IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP and client registration metadata

George Fletcher <gffletch@aol.com> Thu, 17 February 2022 23:29 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AB523A03F5 for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 15:29:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmnuW7l3Tj_W for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 15:29:14 -0800 (PST)
Received: from sonic303-22.consmr.mail.ne1.yahoo.com (sonic303-22.consmr.mail.ne1.yahoo.com [66.163.188.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC133A0BC8 for <oauth@ietf.org>; Thu, 17 Feb 2022 15:29:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1645140552; bh=7x7+a6Z7XboOCm74Qfrqqcwh5tm3VPl8jT5Ik9N7gqY=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=QOlBAd5Vjf8jeMu5B1IhOn2l+I4zAzE2MOAfa1p9sY5Tj3A3LpelGumQwrmqaDkkuhQJCuDNhZKdunGiXvoVsPH6oVDfQ2WVY2mIpsfzAlH0+C6T1NEbkxDYmxkahIsJ56KYG6ibHx86Oh5QntnuO8j4rG8t/+CzllWFADBujQEZWxC81P0WdF/gmfV1ot4aK2MXUh+8Qeet5OduZPfSO897v37KaoDV8vw9BbYKdVGAeI3UOGrRBj+FTZZICKUbfVnorGbXU+zCuMdvxHwX1YVn5mXn+Gg3vJPG75MeVakJ+AU59lWeV3LK/bUUjno3/IEF5YfUkRASvrGonJ/jzA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1645140552; bh=GzNU+6P/S8sfK0C0KvN0prE0mVIC08anbRajEYrqWgB=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=RLeQHs8oaDwA8uc9uHRT7rvUNTwkhvrS5JNSL4vJvjjRFZ0MtwSBZZ4538ZFRBM2hw1P1P/z8wx/Wg9VfYiyLKT+F67kOG1bZaVW6LxUgrF+wbeoclQW5boYpZjdpIhlXuTY006RrvWPaOt/AYB9pCqDrHS8VECVjU6e/N3cKgUzd9hcD+llk00FXVZ2TsxR5grjviNBFHY/tYTjs/kgB27ZGyHnFN0rChgd0DHT1/bLGiY1crI143lcOmWFdWA6HvbWg1dBgbMR3YoRq/2qICBqXtgcvVRC9u8LaslR+X/3f5FN2jPdG301kTgZC3DYeQLljJNeP0FBqOib+Ua2Kg==
X-YMail-OSG: CCVhn44VM1kQgEO7HsolFjj6KvCv3NlI9L512WBK1JlzD2kwckTvUl2av2AyFDX 8L6CK.fYSo5WaOr2nfPXJqo.gf1VcLL7uKMwmqdCLE1dRTLnq5uG_SkJfJJc1rOLcQl5WNWzjUD0 _uEZmFVyoMOnYY.NIm4_phY7siUDmJP10pNBzZwl6aqhWyp91wB1RfHn4v4Q8qnI2BD1VC3ONj7b UXznMThstQNE3szZH7zkuAD.sUCq.5.PmQR2W5NyBfgbD3GTYQn3ie5HLrfkltj_oIQmBmOT5xQM mR9vZUG8vTg8OodXsLDey3rmNQeLMjyBB3Zw97.4fBXnvf9r4wKWIRhFNj1wC3ySDP5_gw.VC3zm 7t74Lj6F4enT6g6i74rdBTIjkPQI58wTdqNBqj4HVL5vhmiElGTCZTiT97XWGPWmQDSm0KgZDChh r_PXvD7U6AhtC7n1yBcfgzcoKVjUdhs9iVqEfnQnBav2PLiuwAvoREg.c1JS2SSujsRudMDA7q38 XxnRqLN.pUO0zR7XRHqWSeyWgXfcS0czFWNHkhUGlxHk96dbuXps7teKJ0I1nvPw9_z8ykBHkbG8 4.6WrL6mLM.z7TrkUiJvcJZSu47Nr0FvXd0fcRKAfn1K3cb5H8INcSfPAoSPF1G0Vqc1EE2fmiZY FmIHigWxRS5sv6M6ELifkZl8EpYoFdNANZWalOt5cQjLk9SVaiuWz1OwDj0P8otO0zVBk0K8TR5m i_s.p7QI6ulqK8QaJeW0FNl0hcPP4Mi_mZilqvxgw87VJdcnNGvMVQaNEwt6oIyP9YmiaqS6YkWE dILoL2kFxj8J.RptJbV9Qq6BZ.jTuXVoqZna6TD.ppVg0wmi8MJ.MFh4k8VbpGiZJr52s57Mq6Nm AUMhWyRECm4D2mVwynklAh0m1HBrQRCSlSiPL3bDZifRlv5rCgaT2qcuobsW9oDMwnBXcqQSzqKR