[OAUTH-WG] Re: Call for adoption - PIKA

Pieter Kasselman <pieter.kasselman@microsoft.com> Tue, 02 July 2024 13:40 UTC

Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FCC9C14F71B for <oauth@ietfa.amsl.com>; Tue, 2 Jul 2024 06:40:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.254
X-Spam-Level:
X-Spam-Status: No, score=-2.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o9Y_1dB0eHRO for <oauth@ietfa.amsl.com>; Tue, 2 Jul 2024 06:40:22 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2092.outbound.protection.outlook.com [40.107.21.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC880C14F6EA for <oauth@ietf.org>; Tue, 2 Jul 2024 06:40:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gak1puYyKaKsl7WgfLNnAOhhd5G3R8b2gW6NwuAoJdm3N4vh0rwFtrHod5I1cvkxfqepLVSMPPsL/1X38i/P7GA01ATreZGOcGupTFSk2RynDDfUMGM0etOa9GiBoLmqVO6VEIK1XGaKFut6SZhGiE+bfgU+aCBoW6lkVmKZ9KsewcojeDoNvuz3l8m8zdxzsdaGR1QO7OSKqjiRgWNwCua3id2kdMomPjNpZQrSQsIL3BycXodqEzksOFTlt7xcVtd1VcxNbWA6D5el/O/gIo+zpFxizDVNzl0pQUbsJGfAsJha0O7LD38QuwOesvLvCvnxZK/pQoMDuFUiReNJrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=7aU3XBdkDINURKHxBW4wHOg4Gn4oqaqsac+0fIospZc=; b=ZdOsdVywv6Ld8RPOhQN2yYGM8017bXsM8qhRoBg5egy6mz7KG9vaztdNGQbPQjcI57w38uR/4fE3sHl1aTrGSmZYXv2r+kUj6e2vhR6w1+kRStMEkoilK3mS4xlJIdN8X/O4hDx6flkwAh8VJazQdFDLI5rShj3oMVZ7BmI74pyjY+KYKhpp30H+CCSWYNtGvroX9uTnOeDCTfB+4YelqHTWz+dccXA6gP09wK0fVyn+rMSs2Ajku0ke2lYUxiVLWFVmAoFn8Y7+0XfuY4jy5EgwR9oAbwlloM1BZkdPP9sUJpI1foy/R1BQSf9/M6yTnyBzjxW8psUshtqKEShr7g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7aU3XBdkDINURKHxBW4wHOg4Gn4oqaqsac+0fIospZc=; b=RqYkEyvyjOil9dCtQhC3MjZyQ+GLWcb16BwFv8LxSZ3UA1kq8k/jPyiYTEo5pYqAocO62AHsSBEW01QqXn2yb9cbNM4TeLLmqBHLRUv2ZkT/4fkpbGdpgGsewoQPyGHUfm7K0lBP1L1E6eH5mfrtdnhi4FoOXn6TvctMuCs1oyg=
Received: from DBAPR83MB0437.EURPRD83.prod.outlook.com (2603:10a6:10:19e::6) by VI0PR83MB0786.EURPRD83.prod.outlook.com (2603:10a6:800:26a::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7762.0; Tue, 2 Jul 2024 13:40:18 +0000
Received: from DBAPR83MB0437.EURPRD83.prod.outlook.com ([fe80::9ee1:305:cfd7:dded]) by DBAPR83MB0437.EURPRD83.prod.outlook.com ([fe80::9ee1:305:cfd7:dded%5]) with mapi id 15.20.7762.000; Tue, 2 Jul 2024 13:40:18 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Thread-Topic: [OAUTH-WG] Re: Call for adoption - PIKA
Thread-Index: AQHax0JLhLBgC8xxKkWSW4TqM6cpILHjcc6Q
Date: Tue, 02 Jul 2024 13:40:17 +0000
Message-ID: <DBAPR83MB04379A8BF37E7914EBA5586F91DC2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com> <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com>
In-Reply-To: <CAL02cgQYom9P+yGMODkHNE125mZnQxRdUTNQbP4ck4y48cgGTA@mail.gmail.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=7ba84c7c-c8a9-4cbb-a36d-074e08e902d0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2024-07-02T13:02:58Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DBAPR83MB0437:EE_|VI0PR83MB0786:EE_
x-ms-office365-filtering-correlation-id: a7f0c8cb-c16d-4299-e683-08dc9a9c82c8
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|4022899009|366016|1800799024|38070700018;
