IETF Logo Mail Archive

Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls

Justin P Richer <jricher@mit.edu> Wed, 07 November 2018 01:11 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C9FA12870E for <oauth@ietfa.amsl.com>; Tue, 6 Nov 2018 17:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pXy_Cq2UrULn for <oauth@ietfa.amsl.com>; Tue, 6 Nov 2018 17:11:17 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA561277BB for <oauth@ietf.org>; Tue, 6 Nov 2018 17:11:16 -0800 (PST)
X-AuditID: 12074422-326849e00000220e-53-5be23bb2f787
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 38.A6.08718.2BB32EB5; Tue, 6 Nov 2018 20:11:14 -0500 (EST)
Received: from outgoing-exchange-1.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-1.mit.edu (8.14.7/8.9.2) with ESMTP id wA71B6Cs030845; Tue, 6 Nov 2018 20:11:12 -0500
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id wA71BEBZ018402; Tue, 6 Nov 2018 20:11:23 -0500
Received: from W92EXHUB16.exchange.mit.edu (18.7.73.27) by w92exedge4.exchange.mit.edu (18.7.73.16) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Tue, 6 Nov 2018 20:10:35 -0500
Received: from OC11EXPO25.exchange.mit.edu ([169.254.1.63]) by W92EXHUB16.exchange.mit.edu ([18.7.73.27]) with mapi id 14.03.0352.000; Tue, 6 Nov 2018 20:10:59 -0500
From: Justin P Richer <jricher@mit.edu>
To: Evan Gilman <evan2645@gmail.com>
CC: "neil.madden@forgerock.com" <neil.madden@forgerock.com>, "bcampbell=40pingidentity.com@dmarc.ietf.org" <bcampbell=40pingidentity.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
Thread-Index: AQHUdVpVz+ichRFcu0C4sSKaIlwlp6VCULkAgABj6oCAANnPgIAASCeA
Date: Wed, 07 Nov 2018 01:10:59 +0000
Message-ID: <129B91F9-E471-4AE4-98D3-F534D6BF09C1@mit.edu>
References: <CAL841A_29YGLC-LtQcj1Mw15skys59V0DvDmyOpDS6V+x1LxWw@mail.gmail.com> <CA+k3eCSuU=3ENrYk75e5waGD7erKsf5mX1vT+wfjkqL76QomwQ@mail.gmail.com> <369D0056-3FC0-417A-ADF0-7550EBB9794E@forgerock.com> <CAL841A90GbZ7c47Lpv=c5mmVRQUwZFVSZ_4CCu10xAsUsk11mg@mail.gmail.com>
In-Reply-To: <CAL841A90GbZ7c47Lpv=c5mmVRQUwZFVSZ_4CCu10xAsUsk11mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [18.9.1.81]
Content-Type: multipart/alternative; boundary="_000_129B91F9E4714AE498D3F534D6BF09C1mitedu_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA01TWUwTURTNmxmmU8KYoVD6rO2HI4mCYBU1qbhg3FL5UT+VRB3t2Da2hcwU pSQmUHc0LnErlU2ouGEIRNlcMBUSqUYwkggUURCjFiWiJu7UmU4Rfl7Ovefcc3Lz3iNQRROu Jix2B8vZGSuNR2MKuXJWav3Soaz5bX3J+rpAOa7v9BXJ9CVlv3B9x6cgvhIzPKrujjL0HKoA hmbPS5nB6/2JbMS2RC8zslbLHpbTrdgeba7oHMRyXGVonut5EC0AF8+gRUBOQGoRHBnz40Ug mlBQNQi81V+HSEUrgC2/PwGpaAfwa6AwImsEsCt4FZOKawD63/fiohlOzYYN5/sREcdTibD5 XSg8jlLPACz5+BQTiThqGRz4djUiWg6bL97BJbwO3vgRCPcxYdg1XCgTMUmlw4aHQ5Hocwjc X1cJREJObYINL9rCpoBKgN/9NeFhlFLBvuFyRFqPgt67nZFVlfDDm/EoCWthxV9RTwj6rfDy 8SQpKxZ2FA9jp4DKM8XJM6nyTFFJ7SRY26KT1DPh2WODMgnPgQdLSiM4A7beD6JTNRWAuA60 Rlt+qo2xWHl2Zyq/k7HbWS518TybxTGPNebWA/HyZWvoJnB6PNMHKALQMWTX7cEsRRSzh3fa fGA6gdBK0lQttKbtyDY6zQxv3sblWlneByCB0vHk4xsCRxoZZz7LZU9QMwiMVpGnD1RlKSgT 42B3s2wOy02wGoKgIZmRPpSliOVYE5u3y2J1TNIIIRfNYwRzlagh+RzGxltMEu8Ha4kjl0IX UGLIfcSNEqPhs/vJUeH8WPrDjSowe7adVatIWhymxGFzrv2/f/jBy9ZTQaAS1o0jG0RVjPAd /icEhXBECB/QvhbDHcwkpS4AmlFtX2tMgml15Zmgz3gz1BRqTFk9mng94eu6tC+1tOkeq/Qb 3B/SrriSVurUYGx+e5Ny3/RV6NslZsWr/A7ZHVvQcq+35/DCXYnx1Ser5MXVGvt4mW7vU/NI njZh0Z8LB+syXQHjXK+m9255coo3Iz39VPMcX8+GB5WfT5Q6N9MYb2YWJKMcz/wDOPS/gMsD AAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5iRpUnJZz0TDAvDeJ_m1CSXS6aE>
Subject: Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 01:11:20 -0000

Would it make sense for these to be a different client_auth_method entirely? Much the same way that we have private_key_jwt and client_secret_jwt today, both of which use the JWT assertion framework but have very different keying and security assumptions. In the same way, here you’re still validating the cert but the means by which it’s validated is different, so the auth method is arguably not going to benefit from being overloaded. Caveat, I’ve not built out a system using SANs in any meaningful way.