MOBOV64OhQ1rl9IhDDr3T5kjgiwYhhPl.yPaHCD.4rTcKHT17kU6OA9IGu7COKdXrtAOQNh7zffJ UYdbUq0rtCbephYlOX887rfrUKbYRs_Id9jnxrzo3KF_8AY5zIfB6D6cfbsrvYJcllWLbjhz82CB px12DcwjhFjstWX7PJVUHEGDf0FsvaQr0mnReKSq7WfsP2RDliukcbbqMFBekwLU1lOIpvOKCRMM 2DdKtfPWQYiBfjpFFMfWW5fQWYsRpqpf8x5gywqyl2OOF5nlij7eFjxyHmGoh7g1ZSC.OSU6.mcM tE29m2MUHzhPfDYf4cVJiJdZsPKJuZGp8X5qCfIfeXNfTkktOb.JjDzYFMkXAOrrG7hGNQ6IcyY7 F.T5QUJhnPhfK0KDbz69uEdlTdgAz6FSj.ITIbyiujCuJocALblckmhHXLgE_Cy568FmozYdTUgc mjMJDBf6aUAx0SE4G0lmEr7aIrr8xy7Wz1wpD2trlBVmlSlsyM3ck465tT6AomTMasV8lRKnXQQ4 .TYIEg_s7zm_6QwylExcxN28c2JxU2l5kBtdtFqAO1RYF4vx4jIf5K06ChD9CT677xz_EDBWRsll 1unjthStPVDNpRW55119tm8F72d5F6HGlb04.kBD0sqcVuQop6q8h503brtwjtgbCv0Gdilrpjte 2YSV2IiZ5DhwciaCf9a04g1wWg688Mctwcn5y3lfgI4o_N0egdcQjvBy2ytPczEKVtCAVJqF8NLC hINbYtJfLxbWFotcqJrRQ2D6vi8W7LDuwQ092gRULxXhYLtK_f9y5kjtvbQ6pYCDPoSpxmmmnodu nHMaIQfPji_QEMDpG05v2MD4GHutgSDXYx0ijjvcIX2b2ZfYUJ_8sCtWY9.HhNyVV84xKU5cHPT3 mINGOw.mtE7GLtF7jtk.el52jzC2hIE3WK7HG6hB.g.BYiHNrcmNeDg92ADzRZpVX6.nit0DnM_q wENbrWtHxOPsdbjQrui5VyZRec6Tlv_M6932VpGgNrMUsgQ1wpbSBj0lrPzL_YgCC8o3y3D84KYu gBVje23G6hq4CZ6kIOvMwziVc1M90rJSxyaL9Zmi7tWBIIEkszk0GcazCiLX6Rzm_sZ6mxh7Brer _nW7nlUFUilYnK2gSA8Z2449DoO_6iixgYe2tnDbFRpHi68MU1ILpv2Wa5fiEl2ZE_TGZn_mnrJx AZ8UhsJ7ucYLZBsvHv7BcXO30jau.M6Kvm5jWFseYlJgz.NzgLZjWGY_KkXVKpjsQM5q85z_VGG5 JVRaJ3Mzl9BbBI.6zmCT_x0NW2JZIgCY-
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.ne1.yahoo.com with HTTP; Thu, 17 Feb 2022 23:29:12 +0000
Received: by kubenode502.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 0e55e201f0daf5866c7358a970166042; Thu, 17 Feb 2022 23:29:08 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------qaaQdMx67oQDC6VqHW21l94G"
Message-ID: <c9ec493e-9be3-1b51-deed-ebbaf08202ff@aol.com>
Date: Thu, 17 Feb 2022 18:29:02 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
Content-Language: en-US
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Dmitry Telegin <dmitryt@backbase.com>, oauth <oauth@ietf.org>
References: <CAOtx8DkFrDBk==_4Yr8JFiNmPSQkhMnVDk09RGhz_Kb52gMMtA@mail.gmail.com> <CA+k3eCSG0-bjJRsVrgAtVocvRBpwY+7fBxr=WPAYdUBd25g=pQ@mail.gmail.com> <CA+k3eCTCjawQx7g8Q+tUwtC7oRCkpev0r-kCuo3n3Xy18XvgVA@mail.gmail.com> <9b66ac72-19af-974a-d85d-c7ab88f31183@aol.com> <CA+k3eCTbWHJdVLOFspgrFtq9K4QdXcqkfMQh6JtsFh7O-h7b1g@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <CA+k3eCTbWHJdVLOFspgrFtq9K4QdXcqkfMQh6JtsFh7O-h7b1g@mail.gmail.com>
X-Mailer: WebService/1.1.19804 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AIxlW0AdgitwTwMPbh4ChwPYiqg>
Subject: Re: [OAUTH-WG] DPoP and client registration metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 23:29:24 -0000

