IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS vs. DPOP

Brian Campbell <bcampbell@pingidentity.com> Tue, 07 May 2019 17:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1A961202D2 for <oauth@ietfa.amsl.com>; Tue, 7 May 2019 10:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev22BsRBXCAd for <oauth@ietfa.amsl.com>; Tue, 7 May 2019 10:18:50 -0700 (PDT)
Received: from mail-it1-x135.google.com (mail-it1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 527871202D9 for <oauth@ietf.org>; Tue, 7 May 2019 10:18:48 -0700 (PDT)
Received: by mail-it1-x135.google.com with SMTP id l140so27021439itb.0 for <oauth@ietf.org>; Tue, 07 May 2019 10:18:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DExUIVhLdiArxwxJ0NmQk4sZz21SX2YmVeGp5M7H3E4=; b=Qqkf1xzCfAO62wEy4+47ehZZfNgN3ep+Mgif5tN9k4K6MQzASs0K5Y8FJ6glbnzVTs 15T4AcDY1Pf7/CCjyEumcqhZHgZ6AMJ8AG9MXLJ7qgRPYV/YMWAVTGRFkzPOlypFxIV4 8FlxyxVe4Sjs4C8pQZTYe8XCFTu4A9bjN8U48=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DExUIVhLdiArxwxJ0NmQk4sZz21SX2YmVeGp5M7H3E4=; b=F8dfafWsQ8IUZdNcKmlmJQUrKRECKuHP1SMajP+csnz33qBo2qHhGSImvepNUmt0Cv 91sWKZqzRDu+NQWGd+EDVF41HtpljhPOS85U+uq2f/pZd2Ccp26184yyORbyL2kzN/gL y//Qxc0ZYzbMZMa5H2nUPAKhA97tmHqngnLxuo7N4qeBdBAH+kbp4fJNx431shgSdZgz RieU1xXc7VP2N1QIy23TTQmw3O0FipEFXDIs4TBzdQbED8QVxx+RQDJ/GEUYIxqDcShK CkIw3cqbwnpuMTyB7bp69WtF/51v6YPkxITeb+ujU0iV6r1w/l9D30zM3MYD8N3sCK10 oo4Q==
X-Gm-Message-State: APjAAAXqqWGeYKTwN8X3dzbt/4sw5vhPPm+IexMihyHiMxB7hp2zigin 99saiuwmWfm6SBp0HExkEgTVVEPxbIFzgpLhpeXDMPtiJwbXkIApojt2PYEV9EHvhvRMR8/RFeN lsT5ZgDtKHmb2KmMr
X-Google-Smtp-Source: APXvYqx9HsDvW6a1KRTc1QQ8nNU5ukpNFfzehRxe2tbkq+lrkHDqNoMQbbELF3826nVsADx4CKbQgPnnLDhOxGA9jus=
X-Received: by 2002:a02:62ce:: with SMTP id d197mr23922642jac.91.1557249527436; Tue, 07 May 2019 10:18:47 -0700 (PDT)
MIME-Version: 1.0
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com> <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com>
In-Reply-To: <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 07 May 2019 11:18:21 -0600
Message-ID: <CA+k3eCQWcHoM4OLeuVGEG2FccOXYWVUwnO00LhaEBTvBZXbFog@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9025705884f680b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7roRXIdBvymPXGN5P_E0WKWXq5o>
Subject: Re: [OAUTH-WG] MTLS vs. DPOP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 17:19:00 -0000

Practically speaking there's the MTLS draft, which has been sent to the
IESG for publication, has commercial and opensource implementations as well
as production deployments, and is referenced by other prospective standards
and profiles. It's not uncommon to receive off list inquires about the
document status from people involved in those things asking when it will be
"finished". Which is to say that there's a good amount of interest from the
community at large in seeing the MTLS document go to RFC. And it's
relatively close to doing so (as these things go anyway). The DPoP
document, on the other hand, is currently an individual draft submission.
And while it has generated some good interest and discussion, it is only an
individual draft submission and carries the same authority as any other
individual draft submission (see
https://tools.ietf.org/html/draft-abr-twitter-reply-00 for example). I
believe that the MTLS draft should continue on the it's course. And am
interested in seeing where we can take the DPoP work and if the WG wants to
take it on.

Your point about the "PR" perspective is taken. And I probably shouldn't
even bring these up but that whole situation is exacerbated by the
expired/dormant WG documents like draft-ietf-oauth-token-binding and
draft-ietf-oauth-signed-http-request. Some organizations out there touting
their support for RFC 7800 as a complete solution in the
pop/sender-constrained space aren't helping matters either. So while I
think I hear what you are saying, I don't personally see much of anything
reasonable or actionable that can done about it.




On Tue, May 7, 2019 at 9:45 AM Vittorio Bertocci <Vittorio=
40auth0.com@dmarc.ietf.org> wrote:

> To clarify, I wasn’t suggesting we drop one or the other. Both have their
> merit and use cases, and both should be developed all the way to standard
> IMO. But from some preliminary exploration, it seems unlikely that services
> will adopt both at the same time. From the “pr” perspective, having a clear
> _default_ answer to the question “how do I add sender constraint
> capabilities to my service?” would greatly enhance the chances of getting
> something out in the real world quickly, make it possible to interop and
> iron out wrinkles, etc etc-
> For the general developer populace, at this point “sender constraint”
> remains something vaguely exotic and often decisions made on that (like the
> ones on the implicit deprecation) are poorly received. Even the ones who
> had exposure had been somewhat “burned” by how token binding is going, and
> we are in need for something easy to grok and actionable to rekindle
> interest IMO. The sooner we can get the concept mainstream the better.
>
> On Tue, May 7, 2019 at 07:13 George Fletcher <gffletch=
> 40aol.com@dmarc.ietf.org> wrote:
>
>> I don't see them the same at all. With MTLS, the token is bound to the
>> transport layer (and the key used to establish that encrypted connection).
>> With DPOP, the token is bound to the private key known to the client.
>>
>> To compromise an MTLS bound token the attacker has to compromise the
>> private key. To compromise a DPOP bound token, depending on what HTTP
>> request elements are signed, and whether the DPOP is managed as
>> one-time-use etc, there are additional attacks. (Ducks head and waits for
>> all the real security experts to prove me wrong:)
>>
>> The deployment models are also different. With MTLS bound tokens the
>> clients don't really have to know about the binding because it is
>> established at the AS and the deployment of the service manages the cert
>> used for the MTLS connection. This is simpler for client development
>> (provided the environment is already set up for MTLS everywhere).
>>
>> I'd strong encourage us to continue supporting both methods.
>>
>> On 5/7/19 4:25 AM, Hannes Tschofenig wrote:
>>
>> Hi all,
>>
>> ?
>>
>> In the OAuth conference call today Vittorio mentioned that some folks are
>> wondering whether DPOP is essentially a superset of MTLS and whether it
>> makes sense to only proceed with one solution rather potentially two.
>>
>> ?
>>
>> I was wondering whether others in the group have a few about this aspect?
>>
>> ?
>>
>> Ciao
>>
>> Hannes
>>
>> ?
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://www..ietf.org/mailman/listinfo/oauth>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email