Re: [OAUTH-WG] Server cret verification in 10.9
John Bradley <ve7jtb@ve7jtb.com> Thu, 08 March 2012 13:41 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFCD4068@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Thu, 08 Mar 2012 10:40:56 -0300
Message-Id: <335B025F-D20A-4205-AF36-0D611638C464@ve7jtb.com>
References: <90C41DD21FB7C64BB94121FBBC2E723453AAB9653D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4F1E2639.10902@stpeter.im> <494090F8-EEC5-4156-B372-D06745E01552@ve7jtb.com> <90C41DD21FB7C64BB94121FBBC2E723453AFCD4068@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Server cret verification in 10.9
Thanks,
John B.

On 2012-03-07, at 7:57 PM, Eran Hammer wrote:

> New text:
>
> In order to prevent man-in-the-middle attacks, the authorization server MUST implement
> and require TLS with server authentication as defined by <xref target='RFC2818' /> for
> any request sent to the authorization and token endpoints. The client MUST validate the
> authorization server's TLS certificate as defined by <xref target='RFC6125' />, and in
> accordance with its requirements for server identity authentication.
>
> EH
>
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>> Sent: Tuesday, January 24, 2012 2:24 PM
>> To: Peter Saint-Andre
>> Cc: Eran Hammer; OAuth WG
>> Subject: Re: [OAUTH-WG] Server cret verification in 10.9
>>
>> We added the reference to RFC6125 in OpenID Connect.
>>
>> The Client MUST perform a TLS/SSL server certificate check, per
>> <xref target="RFC6125">RFC 6125</xref>.
>>
>> We wanted to be more general to allow for non-HTTP bindings in the future.
>>
>> If you don't do it in core, every spec that references core will probably have
>> to add it.
>>
>> John B.
>>
>>
>> On 2012-01-24, at 12:32 AM, Peter Saint-Andre wrote:
>>
>>> On 1/20/12 4:46 PM, Eran Hammer wrote:
>>>> Stephen asked:
>>>>
>>>>> (13) 10.9 says that the client MUST verify the server's cert which is
>>>>> fine. However, does that need a reference to e.g. rfc 6125? Also, do
>>>>> you want to be explicit here about the TLS server cert and thereby
>>>>> possibly rule out using DANE with the non PKI options that that WG
>>>>> (may) produce?
>>>>
>>>> Can someone help with this? I don't know enough to address.
>>>
>>> The OAuth core spec currently says:
>>>
>>> The client MUST validate the authorization server's
>>> TLS certificate in accordance with its requirements
>>> for server identity authentication.
>>>
>>> RFC 2818 has guidance about endpoint identity, in Section 3.1:
>>>
>>> http://tools.ietf.org/html/rfc2818#section-3.1
>>>
>>> RFC 6125 attempts to generalize the guidance from RFC 2818 and many
>>> similar specs for use by new application protocols. Given that OAuth as
>>> defined by the core spec runs over HTTP, I think referencing RFC 2818
>>> would make sense. So something like:
>>>
>>> The client MUST validate the authorization server's
>>> TLS certificate in accordance with the rules for
>>> server identity authentication provided in Section 3.1
>>> of [RFC2818].
>>>
>>> Peter
>>>
>>> --
>>> Peter Saint-Andre
>>> https://stpeter.im/
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
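The thread converges on one requirement: the OAuth client must validate the authorization server's TLS certificate using the server identity rules of RFC 2818 Section 3.1 and RFC 6125. The Python below is an added example, not part of this message, of the OAuth specification, or of any project named in the thread. It shows what that check amounts to on the client side: the RFC 6125 reference-identifier matching rules for dNSName and CN values (this version accepts a wildcard only as a complete left-most label and only when at least two labels follow it, which is stricter than RFC 6125 permits), the RFC 2818 rule that subjectAltName dNSName entries take precedence over the subject CN, and a check that an `ssl.SSLContext` actually enforces chain verification and hostname matching before it is used to reach the authorization or token endpoint. `PresentedCert` and every identifier in it are constructed stand-ins, not a certificate parser.

```python
import ssl
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PresentedCert:
    """Constructed stand-in for the identity fields of a parsed server certificate."""
    subject_cn: Optional[str]
    dns_ids: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def dns_id_matches(presented: str, reference: str) -> bool:
    """RFC 6125 s6.4 style comparison of a presented DNS-ID against the reference hostname.

    Matching is case-insensitive and ignores a trailing dot. A wildcard is accepted only
    as the whole left-most label (no 'bar.*.example.net', no 'f*.example.com') and only
    when at least two labels follow it, so '*.com' never matches. These are conservative
    choices made for this example; RFC 6125 itself allows partial-label wildcards.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if any(not lbl for lbl in p_labels) or any(not lbl for lbl in r_labels):
        return False  # empty label: malformed name
    if len(p_labels) != len(r_labels):
        return False  # a wildcard label matches exactly one reference label
    if any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard outside the left-most label
    if "*" in p_labels[0] and (p_labels[0] != "*" or len(p_labels) < 3):
        return False  # partial-label wildcard, or wildcard directly under a TLD
    return all(p == "*" or p == r for p, r in zip(p_labels, r_labels))


def server_identity_ok(cert: PresentedCert, reference: str) -> bool:
    """RFC 2818 s3.1: if any dNSName SAN is present it MUST be used and the CN is ignored;
    the CN is consulted only when the certificate carries no dNSName at all."""
    if cert.dns_ids:
        return any(dns_id_matches(d, reference) for d in cert.dns_ids)
    return cert.subject_cn is not None and dns_id_matches(cert.subject_cn, reference)


def context_enforces_server_auth(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname.
    A context failing either test lets an on-path attacker present any certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def client_tls_context() -> ssl.SSLContext:
    """The corrected setting: system trust store, CERT_REQUIRED, hostname check on.
    Use as ctx.wrap_socket(sock, server_hostname=reference) so the stdlib performs the
    RFC 6125 match against the authorization server's reference identifier."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def misconfigured_context_for_demo() -> ssl.SSLContext:
    """The weak setting this thread's MUST rules out: chain and hostname checks disabled.
    Included only so the detection function above has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Constructed authorization-server reference identifier and certificate fields.
    ref = "auth.example.com"
    print(server_identity_ok(PresentedCert("ignored-cn", ["*.example.com"]), ref))
    print(context_enforces_server_auth(client_tls_context()))
    print(context_enforces_server_auth(misconfigured_context_for_demo()))
```

In an OAuth client the reference identifier is the host part of the configured authorization and token endpoint URLs, never a name taken from the server's response; passing it as `server_hostname` makes the stdlib apply the same rules that `dns_id_matches` spells out, and `context_enforces_server_auth` is the kind of guard worth running at startup so a debugging shortcut such as `CERT_NONE` cannot ship.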