IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 16 November 2016 00:03 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84E911293D6 for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2016 16:03:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zc0V_hWM6zzL for <oauth@ietfa.amsl.com>; Tue, 15 Nov 2016 16:03:51 -0800 (PST)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 773831293E9 for <oauth@ietf.org>; Tue, 15 Nov 2016 16:03:51 -0800 (PST)
Received: by mail-it0-x234.google.com with SMTP id b123so28949342itb.0 for <oauth@ietf.org>; Tue, 15 Nov 2016 16:03:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gXHh9fvB65HDL4rN18XcUhVsYheRGkVT1XD+9xlGj6g=; b=Wa9QOi6FAaa1exNoMrqMbzIBy8crx9M2o1jsQ5HMkjnrXeOJJ5ARl0xHAbm5QfsHuU 2GVnlco8Yx/irjmz16b426JK7xZ9N4V4gAIxZVjkrmrAUEbXxWHb9IvFKb+Mhc8ySgmc 46AbK8ikpSuyK1Ihkvy/Q+RoKmhwNSwi16Krw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=gXHh9fvB65HDL4rN18XcUhVsYheRGkVT1XD+9xlGj6g=; b=Y5rCgwnGd+Ta5OYIA/DIttdafU9u5z/NGQMK1Oj/xBzuWqS7kNAnLeseYORFGgecSw UPiez2HOUuydC20dDZsuX8Rf1GQ/NNsZrGgm8Clvrm2VhvZi++mpAfLKxibS999N7+aq lusovXzOCR6qGcwMlRM+VqXEN5pYH5oCKJ45KAtLgZflMDS4uCJjT1o5HoJeaNASHVC4 To6xu5duB686fJgH/6RsAqeVqQ3CnWY6CklwQeV6PDnDi6D+/kxX8bSU2z/suljHurXf N2zzvTqruHj+1U3SFruZchMHfi5Pn7rJypRlwhGdhp/lwkwZ2wuD34WV9RKN7ehYgNYk femA==
X-Gm-Message-State: ABUngvcYe3wTA9jpDp7ZXsPLoNA0DcxU/V6ZMu4XjhqRPBkaM6SabchC5PmA5ALOCmH1KqjoDzUoAXpC7+u7HPha
X-Received: by 10.36.31.82 with SMTP id d79mr5422678itd.79.1479254630638; Tue, 15 Nov 2016 16:03:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.156.74 with HTTP; Tue, 15 Nov 2016 16:03:49 -0800 (PST)
Received: by 10.79.156.74 with HTTP; Tue, 15 Nov 2016 16:03:49 -0800 (PST)
In-Reply-To: <CA+k3eCTuC7EfXm-aGKDEPFUDjAjB4nZyy9wHCBwYVfRX6-zdzw@mail.gmail.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <5827DE8A.4010807@lodderstedt.net> <4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu> <5827F848.3060803@lodderstedt.net> <2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu> <58280139.2040505@lodderstedt.net> <CA+k3eCS-S8G-jxRMnvczaysdNZSRWwiPnGTMnGVnh8dWgh0k-A@mail.gmail.com> <F31A1C87-C18F-4203-A1AE-DF32BCB005B4@mit.edu> <CAF2hCbYxcVzfPCQ5vLm9-Xnz3y_tMOepx1Gkwx9-2txKJo1zKg@mail.gmail.com> <CA+k3eCTuC7EfXm-aGKDEPFUDjAjB4nZyy9wHCBwYVfRX6-zdzw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 15 Nov 2016 17:03:49 -0700
Message-ID: <CA+k3eCQb49hau3287nu6g1E6TXPFh2-Usojp_nQLU1wv5VFBPQ@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Content-Type: multipart/alternative; boundary="001a1145e852cac63c05415fcef9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7m9MlDBMFelzBmcknhDoeIaHBIo>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2016 00:03:54 -0000

Whoops, "about" at the end of the 1st paragraph should be "abort".