On 2/17/22 4:32 PM, Brian Campbell wrote:
> On Thu, Feb 17, 2022 at 12:28 PM George Fletcher 
> <gffletch=40aol.com@dmarc.ietf.org> wrote:
>
>     Given that the FAPI 2 baseline is requiring either DPoP or MTLS as
>     the sender-constraining methods, I think we need to provide more
>     guidance about how DPoP is used in cases outside of SPAs. Can a
>     mobile app using dynamic client registration via pub/priv key pair
>     generated on the device using the same public key for the DPoP
>     required portions of the flows?
>
>
> It could use the same key but there's nothing requiring it or checking 
> any association. In 
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html#section-1-3 
> we say "DPoP can be used to sender-constrain access tokens regardless 
> of the client authentication method employed, but DPoP itself is not 
> used for client authentication." Which is meant to say that DPoP is 
> orthogonal to client auth.

Ok, I guess I was wondering if there are any security implications of 
using the same key or benefits of using different keys that might be 
helpful for developers.

>
> On 2/14/22 5:51 PM, Brian Campbell wrote:
>> This (more or less) has come up again in the from of a github issue: 
>> https://github.com/danielfett/draft-dpop/issues/105 and it has me 
>> sort of maybe reconsidering the idea of introducing some kind of 
>> client metadata that indicates that the client will always do DPoP. 
>> So I wanted to bring it up again here on the list to try and see what 
>> folks had opinions on it.
>>
>> On Tue, Oct 26, 2021 at 4:08 PM Brian Campbell 
>> <bcampbell@pingidentity.com> wrote:
>>
>>     There are no plans to introduce client registration metadata for
>>     DPoP - the requirement to use DPoP is more of a property of a
>>     resource so I don't think registration metadata for a client fits
>>     very well.
>>
>>
>>     On Tue, Oct 26, 2021 at 8:53 AM Dmitry Telegin
>>     <dmitryt=40backbase.com@dmarc.ietf.org> wrote:
>>
>>         For dynamically registered clients, there is currently no way
>>         to indicate the intention to use DPoP. Hence, it's completely
>>         up to the AS whether to enforce DPoP or not on such clients
>>         (for example, using client registration policies).
>>
>>         Seems like there is no common approach here; for example, RFC
>>         8705 (OAuth 2.0 Mutual-TLS Client Authentication and
>>         Certificate-Bound Access Tokens) does define client
>>         registration metadata (see section 9.5), whilst RFC 7636
>>         (PKCE) does not. I guess this is due to PKCE being initially
>>         conceived as a feature that would become mandatory in OAuth 2.1.
>>
>>         Are there any plans to introduce client registration metadata
>>         for DPoP?
>>
>>         Regards,
>>         Dmitry
>>         Backbase
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
>> privileged material for the sole use of the intended recipient(s). 
>> Any review, use, distribution or disclosure by others is strictly 
>> prohibited.  If you have received this communication in error, please 
>> notify the sender immediately by e-mail and delete the message and 
>> any file attachments from your computer. Thank you./
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited.  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./

v2.23.0 | Report a Bug | By Email