue certificates to clients.
>
> The best and most flexible way to do this is to define an attribute, let’s
> say “oauthClientID”, of type VisibleString, which can be multi-valued. By
> defining it as an attribute, it can be put in at least four useful protocol
> slots:
> 1. Subject Directory Attributes (RFC 5280 Section 4.2.1.8): this is where
> metadata about the subject goes that is not part of the distinguished name.
> 2. Subject attributes: this is when you want the client_id to be bound
> more authoritatively to the certificate, i.e., the utility and lifetime of
> the certificate == the lifetime of the client/AS association.
> 3. LDAP attributes: this is where metadata about the subject is associated
> together with the certificate, but not part of the certificate (which is
> usually in the userCertificate attribute for the LDAP entry).
> 4. “other places” where metadata gets associated with certificates, such
> as crypto tokens and databases (LDAP, of course, is just a type of
> database).
>
> By making the attribute multi-valued, one can associate multiple
> client_ids with one certificate, which means that the same
> certificate/keypair can be used with multiple services.
>
> Creating a new attribute is strongly preferable to reusing a field such as
> “commonName”, since commonName is overused and can lead to conflicts
> (compare with SSL’s legacy use of commonName). subjectAltName is also not
> preferable because the client_id itself is not really a globally unique
> name; it’s closer to a serial number or random (but not secret) string. To
> make it globally unique it needs to be combined with an identifier for the
> AS, and that makes such a structure more complicated. Furthermore,
> subjectAltName is specific to being inside a certificate; it does not have
> semantics outside of a certificate, whereas a generic directory attribute
> has equal semantics inside and outside of certificates.
>

I believe that the specifics of if and how a client id is represented in a
certificate is well beyond the scope of this document.  But maybe some
considerations or guidance about using an attribute would be appropriate in
describing one possible way to do the binding between client and
certificate, if you wanted to propose some specific text.



> Editorial: there is a typo: Section 5.2: “specifc” should be “specific”.
>

Will fix. Thanks.



>
> Regards,
>
> Sean
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email