IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Warren Parad <wparad@rhosys.ch> Wed, 13 October 2021 19:11 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 700373A0977 for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 12:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2cF8Ngw3C_D for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 12:11:42 -0700 (PDT)
Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F402A3A09E1 for <oauth@ietf.org>; Wed, 13 Oct 2021 12:11:38 -0700 (PDT)
Received: by mail-yb1-xb2d.google.com with SMTP id h2so8799203ybi.13 for <oauth@ietf.org>; Wed, 13 Oct 2021 12:11:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3YQQWm3W4sKx07FYmN6d+hAkizOKbv9Vxtc8tmWS5cw=; b=Bc0uUxlxHT8Tgpdqets5hEkqL99yXasAholgrwjW7eAxOjFk4HLZFwzQzI4ty5Po+u CMHaYCCF+cRyBVs+CdWE/QOJq70evy1cWo/uuAEfWEbe07Qz3oOwJxVxpbYv4tZn00Zb 09gns6wHPAsd6IkYiCy4Ymp96icrNMp/WsASf96ifc5KzfsNJ4QK0xqN6+h87xd0BZV1 jiE6rNmO8WrGWnQbzGasHPKX+fTYv0SBtlvpVJAImG6zw9clWbvPxAI2lns+0SSfKlRg 1m7Nae4ih74OvNMmwdYOgfpYroVz2jCLjzkg+6kAVUyWQvvVnq52Od1vkLU9Di3AsANW h1cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3YQQWm3W4sKx07FYmN6d+hAkizOKbv9Vxtc8tmWS5cw=; b=sL649HEOK4ZrYKKd48sqZSu771jCtIVqF3OhGbigoxO9bLmPR5RV85NCmfRUE/Q518 MXfVm3KFcYwfSA+VIorG8N8utqZsjv09kbHMkos64C8H2JlFZkul8OsrVdcJD9E6Vopb dmSdKagPeP4u9XLzNQ1Y3boK8296dyTBETmSc4g3BkYtOtIvZJMU3J5J5BHXR+P3hxuB xuyjL2VAnqbT/HaFjC8oqWWbBi4rv976l46zER8aVVkoPpOUx8PUU84p/mx/Qzhtsz6o bv5hhMoxGKiANOP5soEyM/5Rw5+iiiUsb39pTGJFUpPIvSoIaL+I5jAgfZZ2y6vZeTei xbFg==
X-Gm-Message-State: AOAM532bpAKEYTqko+82xypvgoBZE+9oOeVD24aE1qL5swbB0CRquc1E wUw8QGwAGdNoR5tTBW+25OdVoI8R72+ybRYKgoym
X-Google-Smtp-Source: ABdhPJxNI3pvWi9R2gK4ul6hlw2FS/Sh6CX0ACJYi1pXW6GKWcsxKJWN3f2o+fMDyTq426tr5JyxWHrslOchdi0DiIM=
X-Received: by 2002:a25:dc82:: with SMTP id y124mr1262660ybe.521.1634152297846; Wed, 13 Oct 2021 12:11:37 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com> <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com> <CAJot-L1fio+-1sSn6Z88ianq04RoHJ3M5yxe0Bzu2Cs-CWCPkg@mail.gmail.com> <54A59064-B40B-4F6C-9E7C-A5618C2C4D3E@alkaline-solutions.com> <3CAB48B9-B517-4693-8CBB-3377122A6077@amazon.com> <CAJot-L3CiPf0XbTRHPgs71cxfhr2626+vt4XELDSf5nhkj8wdg@mail.gmail.com> <D3374E65-39EC-4032-947D-18DFCEAE0B78@alkaline-solutions.com>
In-Reply-To: <D3374E65-39EC-4032-947D-18DFCEAE0B78@alkaline-solutions.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 13 Oct 2021 21:11:27 +0200
Message-ID: <CAJot-L3hqk28EgxER+gFpZMQpCupadKAv+YMeiK7AhLsJT-XwA@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038ee7705ce40bb86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7ALHk2NBZDgooDoDbBWK7j44PTg>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 19:11:50 -0000

(Honestly I'm struggling to fathom a circumstance where symmetric keys not
only could be used effectively, but should be used, especially in the
context of PoP where there is more than one entity involved)

If the breaking point is symmetric keys, then I would recommend two drafts
with as close to the same semantics as possible, except name them:
* Symmetric DPoP for OAuth
* Asymmetric DPoP for OAuth

Handling key exchange is so fundamentally different as well as signature
verification steps, token and source trusting, that I agree having both in
the same document is problematic. Which is the reason I wanted to suggest
what are the non-negotiables for the authors of the new draft.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Oct 13, 2021 at 9:05 PM David Waite <david@alkaline-solutions.com>
wrote:

> Specifically to the discussion of symmetric keys:
>
> Adding symmetric keys implies one of a set of rather different
> architectures. For example, one may look (even more) close to Kerberos,
> with access tokens resembling service tickets, while another might
> negotiate a symmetric key/token local to a RS based on an RS challenge. In
> either case, a symmetric key basis requires resource-constrained keys and
> possibly tokens.
