Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Tue, 29 October 2019 11:57 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADD9C120041 for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 04:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0MM4cbd18Tr for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 04:57:37 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5645B12016E for <oauth@ietf.org>; Tue, 29 Oct 2019 04:57:37 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id d83so11077119ilk.7 for <oauth@ietf.org>; Tue, 29 Oct 2019 04:57:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HV7w/3Lic3wc8O///KhsiiDVUIXs1LC2MjZcBpmDl7s=; b=epjEEU20qvWgru8DYzTigV9iWtQywZ5HwdEFT4hRanovzdx94xNlXZ87FMkrXAgksQ pZgBtwRfrMbIPejs6M2tPawdVXeE3pH+W/0SMggdPn9K0cF9qUR2nVO2BE57ZiFUXlET J5Rsk7aboFo/tmGNZ5PEmNb/PUN1hetyoO1gb3y8bcqphS12akY1+3DSL0gkGPEtVw9d 3sAabezNKxErwTzcNa6zJXAyWZv0ih4yB/TIaaiWv8RuLvIY/PQ0+R1VAWbmmhIJYB2B 8wHz74CuT2d9eTZSxWqdkFHZeJKpfDo0FufSBClUSvPEB4ICit/1xAJjSSwasrd84a4U 9Hxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HV7w/3Lic3wc8O///KhsiiDVUIXs1LC2MjZcBpmDl7s=; b=U26stFheEcuOwR0YIF6GxRyhY2T57at71UU66IM+tTq8/Obr0pl235ENB+tsoNRRgk j7z5QH7Tot8oC7S6CQdJJgKyesLaUI7dJ976sbrrHvDxfZfCyomdF1Ai4+3FuHlBsPwn kl9dK91Sr6Fvm3+ZI1qKxiuV4VkyfsvwwGP8C1J7sxBExfkFgjI7DYtdXuyuFoMzQk/Q ZXjexrMPo7u0iP3ZXaL7dAI5WmFlTPAYOsx2YgiVa4EEchJMvLnx4KvMgiqdE3iDNaxD HeZaYPrv3WljkkMaKOYXCCd4+rCBz6wixaYZb9bscIgbaZUzLIKykFkf8JscrsaQk0L5 QT4A==
X-Gm-Message-State: APjAAAWka8RnfE0sbIr6BhZMAvKBQdJ9lNzvc40WzICLmzRRw+HY9V77 llPyeNe+Iw2D2EYqCVUi6HJsUOzVxyVSSLFQjL4=
X-Google-Smtp-Source: APXvYqx7RcIzkdOxWXRaAgsQgLAWNA+6InMM2Uwi6CcyF+KTJzx2AL9KFL5LV5dyW4rkXG0B1gbZJABElMDkTK4UzEk=
X-Received: by 2002:a92:8897:: with SMTP id m23mr23342740ilh.36.1572350256648; Tue, 29 Oct 2019 04:57:36 -0700 (PDT)
MIME-Version: 1.0
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <CAEKOcs2gkM3Henz5nS04_EuBQXWWbJU5K02ErP0rnVZXmjxXJQ@mail.gmail.com> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com> <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com> <E03CD445-39E8-4262-97BE-E0EE11231A63@forgerock.com> <BE6B1D4A-26CB-42B0-89F9-88588E47E773@akamai.com> <CAGL6epKaFkOw=GaMxjSK90KxRmMsxrHe3og5704-2Ykq-aM5cg@mail.gmail.com> <045A61A9-A5E3-4700-8669-A74931D4E7FB@akamai.com>
In-Reply-To: <045A61A9-A5E3-4700-8669-A74931D4E7FB@akamai.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tue, 29 Oct 2019 07:57:25 -0400
Message-ID: <CAGL6epJuA7+em3ODCcrCr02BRo92_yXaaDJuFwg2Yesq=iBfOg@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Neil Madden <neil.madden@forgerock.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082976b05960b521a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9CsvDcAwB8Daq8c4UT5L2Rxlzww>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 11:57:40 -0000

Maybe I misunderstood what you meant by "client-cert". If you meant the
proxy client certificate, then that is obviously not enough. You seem to
suggest that you meant the remote client certificate to be installed on the
proxy to be used with the backend system; if this is the case, then this
would work and you would not need the signature, but the issue I see with
this approach is that you need to reconfigure the proxy every time you
change the client certificate, which is not practical if the certificate is
short lived.

Regards,
 Rifaat


On Mon, Oct 28, 2019 at 2:55 PM Salz, Rich <rsalz@akamai.com>; wrote:

>
>    - To avoid the misconfiguration issue Neil raised, you probably need
>    both: a client-cert *and* a signature over the certificate being
>    forwarded,
>
>
>
> I am not so sure.  One can argue that transport-level identity should be
> secured by transport-level.  But installing a client certificate on a
> reverse proxy can be difficult.  (Not if the reverse proxy is a CDN, of
> course :) And I don’t see how having both prevents misconfiguration, but
> that might be my fault.
>
>
>
>    - This could still be achieve by extending RFC7239 with new
>    parameter(s).
>
>
>
> I have no opinion on this part of it.
>
>
>