If we were to do that, this draft could go forward as-is (since it’s fairly done in my opinion) and a new document could better define the semantics for the various SAN types, but while building on the framework and concepts listed in here.

— Justin

On Nov 6, 2018, at 3:52 PM, Evan Gilman <evan2645@gmail.com<mailto:evan2645@gmail.com>> wrote:

Response(s) inline

On Mon, Nov 5, 2018 at 11:53 PM Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>> wrote:

Is there an intention that any semantics are attached to the SAN being a URI or DNS name or IP or ...? Or is it still intended to be an opaque identifier?

There are some extra things we could do if we attached type-specific
semantics to the matching (e.g. DNS wildcarding etc), however I think
that continuing to use the values as opaque identifiers would get us
most of what we need while keeping things simple.

On 6 Nov 2018, at 01:55, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org<mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>> wrote:

Thanks Evan for bringing this to the WG's attention. More or less the same question/issue was raised yesterday in the area director's review of the document as well. I plan to bring this up as a discussion item in the meeting today. But my sense from some early discussions is that there is likely to be (rough) consensus to make some change in order to allow a SAN to be specified as the certificate subject identifier in the PKI client auth mode. We'll need to figure out the specifics of how that works. I don't think there are significant drawbacks to extending the number of client registration metadata parameters per se. I guess I've just been attracted to the idea of overloading the existing value because that felt like maybe a less invasive change. But perhaps that's shortsighted. And there's nothing inherently wrong with additional client metadata parameters.

I don't know if we could get away with a single new parameter that could carry the value for any SAN type. Something like, { ... "tls_client_auth_san": "spiffe://trust-domain/path" ...}. In practice I feel like that'd probably be okay but in theory there's the potential for confusion of the value across different types. So probably there's a need to indicate the SAN type too. Either with more client metadata parameters like tls_client_auth_san_uir, tls_client_auth_san_email, tls_client_auth_san_ip, etc. or maybe with a structured value of some sort like {... "tls_client_auth_san": {"type":"URI", "value":"spiffe://trust-domain/path"} ... }. And then deciding which types to support and if/how to allow for the extensible types.

I am far from an authority here, but it is my understanding that one
of the primary drivers in supporting SAN over Subject is that the
values are strongly typed. While some of the advantages gained from
this may be less useful in our own context, I feel that it make sense
to keep the values separate and not overload a single value. Whether
that means dedicated metadata parameters or a structured parameter
value, I am not sure what the tradeoffs would be, but both options
sound suitable to me.

Anyway, those are just some thoughts on it. And it'll be discussed more today. Suggested/proposed text is always helpful though (even if it's not used directly it can help move the conversation forward and/or help editor(s) to have prospective wording).

Great. I will work on some sample text since it sounds like that would
be generally helpful

On Tue, Nov 6, 2018 at 5:53 AM Evan Gilman <evan2645@gmail.com<mailto:evan2645@gmail.com>> wrote:

Hello everyone..

Very excited to see this draft. It helps tremendously in addressing
use cases around oauth client management in machine-to-machine
scenarios. Particularly, the PKI authentication method.

In reviewing the document, I noticed that the only supported method
for identifying a client using the PKI authentication method is by
referencing its distinguished name. This caught me a bit by surprise -
many newer projects aimed at automating X.509 issuance in the
datacenter utilize SAN extensions rather than distinguished name in
order to encode identity. I am further under the impression that the
community is, in general, moving away from the subject extension
altogether in favor of SAN-based identification.

Full disclosure: I am one of the maintainers on a project called
SPIFFE, which provides identity specifications for datacenter workload
applications. For X.509, SPIFFE encodes identity into a URI SAN
extension. A number of projects using SPIFFE do not configure the
subject with identifying information (SPIRE and Google Istio being
just a couple). I am also hearing of other X.509 automation projects
which are moving away from subject/distinguished name (even if they
are not using SPIFFE).

While I think support for distinguished name is absolutely necessary,
I worry that supporting it solely will render it incompatible with
some of the more modern PKIX systems and not stand the test of time. I
know that I am a little late to this, and for that I apologize... but
I feel this is a significant point.

I would like to open a discussion on supporting the most commonly used
SAN extension types in addition to distinguished name. To accomplish
this, amending section 2.1.2 `Client Registration Metadata` with
additional parameters seems appropriate. In my experience, the most
commonly used SAN extensions are: DNS name, IP address, URI, and email
address.

Are there significant drawbacks to extending the number of client
registration metadata parameters? I would very much like to see this -
without it, many existing projects will be unable to use the spec. I
am happy to contribute time and text to this, assuming people feel
that this is a beneficial addition. Sorry again for the timing

--
evan

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
evan

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email