>
> It also makes preventing exfiltration of keys (and the associated tokens)
> harder to prevent - you would likely want to include key derivation in
> grant processes. The HTTP Signature key identifier might actually be from
> the AS or server, and even represent a wrapped key.
>
> I suspect adding this use case to DPoP would be more than a doubling of
> complexity.
>
> IMHO past discussions around symmetric keys were more arguments over
> whether DPoP could be considered complete without that additional
> complexity, due to the computational efficiencies of symmetric keys over
> asymmetric ones. This comes into play when the network/computational and
> complexity costs of a per-RS key/token negotiation is dwarfed by the
> ongoing use of that token to talk to a particular RS.
>
> This also means that it is primarily a concern when MTLS is not possible,
> as MTLS will negotiate a symmetric key at a lower level anyway.
>
> -DW
>
> On Oct 13, 2021, at 3:51 AM, Warren Parad <wparad@rhosys.ch> wrote:
>
> Are there things about the OAuth DPoP that are possibly problematic,
> definitely, but it is still in draft. Wouldn't this be the best opportunity
> to expose these problems to the authors and work through possible
> solutions? This conversation has already brought some things to mind which
> I'd be interested in improving, for instance *cnf *being an array, and
> attempting to utilize the Authorization header more effectively, but this
> isn't the thread to discuss those. Is there a reason we can't just improve
> the existing DPoP draft to remove the limitations you listed above?
>
> Warren Parad
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement
> Authress <https://authress.io/>.
>
>
> On Wed, Oct 13, 2021 at 2:54 AM Richard Backman, Annabelle <richanna=
> 40amazon.com@dmarc.ietf.org> wrote:
>
>> David, Warren, Hannes and others:
>>
>> The limitations of DPoP and mTLS have been discussed numerous times
>> within the Working Group. Here is a summary of those that I am aware of;
>> others may have additional concerns.
>>
>> (Though please note first that none of this is to say that DPoP and mTLS
>> are bad or useless – they each are targeted at certain use cases, and they
>> serve those well. They just don't serve *every* use case well.)
>>
>> DPoP Limitations:
>>
>>    1. Does not support symmetric keys.
>>    2. Requires the same key to be used with AS and RSes.
>>    3. Does not support multiple valid signing keys.
>>    4. Signed content is copied into the JWT and therefore duplicated
>>    within the message. This allows for bugs where the verifier fails to check
>>    that these values match, or performs that check incorrectly. (e.g.,
>>    assuming case insensitivity)
>>    5. Only covers the method, scheme, host, and path. Allows for
>>    additional arbitrary content to be signed, but does not provide any
>>    guidance or support for defining interoperable extensions.
>>    6. Depends on JWT, which may be a new dependency, particularly for
>>    clients that are doing OAuth 2.0 but not OIDC.
>>
>>
>> mTLS Limitations:
>>
>>    1. Requires a single end-to-end TLS connection between client and
>>    AS/RS. This often is not the case in modern distributed systems, e.g., TLS
>>    may be terminated at a load balancer, or by the hosting platform in the
>>    case of a "serverless" application. On the client side, enterprises may
>>    have TLS inspection appliances that break the TLS connection.
>>    2. Abysmal user experience in the browser. (though that is what DPoP
>>    was intended to address, at least initially)
>>
>>
>> In contrast, Justin's HTTP Message Signatures-based approach:
>>
>>    1. Allows for flexibility regarding key selection.
>>    2. Allows signing of as much or as little of the HTTP message as is
>>    appropriate for the request.
>>    3. Does not duplicate signed content.
>>    4. Does not depend on JWT, unless you want it to.
>>    5. Does not depend on an end-to-end TLS connection, or any other
>>    specifics below the HTTP layer.
>>    6. Allows servers to use the same signature mechanism for other HTTP
>>    signing use cases. (e.g., browser signing authorization cookies, LBs adding
>>    a signature over the `X-Forwarded-For` header field)
>>
>>
>> Note that these concerns regarding use cases not addressed by DPoP and
>> mTLS are not new. Below are excerpts taken from WG meeting notes going back
>> to 2019:
>>
>>
>>    - IETF 105
>>    <https://datatracker.ietf.org/doc/minutes-105-oauth-201907261000/>:
>>       - MTLS is good but not great for browser. TOKBIND has no current
>>       browser support. Need solution for browser apps.