x-microsoft-antispam-message-info: 0mcXDxxTPmE/tkbon7zQZ8e9b24JdYGiiGwJ1+OGZmlWwN+lYROkfNudg1JNy3cm73FCZGV6Uvb8/34P8dDTrwCltn/Yf+0CPsE5RjZeWAivcSp9dlXhkV90tQaPy9oQWxIrIXtEACai09E2dresr2ob4yaW2Ggfi7P8hbxj/FQhyMGiRKy6tmze9Ja9v1R8aqMJ33kxESpSv//dun1bVjN6iLxamynQMhuBehgrDjIi2XDB9DmBmezMZbEnLWtN+GcUSO2PW8PCny+QnMP9Nr8i9sM72i4yZ0VdUSEBFIUR7kkm932+u8AngxLBnURSCsUkH5BFyKkI6NRSIoVbDkU44vs08DgQT67syoGpvNfnNYH6EJkotnUqSnTa+Pcox4dPOzBxwoO2Es5C6nVItDqAuPTuX4y6mu4qaSXCWk/Q6x6Isz5Jh0uO3kjbOemKlNt62/1xXb380POEDxeMwJOrZDhIsgUBcgq2XC4/YuMaH4WnNPgZNYwlOcu5iFX9hvkvKDng7ztR0TuNg4jMqJBEy25fl0VnXnHZQhZRPNiPpgXAYjNc2vBOvmJr7X02xw5JrWIVsYzL/hzalUJnv65S1aRGAA3L65/4qFwIuU98pfMDDLR2XBjG6lFEV2bGYttBmQtajWowaa10oDxLswuBkEZSt/GPvHT/Gxn/itJE6K+EJW/Es7Irde/XLm4JAK+0kVrjiKq2NDaEBCDKiJOyjl9wh8TcqKGEsVT2bWXJv67hG3emmaQmh9X+wQboagzgtjJFZpCRf4hzHRY3Z9KhD9yiilBsfbsPEQoYHdLYED8TWImgvSA3oS7mYfp+KE33SIpTxtDiTh2DASPueS8F1rr0JICqrQkt82ezYE9SpT9ULkE5hHnmd8uUZqoBew0dpA1yP54d9OCKT7QhNiJFlTaeuFX5KUcPEWZUBOlGTEd8MgcY5y4ASZv5k+gJrQUO/Og5HVvhqSrT3/LxLQ4XViDAISKiX7WkT4nRfkUZGfyviT+12yO1cG1JPsEbhCgy59ogM2hkGmWO91K5o/sZF270DRyrYkrCBO5ljBilQT1o1hxNjGRImGQ8bckOd8XioRhiRBZvynMMZCHiPhKnixgv4EwI1Fm2qtemyxLbxXDweII/ify7T45tndFuGV8b7wNZMK0lZDLapSTT6kyZeGpiHMO9FSuJEyJBuHapmprT2ImEVUIZOvZwfGVeR4BOU7wR0+z0mAWm+Mtm/0CDwL33r2WeFLa+t/ASGj4u9iyp5ilOqk7rt3njA5BwzzqnLYi9AEZpY2jK/a570NpSb74KVfJT3Eksg1BXpqpkPh88W6dLIjS2dplx470gvkpxZJ0me2ozIUJRkebBvBEoO4lAxUOTJtv+FiAs92w=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DBAPR83MB0437.EURPRD83.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(4022899009)(366016)(1800799024)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: e371SVEi9qgbtjTCcxY1ExD/w41i689wPQN/nd0Xvzuiuk/AXqSHZtnX7RAmcniGZIWZBrFuLJ6P12QjZ1j1TIqe7rEroFM+q7PXg+k26iTelLxKM3Y5Xxn1BkOwCOeRyy0e6atZH00wCssdZIcu4+0SJZYXIYnjyfkSaEmrENE9RumQXLOupMAa8c6bUH5DGsOHA/b2OD4LwDsT7NHXvBhVe3QsqLSfhcuPgMUI19hk1E1B5BbWXmXRnez/4yU5M2R2iTg190Al79b++zxVRTzOtz/0xE+SfU1Grr9oriDBvy2i5qZX2vruuRMII+638GSFs12TJnbS0JHxGjT3fTRP/0QSWLxBDT00SGOp6f8csy0f4YvJYcbxDIK4fLJ63xWzcWJ+McvfPGdf5WiY1vGl+9t5tRn1WNdgXtGSV65uahyOgTrN/kDEQz1pqZFwv6+UGi0oB5myx279L1IbdJQF9skacMmTNCpSZogSlsDEpw3wubQ1Bvz0Nq4sX6JcsragSjOAN9z8gBFyr3jXun8NqY6feZM0piCnKxTW1OA9fDVAE77Y5lhEj8JepZNqmliqDom4ECAYTK2Um4VAoIsc9k89yz3r3IsLtQOLE9hAN+5lPP4Ul3+YpWXJoslHggyeoOpP7NxvzYRdajnpkSZ6r/biJcZAK9+chugV0QhdtR4QbQbLwZjgz0uBiSem617So1oDfSZDK8ReOgQrOnaWj/v7a5rmVPSKEzSzo+OXFGdAN75lXXrpTqGJetp6BLLv9PLccAdAOKm3wA8bfHdXCuCMLgesubrchIsB9DzaCq+7uOr/cuaO56ME6Ux4Yp3ZwBfFazRNu0Cj6DMYa59BsWVbbHRJxTvuCW+g2P3U0JfZE7ib8RPHRApwILUD8Qb8UEk6wktMiwiqfn/OG10a3/GvF14YMf9B2WqfyIc9Ao9vy0+hGuonUi4ASwBjFaqgj3U4yKL6zH49IikjUTqp3MC/f/p0dO3PS9lqOsLK4oZaCVyFE0BHhIw0GdAoNoJp0vNTGmtkWsR/ePJSwtznem8QMnEGFZh/sG26p4ds/7/kTLdebmWAzyS1tpo4jWopU8bMAJnmM/rqPRfx1T9X1wTtmhIkh9qa1VPzZoKpdPyf6kWnuva9t0GBcd7ePyxP6iBj8bxMMBiDA0y1WZ7iL5L7kA57jNNnk5taNUw+OkE+g8AocNX0aidjNrQExmVhq2Zo4jA5bFr3kJ5GFcLDgh4kNjatMuwZGUQVbXLBZAjS38Kp6rp5MzSeceWOtuuGsf+RhrCH/mIXOaCiOBOXp5JKeUx60OjewFbks7fqc/MH6d6Dq5AX0KYOkVp/4I4l0Et3Baj82YyaXsmxJOdkTFvTT0KkBJI+aAsmzMW7cinVrkcOIMEM5j/d0fuvx/12Gv9ABq/fnxIwdQYV4lnFQFDqL8rw8rB0giYk7XMtDsLtfaNkySyN7+NE2w9FPMsEdOO/nIHDxVy3kKRdyOBn2oamsfCIXvURkKzkexODzCE/zvWQ7gFEIGRLF0BS
