Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Justin Richer <> Thu, 03 November 2016 12:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D2B061295A3 for <>; Thu, 3 Nov 2016 05:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.697
X-Spam-Status: No, score=-5.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id x9lAblJ78vNT for <>; Thu, 3 Nov 2016 05:51:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7B03512959D for <>; Thu, 3 Nov 2016 05:51:26 -0700 (PDT)
X-AuditID: 12074423-623ff70000001060-fd-581b32cbac77
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 26.42.04192.BC23B185; Thu, 3 Nov 2016 08:51:25 -0400 (EDT)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id uA3CpMJZ020540; Thu, 3 Nov 2016 08:51:23 -0400
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id uA3CpK7v025448 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 3 Nov 2016 08:51:21 -0400
To: Jim Manico <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Justin Richer <>
Message-ID: <>
Date: Thu, 03 Nov 2016 08:51:13 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------2B4D02C9812810AB04DD4778"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCKsWRmVeSWpSXmKPExsUixCmqrXvWSDrCYOcVKYvV/28yWrzYf5Dd 4uTbV2wWn28dZrX4v/QUkwOrx4t/exg9liz5yeTxfGc/k0fjjAeMHnePXmQJYI3isklJzcks Sy3St0vgytg4dz97wd+yiuVNy1gaGF/5djFyckgImEgcOf2VpYuRi0NIoI1JYu36p1DOBkaJ 5evmMEI4t5gkdq55wALSIiyQLvF61j9mEFtEQFHiwJ4mJoii3awSbUveMIM4zAKXGCXeT3gO VsUmoCoxfU0LE4jNK2AlsfbFXDCbRUBF4tf802wgtqhAjMT1Z4/YIGoEJU7OfAK2jVPAQeLJ 072sIDazQJhE+9TlbBMY+WchKZuFJAVhm0nM2/yQGcKWl2jeOhvI5gCy1SSWtSohCy9gZFvF KJuSW6Wbm5iZU5yarFucnJiXl1qka6aXm1mil5pSuokRFBnsLso7GF/2eR9iFOBgVOLhzfgh GSHEmlhWXJl7iFGSg0lJlPeNpnSEEF9SfkplRmJxRnxRaU5q8SFGCQ5mJRFeRT2gHG9KYmVV alE+TEqag0VJnPe/29dwIYH0xJLU7NTUgtQimKwMB4eSBC8fMAEICRalpqdWpGXmlCCkmTg4 QYbzAA2/aggyvLggMbc4Mx0if4pRUUqcNwskIQCSyCjNg+sFJa6Et4dNXzGKA70izCsLsoIH mPTgul8BDWYCGmyeJAEyuCQRISXVwMjPr76fa/8ym8lnVthErF272bSyQrwgyeLgybSz/3kf xVv/2akiWLdsrwa3/9HTLOKbtN5rrLsQFXyB8c4f4ea3Oa8shZ9rTvw9ty48Rt93+oLv3i9r 97qUixyfKhSfEJik/41dccmB3MXzHtxu6e5PFBAWfmMZEJ8r9nXty+WeP8vc/m+dWKPEUpyR aKjFXFScCAC9y3TsNwMAAA==
Archived-At: <>
Cc: Nat Sakimura via Openid-specs-fapi <>, OAuth WG <>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Nov 2016 12:51:29 -0000

Yes, I elided the certificate issuance process. The point remains the 
same: you're not going to be submitting a CSR to the same party you're 
getting your client_id from, usually. If the draft assumes that, then 
it's incredibly limiting.

Do people really use separate TLS client certs for separate connections 
in the wild? I've personally never seen that. What I've seen is that a 
piece of software gets its certificate that it uses to make whatever 
connections it needs to make.

  -- Justin

On 11/3/2016 8:48 AM, Jim Manico wrote:
> Just to be clear, the relationship should more like...
> AS issues public key to clients, or client sends public key to AS. The 
> authorities job is NOT to give the client the public key, but to sign 
> the public key for authenticity. It's bad practice to accept the full 
> cert (pub key+signature) from an authority. If an authority is 
> creating your public key, they are also creating your private key.... bad.
> > The client will use the same cert across multiple connections, 
> possibly multiple AS's, but the same isn't true of the client_id.
> This seems like a bad idea. I suggest a separate key/signature for 
> each service.
> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805
> On Nov 3, 2016, at 8:41 AM, Justin Richer < 
> <>> wrote:
>> I agree that the client_id is unlikely to be found inside the 
>> certificate itself. The client_id is issued by the authorization 
>> server for the client to use at that single AS. The certificate is 
>> issued by the CA for the client to use on any connection. The AS and 
>> CA are not likely to be the same system in most deployments. The 
>> client will use the same cert across multiple connections, possibly 
>> multiple AS's, but the same isn't true of the client_id.
>> Additionally, I think we want to allow for a binding of a self-signed 
>> certificate using dynamic registration, much the way that we already 
>> allow binding of a client-generated JWK today.
>> I do think that more examples and guidance are warranted, though, to 
>> help AS developers.
>>  -- Justin
>> On 11/2/2016 5:03 PM, Brian Campbell wrote:
>>> On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman < 
>>> <>> wrote:
>>>     I agree it is written so that the connection to the certificate
>>>     is implicitly required but I think it would be better if it was
>>>     explicit written since the lack of a connection would result in
>>>     a potential security hole.
>>> That's fair. I agree it can be made more explicit and that it be 
>>> good to do so.
>>>     When it comes to the client_id I think subject common name or
>>>     maybe subject serial numbers will be the common location, and I
>>>     think an example would be valuable.
>>> In my experience and the way we built support for mutual TLS OAuth 
>>> client auth the client_id value does not appear in the certificate 
>>> anywhere. I'm not saying it can't happen but don't think it's 
>>> particularly common.
>>> I can look at adding some examples, if there's some consensus that 
>>> they'd be useful and this document moves forward.
>>>     I´m not saying it is a bad Idea just that I would prefer if it
>>>     was not a MUST.
>>>     With very limited addition of code it is just as easy to get the
>>>     certificate attribute for client id as it is to get it from the
>>>     HTTP request data (at least in java). I also think that with the
>>>     requirement to match the incoming certificate in some way one
>>>     has to read out the certificate that was used to establish the
>>>     connection to do some kind of matching.
>>> Getting data out of the certificate isn't a concern. I just believe 
>>> that the constancy of having the client id parameter is worth the 
>>> potential small amount duplicate data in some cases. It's just a -00 
>>> draft though and if the WG wants to proceed with this document, we 
>>> seek further input and work towards some consensus.
>>> _______________________________________________
>>> OAuth mailing list
>> _______________________________________________
>> OAuth mailing list
>> <>