On Nov 16, 2016 8:08 AM, "Brian Campbell" <bcampbell@pingidentity.com>
wrote:

> Yes, I believe you are correct. Client certificates are provided in the
> handshake (initial or renegotiated) at the request of the server. If the
> server asks and the client doesn't provide a cert, it's up to the server
> whether to continue or about the handshake.
>
> There seem to be a number of different ways of trying to deal with this
> (not strictly for this OAuth case but similar situations).
>
> The AS could always request client certs but allow connections to proceed
> regardless. Then check for certs for appropriate clients while processing
> token requests.  I guess there's a little overhead in the handshake with
> this for all the connections that won't present a cert. But not a ton. The
> main drawback is that some/many browsers have UI that will prompt users to
> choose a cert even when they don't have any. And the user experience can be
> very bad or confusing as a result.
>
> The token endpoint could be on a different host or port which always
> requests client certs. Still allow connections to proceed regardless and
> check the client credentials at the OAuth layer. Pretty similar to the
> above but avoids the usability issues with end users because it's only at
> the token endpoint.
>
> Trying renegotiation after the application sees that it's a token request
> or that it's a token request from a client id that's configured for mutual
> TLS is another approach. In my own limited experience with this kind of
> thing, however, this approach can be kind of flaky. And your point about
> the initial data not being trustworthy is legitimate. I'm not sure if it
> really matters in this case. I don't know. And signaling to resubmit is
> another issue all together.
>
> There are probably other approaches too but those are the things I've seen
> or can imagine. In all (or nearly all) the deployments of our stuff that I
> know about that deal with mutual TLS, some variation of the second option
> is used.
>
> All this seem like implementation/deployment details though and I'm
> hesitant to try and define how to do it in this doc. Maybe providing some
> guidance. I'm not exactly sure how to do that though.
>
>
>
> On Tue, Nov 15, 2016 at 10:14 AM, Samuel Erdtman <samuel@erdtman.se>
> wrote:
>
>> Torstens questions triggers another question from me.
>>
>> If we have an AS that can handle both certificate client auth and client
>> secret, how does the AS know that it should ask for client certificate on
>> the TLS layer.
>>
>> It was a while since I last read the TLS specification and it might have
>> changed but if i remember correctly client certificates are provided in
>> initial handshake or in re-negotiate and it is only provided on request by
>> the server.
>>
>> If this is still true the AS would need to first get the token request,
>> see that this is a client that authenticates with certificate and request a
>> TLS re-negotiate to get the certificate authentication and a re-submission
>> of the token request since we cannot trust the data first submitted.
>>
>> Are I missing something obvious, or is this something that needs to be
>> defined?
>>
>> //Samuel
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Nov 14, 2016 at 1:26 AM, Justin Richer <jricher@mit.edu> wrote:
>>
>>> Right — this is a fine way to put it. RFC7591 defines a client model
>>> where RFC6749 didn’t. Ideally all that metadata would’ve been in the
>>> original spec, but it’s not. It doesn’t matter whether the client was
>>> registered dynamically or statically, it just matters that the AS knows
>>> what to expect from a given client.
>>>
>>>  — Justin
>>>
>>> On Nov 14, 2016, at 6:21 AM, Brian Campbell <bcampbell@pingidentity.com>
>>> wrote:
>>>
>>> Yes, the intend is that the authentication method is determined by
>>> client policy regardless of whether the client was dynamically registered
>>> or statically configured or whatever. I can make that point more explicit
>>> in future revisions of the draft.
>>>
>>> On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
>>> torsten@lodderstedt.net> wrote:
>>>
>>>> I understand. My point is different: the text seems to assume everybody
>>>> is using client registration, but that's not the case. I would like to
>>>> point out it makes sense to explicitely state the assumption that it is
>>>> determined by client policy (indepedent of the way this policy is
>>>> established).
