Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Mon, 14 January 2019 18:42 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7RqFWt7xKUkaZLAfLIoqgmAyDO8>

No, my testing was not via XHR/fetch. Just direct request from the browser.
I was making the assumption (maybe foolishly) that it wouldn't impact
behavior because it's all at the network layer.

I saw that Firefox setting but left the default (at least for my install),
which was not to autopick.



On Tue, Jan 8, 2019 at 10:30 PM David Waite <david@alkaline-solutions.com>
wrote:

>
> Was your testing via XHR/fetch?
>
> FWIW,
>
> Firefox behavior is determined by a global pick automatically / prompt
> every time flag. Details at https://wiki.mozilla.org/PSM:CertPrompt
>
> Safari on macOS relies on the keychain, where a record is created called
> an Identity Preference. This is a URL (https or email) to preferred
> certificate mapping. Previously, it would create this record the first time
> a user selected a certificate, then never prompt again.
>
> Chrome seems to delegate to the underlying OS for certificate management,
> so on the Mac it has this behavior as well. This means however that other
> platforms may have different behaviors.
>
> Safari on iOS used to automatically select a single certificate match, if
> the query was for a single client CA. I didn’t try with other small numbers
> (2, 3, etc) but when exposing the list of all available CAs as valid client
> CAs, it would prompt. This may not be the heuristic anymore, as knowing the
> name of a client CA (such as one issued as part of a cloud EMM deployment)
> would allow certificates to be used for tracking.
>
> IE (pre-Edge) would allow the behavior to use an automatic cert or prompt
> to be configured per-zone, which would allow policy to send a device/user
> identification certificate to a particular set of sites by default. I have
> no experience with configuring Edge, unfortunately.
>
> -DW
>
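The observation above that browsers prompt (and can be fingerprinted) based on the CA names a server advertises in its CertificateRequest maps directly onto a server-side setting. The following nginx fragment is an added illustration, not part of this thread or any implementation discussed in it; the file paths and hostname are placeholders. nginx sends the subject names from ssl_client_certificate to the client but not those from ssl_trusted_certificate, so advertising only the issuing CA for the token endpoint keeps the list short while still verifying a chain that goes through intermediates.

```nginx
# Placeholder paths; replace with the deployment's own files.
server {
    listen 443 ssl;
    server_name as.example.test;

    ssl_certificate     /etc/nginx/tls/server.pem;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Weak: a bundle of every CA the deployment trusts. All of these
    # names go out in the CertificateRequest, so the browser sees a long
    # list (more likely to prompt, and the names leak which EMM/PKI the
    # server expects).
    # ssl_client_certificate /etc/nginx/tls/all-trusted-cas.pem;

    # Corrected: advertise only the CA that issues the OAuth clients'
    # certificates. Names in this file are sent to the client.
    ssl_client_certificate  /etc/nginx/tls/client-issuing-ca.pem;
    # Roots/intermediates needed to build the chain are still trusted for
    # verification, but their names are NOT sent to the client.
    ssl_trusted_certificate /etc/nginx/tls/client-chain-cas.pem;
    ssl_verify_depth 2;

    location /token {
        # Require a verified client certificate only on the mTLS token
        # endpoint; other locations can leave verification off.
        ssl_verify_client on;
        # Pass the verification result and subject to the AS so it can
        # bind the issued token to the presented certificate.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Note that ssl_verify_client inside a location block is only honoured on nginx versions that allow it there; on older releases it must sit at server level, where it applies to every path of that virtual host.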