Content-Type: multipart/alternative; boundary="_000_DBAPR83MB04379A8BF37E7914EBA5586F91DC2DBAPR83MB0437EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DBAPR83MB0437.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a7f0c8cb-c16d-4299-e683-08dc9a9c82c8
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2024 13:40:17.9363 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +S2TIB2KX+FtL416dnPszelY5iT2YRtqVPnTYcu2Frbx+f8WDIpyA2AkaETbIMBwzYF+zYN0orqNu4OYleXENEVMrV+kANk5yMLrOXukeoE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI0PR83MB0786
Message-ID-Hash: LZGHTE3WIGSIJB63KRPLMCTEOR33VMTI
X-Message-ID-Hash: LZGHTE3WIGSIJB63KRPLMCTEOR33VMTI
X-MailFrom: pieter.kasselman@microsoft.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6oE8-lE5WCRHohGWD4ZWobKVL_0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I want to thank the authors for preparing this draft. It addressees an important set of scenarios and I am supportive of the goal of this draft to add additional protection to JWK Key sets beyond being hosted on a web server protected by a TLS connection.
I have some questions around the trust framework/trust model and would like to see some clarification or clear guidance on where the X.509 certificates would come from and how they would be used. In general I am concerned by practices of using the same keys and certs for multiple purposes. It causes confusion and may result in security issues.
From reading the draft and some comments referring to Web PKI, I get the impression that one option is to use TLS certs for signing artefacts that would be long lived, or would need to be archived/managed for a long time. Generally, using a key/cert to authenticate a web server for an ephemeral connection is different from generating long lived signatures that may be archived for decades as part of security audit data. Even if a separate TLS cert is used, it raises concerns about confusion that may result from using TLS certs in this way (it would be indistinguishable from a regular TLS cert for anyone verifying the key set). If the same certs/keys are used for both the TLS connection and generating PIKA proofs, it raises questions about application layer access to signing keys on the web server where the TLS session gets terminated. TLS keys are by nature closer to the edge where they are more accessible/vulnerbale, compared to keys that are used to sign artefacts that may persist over time and should be kept further away from the edge.
It would be good to provide clear guidance on the trust framework for PIKA certs. where they would come from and the need of keeping them separate from certificates and keys used for ephemeral purposes (securing TLS connections). Perhaps this is something that can be done as part of security considerations, or may even be subject to its own in the draft.
Cheers
Pieter


