Re: [OAUTH-WG] MTLS vs. DPOP
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 08 May 2019 08:15 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0D5120090 for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 01:15:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1H1PMSdK8NF for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 01:15:52 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02on0631.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe05::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0910C12002F for <oauth@ietf.org>; Wed, 8 May 2019 01:15:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QQM4HcChqINj+9g3p+Wdhe45vPDQ5hySIQFp1tP99eM=; b=FvR28l1+3gMZxss08+BKq7w+0h/lzz2KsUP8DkcNIzAPjh8ekNgTAr7V9YMjfcqFmj/6d61L734aJPyNMMcdzYxRxKGf3ZECHW6TzTKAPGptVYtNH7JHwJkS4Lm/BxXSRdElENGyYWf20NLjqwNuNYEj3O7V9GwTYvGGgz+VaUw=
Received: from DBBPR08MB4539.eurprd08.prod.outlook.com (20.179.44.144) by DBBPR08MB4267.eurprd08.prod.outlook.com (20.179.40.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1856.12; Wed, 8 May 2019 08:15:49 +0000
Received: from DBBPR08MB4539.eurprd08.prod.outlook.com ([fe80::3803:e042:abea:cd93]) by DBBPR08MB4539.eurprd08.prod.outlook.com ([fe80::3803:e042:abea:cd93%5]) with mapi id 15.20.1856.012; Wed, 8 May 2019 08:15:49 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, George Fletcher <gffletch=40aol.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] MTLS vs. DPOP
Thread-Index: AdUErRQrEyJTkDUdQjmHcwr6XcEhZQAMeI0AAAMz3AAAA0YxgAABc6OAAB054iA=
Date: Wed, 08 May 2019 08:15:49 +0000
Message-ID: <DBBPR08MB45393CBB78656E23B286241AFA320@DBBPR08MB4539.eurprd08.prod.outlook.com>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com> <CAO_FVe4f3eTJKa1tZjrwkLxnrejX9n+5mU8PJBU5KaRw_TMDzg@mail.gmail.com> <CA+k3eCQWcHoM4OLeuVGEG2FccOXYWVUwnO00LhaEBTvBZXbFog@mail.gmail.com> <20190507175954.GM19509@kduck.mit.edu>
In-Reply-To: <20190507175954.GM19509@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.123.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ceb962b6-086d-48f3-6b4d-08d6d38d6112
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:DBBPR08MB4267;
x-ms-traffictypediagnostic: DBBPR08MB4267:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DBBPR08MB42677432868579CFF6B8CBA5FA320@DBBPR08MB4267.eurprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0031A0FFAF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(376002)(39860400002)(346002)(366004)(40434004)(189003)(199004)(72206003)(81156014)(3846002)(53936002)(478600001)(76116006)(6116002)(446003)(5024004)(2171002)(14454004)(14444005)(8676002)(6246003)(7696005)(68736007)(966005)(25786009)(256004)(99286004)(33656002)(66446008)(5660300002)(186003)(26005)(6506007)(66476007)(66556008)(316002)(66066001)(110136005)(54906003)(73956011)(66946007)(4326008)(102836004)(52536014)(6436002)(2906002)(11346002)(7736002)(229853002)(74316002)(86362001)(305945005)(8936002)(486006)(64756008)(71190400001)(71200400001)(76176011)(476003)(6306002)(9686003)(55016002)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:DBBPR08MB4267; H:DBBPR08MB4539.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 6tyEIzY2lFRTEaWr+0bXQeul1GRvOcCX7tewTtbDs1QsE1bYe2NnnEPdsZ1ql1y9/czSVk3ZJUn9BdYugfBcNjmoD4ttrhogQX0F08Z0XdDtP9FOHRPSHOZAT4ZrhVLVbDGAw+xpUgSGpWq2Pt2LzcfdxgW+2hy/UtiKgyEaFyGzmUfK8plAtoQzHY6g2f2pFF6HTTFaxnUBXuSfNpioEs+MlPFCOk+RfJwCLfExwY807d4G+vhjGAmiv/uQzz7nYygARJsIVClsk3hqcvXSJjlqtrvDPhucuxgMUWtHBZWIOp64RV/aJUd25CAKCtEGuMWFkUZIHBOlFks0cU8JfYls9Tipg9/xxHoCE/vNaO7ebrrt5pfCBcH+O+4iixegPwweMVKQ1dyQ2KAL3sTxSdobEn0fEuNOTlIXvGB0njA=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ceb962b6-086d-48f3-6b4d-08d6d38d6112
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2019 08:15:49.1289 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB4267
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tbT2zFswRFd9IZIxSfLSjFoyWaA>
Subject: Re: [OAUTH-WG] MTLS vs. DPOP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 08:15:56 -0000
Hi Ben, > I've forgotten the details of those two documents, but in the general case, if there's a WG document that is no longer actively being worked on (or is now believed to be a bad idea), the chairs can pretty easily get a new rev posted that has a "tombstone" notice, like "this document is no longer being worked on" or similar, which may help clarify the situation to external parties without much investment on time or tooling. When we started the work on the PoP tokens we were ahead of the OAuth deployment because many developers didn't see the need to switch from the bearer tokens to the proof-of-possession tokens. Hence, the work progressed very slowly. Now, the situation has changed with OAuth being used in use cases where there are higher security concerns, for example in the financial sector. There are, however, also technical challenges with the PoP token approach and we ran into one of them with the HTTP signing and also deployment challenges (see token binding). I believe many people want such a PoP solution but there are just cases where it does not work. For HTTP signing we have at least two solutions in the IETF right now, namely https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03 and https://tools.ietf.org/html/draft-cavage-http-signatures-11 DPoP does not address the issue of how the request from the Client to the RS is actually protected. It only hints to it. If you want to get this to work you have to use one of the above documents or come up with yet another method. Additionally, DPoP overlaps an already existing working group item, which we had planned to sent to the IESG soon: https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-07 One of the differences between DPoP and PoP key distribution is the question whether the client always needs to demonstrate possession of the private to the AS. As you remember I took the action item to work on a formal analysis, which I posted to the list. Why the extra DPoP functionality has not been incorporated into the already chartered working group item is not entirely clear to me. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP George Fletcher
- Re: [OAUTH-WG] MTLS vs. DPOP Daniel Fett
- Re: [OAUTH-WG] MTLS vs. DPOP Vittorio Bertocci
- Re: [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP Brian Campbell
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Benjamin Kaduk
- Re: [OAUTH-WG] MTLS vs. DPOP Karl McGuinness
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Karl McGuinness
- Re: [OAUTH-WG] MTLS vs. DPOP David Waite
- Re: [OAUTH-WG] MTLS vs. DPOP Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS vs. DPOP Hannes Tschofenig
- Re: [OAUTH-WG] MTLS vs. DPOP Justin Richer