IETF Logo Mail Archive

[OAUTH-WG] Re: Call for adoption - PIKA

Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 17 September 2024 20:01 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC5CCC18DB99 for <oauth@ietfa.amsl.com>; Tue, 17 Sep 2024 13:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connect2id.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-GtTL3O-zVe for <oauth@ietfa.amsl.com>; Tue, 17 Sep 2024 13:01:09 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [IPv6:2001:67c:2050:102:465::203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 517A5C151995 for <oauth@ietf.org>; Tue, 17 Sep 2024 13:01:08 -0700 (PDT)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4X7Xhs4K0rz9vXY for <oauth@ietf.org>; Tue, 17 Sep 2024 22:01:01 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connect2id.com; s=MBO0001; t=1726603261; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ZSjTpXYfW7sup09EY+e4p5dD+nkCVtdXQy+G3RTqSqc=; b=KFOPGLGrqge5LPBNHlboOAZGYrq7zyM8ZqQpqgPbELFP9z/2JRosEKTQOt/8/0Fw9FcDqs T6dccBBClR+CLF2I2DNezTVxSLTRIkWMjOovFlxnbgXegsPH91zNTKPOPYWYseA8StfwRU 17HXeXz8ShQhkvph0dhb1HJgPVrV3VaFwUwcgAGzh4JLXlaGKIZ9XWuRx2oB0hc2DAHLAU hxG/YOeCZMVXxY2RiPLz354aGii7cOLbjP6l60AE+S+OyFqLWzbmxq9D5pzVC0koYMJOzo eG5cSdOGVcfQaLTCeoAS9bm+hYHhknhkPTGtHKGVImi77QQBAmrzKgFFEcq02g==
Message-ID: <ff6a0d93-af5d-479f-9ae7-14815364a73e@connect2id.com>
Date: Tue, 17 Sep 2024 22:58:25 +0300
MIME-Version: 1.0
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
To: oauth@ietf.org
References: <CADNypP80YnzxOc_NDbFqK0bv=i0Ys1s8hYHwo-PqhUPbAWs4sg@mail.gmail.com>
Content-Language: en-US
Organization: Connect2id Ltd.
In-Reply-To: <CADNypP80YnzxOc_NDbFqK0bv=i0Ys1s8hYHwo-PqhUPbAWs4sg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040402010307050007020708"
X-Rspamd-Queue-Id: 4X7Xhs4K0rz9vXY
Message-ID-Hash: JEJGBGMX5KBW2KHQJRLGX2FO57ZAE6JM
X-Message-ID-Hash: JEJGBGMX5KBW2KHQJRLGX2FO57ZAE6JM
X-MailFrom: vladimir@connect2id.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ChO-1vakQYveyjxfMIgzL8aFhz4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I frankly don't see how the central premise of PIKA - the reliance on a 
TLS web domain certificate - can be made to work in practice.


Reasons: Infrastructure in the real world, mixing of concerns, conflict 
with CA policies and CAB Forum requirements, NIST etc guidance 
compliance issues.


The argument - JWKs are already published at an HTTPS URL - so let's 
take the private key from the web reverse proxy (assuming there is no 
HSM) and start signing JWTs at some application with it - how I would be 
able to make this argument at some company X.

When we look at how infrastructure is setup and administered - even if 
we here in the OAuth WG decide to say "using the private TLS key for 
other purposes is entirely okay" - there are significant practical 
issues with this. It's not just a matter of being theoretically able to 
cross from the app layer into the TLS layer. These two layers are 
typically managed by different departments in orgs, and there are good 
reasons to isolate them. I can't imagine being able to go to the admins 
and say, make me a copy of the private key so I can sign JWTs with it, 
or let me install this service on your infra to sign my JWTs.

Let's also think about the potential legal and compliance issues.

CAs that issue certs that prove web domain control have policies. These 
policies are linked to the EKU values in the certs. Using the cert to 
sign stuff other than that expressly identified in the CA policy and the 
extKeyUsage fields can be seen as breaking those policies.

https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf

> 3.6 Installation and Use of Your Certificate
> The purpose of Your Certificate is to authenticate and encrypt 
> Internet communications.

I'd also suggest to go and check whether the CA / Browser Forum, in its 
"Baseline Requirements for the Issuance and
Management of Publicly‐Trusted TLS Server Certificates" does not 
stipulate an overarching policy for CAs that generally prohibits issue 
of TLS certs with additional EKU values.

Orgs that seek compliance with NIST and similar guidance are likely to 
see issue with this approach too. Documents like NIST Special 
Publication 800-57 / Recommendation for Key Management.

I'm not in favour of adopting this spec as it is in the WG. Let's 
consider the practical situation apart from what seems technically possible.

I made a diff between drafts 01 & 02 and noticed that in 02 the policy 
issues of using CA TLS certs for PIKA were probably recognised to some 
degree, in the "5.2. Signing Key Compromise" section.

https://author-tools.ietf.org/iddiff?url1=draft-barnes-oauth-pika-00&url2=draft-barnes-oauth-pika-01&difftype=--html

Apart from the "5.2. Signing Key Compromise" section, draft 02 that is 
now proposed for adoption is identical to the original 01 that wasn't 
adopted in June. It's okay to explain the intent to resubmit without 
changes, just as it's okay to disagree on a particular adoption. I get 
it that the topic of PIKA feels contentious.


Vladimir Dzhuvinov

On 03/09/2024 13:47, Rifaat Shekh-Yusef wrote:
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for 
> the *Proof of Issuer Key Authority (PIKA) *draft:
> https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
>
> Please, reply on the mailing list and let us know if you are in favor 
> or against adopting this draft as WG document, by *Sep 17th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list --oauth@ietf.org
> To unsubscribe send an email tooauth-leave@ietf.org

v2.37.1 | Report a Bug | By Email | System Status