From: Richard Barnes <rlb@ipv.sx>
Sent: Tuesday, June 25, 2024 9:56 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA

Hi all,

Replying to the top of the thread again to recap the arguments so far.  (Hoping the chairs will give us a moment more to discuss before calling cloture.)

It seems like Sharon, Rohan, Watson, and I are all on the same page w.r.t. the X.509-based mechanisms in the current draft.  In particular, we're all developers of relying party software, and it seems like we're all OK with doing X.509 (contra Mike's point about application-level X.509).

If I understand Mike and Giuseppe correctly, they want to be less prescriptive about how the PIKA signer establishes their authority for an "iss" value, so that an OP could use some other mechanism (e.g., OpenID Federation).  It sounds like Mike at least is OK with the draft aside from this point.

I would be open to adding some optionality in the authority mechanism here, but I'm wary of losing the concrete interop that we get with the draft as it is.  So we would need at least a strong recommendation for X.509, even if something else can be used if the parties agree to it.  I would be more comfortable doing something along the lines of what Rohan suggests, namely defining a concrete, X.509-based thing here, and extending it to support other mechanisms via follow-on specs as needed.  If there were a single additional mechanism that people wanted, as opposed to a generic "[insert authority mechanism here]", that would also be more palatable to me.

Additional feedback would be useful on a couple of points:

1. From RPs: Is the X.509 requirement onerous to you?  Or is there enough library support out there that it's not a big deal?
2. From OPs: Is signing using a key bound to an X.509 certificate workable for you?  Or do you need some other authority framework?
3. From everyone: Is the general mechanism here useful, assuming we can align on some set of authority frameworks?

Thanks,
--Richard


On Mon, Jun 10, 2024 at 7:47 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com<mailto:rifaat.s.ietf@gmail.com>> wrote:
All,
This is an official call for adoption for the Proof of Issuer Key Authority (PIKA) draft:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by June 24th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to oauth-leave@ietf.org<mailto:oauth-leave@ietf.org>