IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Dick Hardt <dick.hardt@gmail.com> Fri, 10 January 2020 18:59 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADC5C120BE5 for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 10:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id po8mgixHM7jq for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 10:59:27 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 756EB120B69 for <oauth@ietf.org>; Fri, 10 Jan 2020 10:59:24 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id l18so2278548lfc.1 for <oauth@ietf.org>; Fri, 10 Jan 2020 10:59:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MT4vhvtE85iiNEhej0010sy5BdZ9Fst26qFk4aiagwY=; b=lNqPLDnI2ROG5ZAoCl+x+1Bknisn2hF3+9bHlq482mB6suWOJFLIs4TME4+fxe0jua ml5F2KmHjch6g4NJuEF0MDtv0WHvb2UT+8k3xHP5pB35BtLEaqqQIkMXs8mhINMfk7qr QSZo++V4MXLts2drgtwz2eq1ZE5rgmMC4eqhl7uBV69d/ufVXXLt76h1RT4lpwpa/tXF G28JWTTNoBkMMcxOjI0EmGc2DJ+qFxBT9jPgPlhSyg0WY5XI1mjZO/Is5cIFer5N12Dn Pf/TyLXcL/OkU4BvDCbh7HTU9SdCgOIhH6W9ZGhLD06DbJGvZmd5o+pOBqwLB08s1GPg GY/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MT4vhvtE85iiNEhej0010sy5BdZ9Fst26qFk4aiagwY=; b=LqJD42vMDfRGKz/TytwRrlvO4ixUnU+wXt5ofVVlpFxue0TfFDdWbrRjQPk3BJDM5r cdjEbHrVIl9w9AdV32OA440T8qrR29Hwy2yDo75RyyLw+SGZ60nu3+ShK23WHfOuKFFz 7r6uDx15xiyCxcgPE7aCBAZXpy/cZYeWS8yvkqz+gUKpd0Vd3aUYPxyZv9Rn6rhfaLV+ lFwA+RG43k/A23cWDp3ixQlw8bEOM7R6wnKhWu1lx48cEJllTu5Sdsm5EP7vgObTXku6 QbX69lt0EZw4yxMDIOStWzuhI9IQ52C44yziz5SKzxSSdNl2CgQG4MYgTmQubSPbGsLy v2lQ==
X-Gm-Message-State: APjAAAUxjaeQiYPXxeBs98Rv+LYCzeGKhOHgQOPWBhmkFGjO62hy+O5M +DkBc5Ig4qW9oxPoKBSdJpnJfUGWYFzwakNQX2U=
X-Google-Smtp-Source: APXvYqxY6reqDqyjNLF8jLkZD7GBrcnDqI4UGWjZ8Y2LMisIkNrXeokZFgf8+8KRnZqENBTYG6NW2s+QNBtVwIBby6g=
X-Received: by 2002:ac2:50cc:: with SMTP id h12mr3210412lfm.29.1578682762573; Fri, 10 Jan 2020 10:59:22 -0800 (PST)
MIME-Version: 1.0
References: <CAGBSGjpFMKTCNYgeh4p7Nyh6urTbmQ0qYFHPUa+OX51Hj88UVg@mail.gmail.com> <23D54EBE-359C-40FF-8204-9F03E45D09E9@forgerock.com> <CAD9ie-vCzedTkdb-GXBVgahFb1jZcA9NdUfb0rsOAqrtup95cg@mail.gmail.com>
In-Reply-To: <CAD9ie-vCzedTkdb-GXBVgahFb1jZcA9NdUfb0rsOAqrtup95cg@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 10 Jan 2020 10:59:11 -0800
Message-ID: <CAD9ie-u52XjXYd8RiMgOYFpLVd7fhiBOMLOwECD3u60ygovZRw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000046c4f4059bcdb947"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8hQScCF1n3GA76cfXQPxSU36gkI>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 18:59:35 -0000

To restate my previous point, we may not be able to change what is
currently specified and deployed, but we can for future extensions such as
RAR and PAR.

To paraphrase Annabelle, this ship may have already sailed.

On Fri, Jan 10, 2020 at 10:52 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> The metadata document is declarative, and can easily be yet another
> separate role in the AS.
>
> In large organizations, different people are empowered different roles, so
> the team owning the metadata document could be different from the team
> generating ID tokens, and different from the team generating JWTs.
>
>
> On Fri, Jan 10, 2020 at 10:27 AM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>> The problem with specifying a property on the key itself is that a
>> microservice might lie about what it’s keys are for. I think you either
>> need separate documents or some separate metadata mapping uses to key ids.
>>
>> — Neil
>>
>> On 10 Jan 2020, at 18:19, Aaron Parecki <aaron@parecki.com> wrote:
>>
>> !
>> Can the keys in the document at the jwks_uri indicate what they are for?
>> Either by adding other top-level properties next to "keys" or by specifying
>> a property on a key itself? At least that way implementations that expect
>> just one value of jwks_uri wouldn't have to change.
>>
>> Aaron
>>
>>
>>
>> On Fri, Jan 10, 2020 at 12:16 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Yes. Thanks for clarifying.
>>> ᐧ
>>>
>>> On Fri, Jan 10, 2020 at 10:14 AM Torsten Lodderstedt <
>>> torsten@lodderstedt.net> wrote:
>>>
>>>> You mean additional JWKS URIs, for example?
>>>>
>>>> Am 10.01.2020 um 19:09 schrieb Dick Hardt <dick.hardt@gmail..com
>>>> <dick.hardt@gmail.com>>:
>>>>
>>>> 
>>>> Perhaps I am misunderstanding what Annabelle was getting at, but having
>>>> more than one key in the metadata document would solve the the issue. IE,
>>>> extensions would define their own key instead of using the same one.
>>>>
>>>> The metadata document itself was an extension.
>>>>
>>>>
>>>> On Fri, Jan 10, 2020 at 9:58 AM Torsten Lodderstedt <
>>>> torsten@lodderstedt.net> wrote:
>>>>
>>>>>
>>>>>
>>>>> > Am 10.01.2020 um 18:23 schrieb Dick Hardt <dick.hardt@gmail.com>:
>>>>> >
>>>>> > As OAuth 2.0 has been extended, the AS is now also an OpenID Connect
>>>>> Provider, and the access token is being defined. These extensions have
>>>>> assumed all of this functionality is a monolith.
>>>>> >
>>>>> > I'm not suggesting that we MUST make changes to existing extensions,
>>>>> but design future extensions so that an implementation can separate duties
>>>>> if desired.
>>>>>
>>>>> How do you envision this to work? As you said, OAuth 2.0 is built on
>>>>> the assumption the AS is (at least logically) a monolith. All extension
>>>>> were built on that underlying assumption. I don’t see how an arbitrary
>>>>> extension can relax that assumption and still be compatible with the rest
>>>>> (just revisit the discussion re PAR and keys).
>>>>>
>>>>> I think we should accept this design assumption, in the same way we
>>>>> should accept form encoding as request format instead of JSON, for OAuth
>>>>> 2.0 extensions.
>>>>>
>>>>> OAuth 3.0 could explicitely be developed with different architectures
>>>>> in mind.
>>>>
>>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> --
>> ----
>> Aaron Parecki
>> aaronparecki.com
>> @aaronpk <http://twitter.com/aaronpk>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>

v2.23.0 | Report a Bug | By Email