>>>>
>>>>
>>>> Am 13.11.2016 um 14:24 schrieb Justin Richer:
>>>>
>>>> As part of the client’s registered data model. At least, based on how
>>>> our own implementation works (where we support client_secret_basic,
>>>> private_key_jwt, etc), that’s where we’d check to see if the client was
>>>> supposed to be using TLS auth or not.
>>>>
>>>> We don’t let clients switch away from their registered auth mechanism.
>>>>
>>>>  — Justin
>>>>
>>>> On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <
>>>> torsten@lodderstedt.net> wrote:
>>>>
>>>> Justin,
>>>>
>>>> Am 13.11.2016 um 13:39 schrieb Justin Richer:
>>>>
>>>> Torsten, I believe this is intended to be triggered by the
>>>> tls_client_auth value specified in §3.
>>>>
>>>>
>>>> in the token request?
>>>>
>>>>
>>>> Nit on that section, the field name for the client metadata in RFC7591
>>>> is token_endpoint_auth_method, the _supported version is from the
>>>> corresponding discovery document.
>>>>
>>>>  — Justin
>>>>
>>>> Torsten.
>>>>
>>>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
>>>> <torsten@lodderstedt.net>torsten@lodderstedt.net> wrote:
>>>>
>>>> Hi John and Brian,
>>>>
>>>> thanks for writting this draft.
>>>>
>>>> One question: how does the AS determine the authentication method is
>>>> TLS authentication? I think you assume this is defined by the
>>>> client-specific policy, independent of whether the client is registered
>>>> automatically or manually. Would you mind to explicitely state this in the
>>>> draft?
>>>>
>>>> best regards,
>>>> Torsten.
>>>>
>>>> Am 11.10.2016 um 05:59 schrieb John Bradley:
>>>>
>>>> At the request of the OpenID Foundation Financial Services API Working
>>>> group, Brian Campbell and I have documented
>>>> mutual TLS client authentication.   This is something that lots of
>>>> people do in practice though we have never had a spec for it.
>>>>
>>>> The Banks want to use it for some server to server API use cases being
>>>> driven by new open banking regulation.
>>>>
>>>> The largest thing in the draft is the IANA registration of
>>>> “tls_client_auth” Token Endpoint authentication method for use in
>>>> Registration and discovery.
>>>>
>>>> The trust model is intentionally left open so that you could use a
>>>> “common name” and a restricted list of CA or a direct lookup of the subject
>>>> public key against a reregistered value,  or something in between.
>>>>
>>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>>
>>>> Regards
>>>> John B.
>>>>
>>>>
>>>>
>>>>
>>>> Begin forwarded message:
>>>>
>>>> *From: * <internet-drafts@ietf.org>internet-drafts@ietf.org
>>>> *Subject: **New Version Notification for
>>>> draft-campbell-oauth-tls-client-auth-00.txt*
>>>> *Date: *October 10, 2016 at 5:44:39 PM GMT-3
>>>> *To: *"Brian Campbell" < <brian.d.campbell@gmail.com>
>>>> brian.d.campbell@gmail.com>, "John Bradley" < <ve7jtb@ve7jtb.com>
>>>> ve7jtb@ve7jtb.com>
>>>>
>>>>
>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>> has been successfully submitted by John Bradley and posted to the
>>>> IETF repository.
>>>>
>>>> Name: draft-campbell-oauth-tls-client-auth
>>>> Revision: 00
>>>> Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
>>>> OAuth Clients
>>>> Document date: 2016-10-10
>>>> Group: Individual Submission
>>>> Pages: 5
>>>> URL:
>>>> <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
>>>> https://www.ietf.org/internet-drafts/draft-campbe
>>>> ll-oauth-tls-client-auth-00.txt
>>>> Status:
>>>> <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
>>>> https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>>> Htmlized:
>>>> <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
>>>> https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>>>
>>>>
>>>> Abstract:
>>>>   This document describes X.509 certificates as OAuth client
>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>   authentication as a mechanism for client authentication to the
>>>>   authorization server's token endpoint.
>>>>
>>>>
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email