>>
>>       - [Daniel Fett]: DPOP is hopefully a simple and concise mechanism.
>>
>>       - [Brian Campbell]: DPOP came out of a desire for a simplified
>>       concise public key mechanism at both the authz and resource server….there
>>       isn’t the overhead for symmetric keys.
>>
>>       - [Annabelle Backman]: We too find [DPoP] limiting without
>>       symmetric as asymmetric can be just too slow.
>>
>>       - [John Bradley]: The origin of [DPoP] came from the security
>>       workshop specifically focused on applications to do PoP should token
>>       binding not come to fruition. We could use web-crypto and create a
>>       non-exportable key in the browser. This is why there is no support for
>>       symmetric key.
>>
>>       - [Mike Jones]: Want to use different POP keys for AT and RT.
>>
>>       - [Justin Richer]: I really like this approach. But I agree with
>>       Hannes that having a server provided symmetric key is useful.
>>
>>       - Roman [Danyliw]: Strongly urge the equities of other groups and
>>       surface them.
>>
>>       - IETF 106
>>    <https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03.pdf>:
>>
>>       - Annabelle [Backman]: Would you consider using a HTTP signing
>>       solution and not do this
>>       John [Bradley]: ...[DPoP] has limited aspirations than the http
>>       signing.
>>
>>       - Some discussions on symmetric vs asymmetric encryption and
>>       Annabelle is concerned about the scaling and crypto costs. So some folks
>>       want both types, this would increase the scope of the effort [for DPoP].
>>
>>       The scope [of DPoP] was to be able to use something with sender
>>       constraint for SPA, this is not for broader usage, so this is limited scope
>>       not doing what HTTP Signing would be used for. So this needs to be
>>       presented as a very focused effort.
>>
>>       - Mike [Jones]: The usage of TLS for sender constraint is not
>>       deployable
>>
>>       - OAuth WG Interim Meeting – 2021-03-15
>>    <https://datatracker.ietf.org/doc/minutes-interim-2021-oauth-01-202103151200/>:
>>
>>       - Francis [Pouatcha]: DPoP should be by no way a replacement for
>>       HTTP signing.
>>
>>
>> —
>> Annabelle Backman (she/her)
>> richanna@amazon.com
>>
>>
>>
>>
>> On Oct 8, 2021, at 5:38 PM, David Waite <
>> david=40alkaline-solutions.com@dmarc.ietf.org> wrote:
>>
>> CAUTION: This email originated from outside of the organization. Do not
>> click links or open attachments unless you can confirm the sender and know
>> the content is safe.
>>
>>
>>
>> I do not support adopting this work as proposed, with the caveat that I
>> am a co-editor of the DPoP work.
>>
>> We unfortunately do not have a single approach for PoP which works for
>> all scenarios and deployments, why we have had several proposals and
>> standards such as Token Binding, mutual TLS, and DPoP. There have been
>> other less generalized approaches as well, such as forming signed request
>> and response objects on the channel when one needs end-to-end message
>> integrity or confidentiality.
>>
>> Each of these has their own capabilities and trade-offs, and their
>> applicability to scenarios where the others falter is why multiple
>> approaches is justified.
>>
>> The preferred solution for HTTPS resource server access is to leverage
>> MTLS. However, browsers have both poor/nonexistent API to manage ephemeral
>> client keys and poor UX around mutual TLS in general.
>>
>> DPoP was proposed to attempt a “lightest lift” to provide cryptographic
>> evidence of the sender being involved, so that browsers could protect their
>> tokens from exfiltration by non-exportable, ephemeral keys. In that way, we
>> keep from having to define a completely separate security posture for
>> resource-constraining browser apps.
>>
>> The motivations for the HTTPSig specification don’t clearly state why it
>> is essential to have another promoted PoP approach. I would expect more
>> prescriptive text about the use case that this is proposed for. In
>> particular, I would love to see an additional use case, outside of DPoP,
>> not solved by MTLS but solved by this proposal.
>>
>> If it turns out the target between a HTTP Message Signatures and DPoP
>> overlap completely, I suspect we would have the issue of two competing
>> adopted drafts in the working group. I personally do not know the
>> ramifications of such an event. I do not believe there would be consensus
>> on eliminating one, nor would there be a significant reduction in
>> complexity by combining them.
>>
>> Deferring until HTTPSig is interoperably implemented in the industry
>> gives us concrete motivation in the future to support both.
>>
>> -DW
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email