Re: [OAUTH-WG] MTLS and SAN
Filip Skokan <panva.ip@gmail.com> Thu, 04 April 2019 20:23 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDA71120601 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 13:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOLRGw4gzQpN for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 13:23:34 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 147F41200B2 for <oauth@ietf.org>; Thu, 4 Apr 2019 13:23:33 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id l203so3046409oia.3 for <oauth@ietf.org>; Thu, 04 Apr 2019 13:23:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gH8yAy82YPrJa1A09VS1yVLZWeYwzNVyV3zAT9RZK7g=; b=Rop2r96K2KSIniPCipdQermbURK7fTxC81bJDh3MezihX45dCWH7YesheCgADKrvse M9bNKQbFNP5h1/wValZ09oLq84DaQ0qI36ZCkDqzXc9NZZv/w9kvBfLeMFXH/1Rfzg4d budO+t1B3IvopA63oFonALBN+95puhXvLgGahaONxu+jZKWpCj6ZgEowZfl2/MCTp89D YWXArnkzf2N8LYYBAZrWkdoJVJ6CK9YeHTUPaEL49sDCWvpY1Qf6vZfiesXj60OJFrYE DY0k9sa6oLLFVSz8IHkqzQEN+cxc6ym9VKV1d0EWiKApRkCKDTwHW9TTeycycZGC3phv yxsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gH8yAy82YPrJa1A09VS1yVLZWeYwzNVyV3zAT9RZK7g=; b=iLf02PoTQ/BH+EZdh+P111TIz3gm2bqHXRTKz6OJ9lyqZKF5+cGr4eVsZsii8SgTzP s2Cs72bA+9lFbTfolReKH7YhUQbvJwFSSKCDafkB1W/Pwa9GfI1jx7prEZyliXlj8Knj K+0ojdJVYu1/NNG8bO37alJF6yoDGaZNv7noq5V5PwraSRVg1PbZZrinobM4pS2mZZTG JgbsKV79uD14bxWwo6atIQDw8ypbjpJwrz6kxdsKiW738BnNJ30ArXD4m4s51gSZOjpj Ytnqfpxhe2tnKSJYTR/Sr6fpiyJ9q6jgWvJ62xdIRi1Rjeg9eEk6vvn/d+LDGa/YOvFn 5QIw==
X-Gm-Message-State: APjAAAVuuspJBrdjg5OqllkN7vZQJ/i0TiX7aFLTsxtAmkT+Q3va1mWO /fww6GQAidxuyMfDjWfvtk/xNGBzKjsbZzth+Q==
X-Google-Smtp-Source: APXvYqz2ffE+mNuvB9NPU8U1XxtbshAcVoHT6XAy/6v4hc2G6OrqboNX48IOYWPPNIpKxgcqzWy5H1fuwakEFgc4BF0=
X-Received: by 2002:aca:eb55:: with SMTP id j82mr4691959oih.178.1554409412186; Thu, 04 Apr 2019 13:23:32 -0700 (PDT)
MIME-Version: 1.0
References: <220488FB-C7EB-42A3-85D6-BD3756786550@mit.edu>
In-Reply-To: <220488FB-C7EB-42A3-85D6-BD3756786550@mit.edu>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 04 Apr 2019 22:23:21 +0200
Message-ID: <CALAqi_-0wXCurgqQq5=YfD0XhjeeoqPE=TX2XkDpgM2ci8E7qw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d9591c0585ba24fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/C2bumXCTPYxvW-yK49vOalK4b5E>
Subject: Re: [OAUTH-WG] MTLS and SAN
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 20:23:39 -0000
Justin, I had the exact same question off list and believe draft 13 clarified this. https://tools.ietf.org/html/draft-ietf-oauth-mtls-13#section-2.1.2 A client using the "tls_client_auth" authentication method MUST use exactly one of the below metadata parameters to indicate the certificate subject value that the authorization server is to expect when authenticating the respective client. Then it lists the different dn/san properties. S pozdravem, *Filip Skokan* On Thu, 4 Apr 2019 at 22:20, Justin Richer <jricher@mit.edu> wrote: > We’ve just started implementation of SAN-based certificate authentication, > based on the changes in version -13 of the draft. I believe this addition > is a bit unclear, due to it being added so late in the document process. > > My question is how does an AS determine whether to DN or SAN for > certificate checking? Corollary, are these mutually exclusive or can they > be used together? Currently, the specification text lists DN and SAN as an > “or” with no indication whether this is an inclusive or exclusive “or”, and > what to do when there’s overlap. > > This has implications both for the implementation of the server processing > the request as well as the client metadata model, since the client fields > are all in parallel to each other. I can see a few ways of handling this. > > > 1) One of the fields takes precedence over the other. Say for example you > choose the DN field: if it’s set, then you do DN matching and ignore the > SAN fields entirely, both in the cert and in the client’s registration. > Inverse is true if you choose the SAN fields over the DN but the principle > is the same. We should be explicit if there’s an intended precedence > between these two, and even more explicit if the DN and SAN are at equal > level and the AS gets to choose. We also need to be clear if it’s an error > condition if both are set simultaneously, like the way that jwks and > jwks_uri are mutually exclusive. > 2) You set an explicit switch in your client model that says whether to > use the DN or the SAN fields in comparison, and your code branches based on > that to either DN or SAN processing. This could also be added as an > explicit client metadata field, or it could be an internal detail. If an > internal detail, we should be explicit about there not being a predefined > precedence between the fields. > 3) If it’s allowable to use them together, you match everything that’s set > in the client, and at least one field MUST be set. > > > What’s the intended behavior for implementers, and should we be more > explicit about this? We are starting our implementation with (1) pending > the outcome of this thread, and I’d be curious to know how others are > implementing this in their systems. > > Thanks, > — Justin > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Filip Skokan
- Re: [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Filip Skokan
- Re: [OAUTH-WG] MTLS and SAN Jim Willeke
- Re: [OAUTH-WG] MTLS and SAN Brian Campbell
- Re: [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Brian Campbell