Re: [OAUTH-WG] DPoP followup III: client auth
toshio9.ito@toshiba.co.jp Fri, 04 December 2020 01:26 UTC
From: toshio9.ito@toshiba.co.jp
To: bcampbell=40pingidentity.com@dmarc.ietf.org, oauth@ietf.org
Date: Fri, 04 Dec 2020 01:26:10 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6-X2VT96e5JwU7YNMFEfy9847N8>
Hi Brian, everyone,

I'm interested in a client authentication method based on DPoP. It'd be a good option for application-layer client authentication with asymmetric keys.

However, I don't think the DPoP draft should include DPoP as a client authentication method. It should be a different document.

In addition, I'm not sure we can (or should) use exactly the same DPoP Proof JWT structure for client authentication.

Toshio Ito

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: Thursday, December 3, 2020 7:29 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] DPoP followup III: client auth

There were a few items discussed somewhat during the recent interim <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth> that I committed to bringing back to the list. The slide below (also available with a few extra spelling errors as slide #19 from the interim presentation <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>) is the last of them.

To summarize, I'm wondering if there's WG interest in working to formalize a client-to-AS authentication mechanism based on DPoP. I think it potentially would be problematic to put into the current document (for a number of reasons) so am preemptively ruling out that option. Thus, basically, I'm asking the WG if there is some/much interest in the idea? In which case I'll find some time (at some point) to write up an I-D for it and bring that back to the group for consideration. Or if I should, as the slide says, "shut up and never speak of this again"?

[Slide19.jpeg]

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.