Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Warren Parad <wparad@rhosys.ch> Thu, 14 October 2021 15:19 UTC

References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <1BCD53C7-4802-42A1-97EE-81C93F54588E@mit.edu>
In-Reply-To: <1BCD53C7-4802-42A1-97EE-81C93F54588E@mit.edu>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 14 Oct 2021 17:18:53 +0200
Message-ID: <CAJot-L2K1MYp46bJcrXzj7b67aL8R+wT9qJXRwcq2vQ56TXmQA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DmBXfGU4yDYeiyHw1VB1KXTSb0c>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

I'm glad you brought this up, since Signatures can already be used with
OAuth, the question is exactly that. What are the ways using these together
without an explicit RFC would cause a problem? I'm not totally sure that
makes sense, so let me give an example. If the draft says "we need to
exchange keys, but it isn't part of the draft" and we have that for every
section, what's the benefit of the RFC in the first place? Sure, PoP needs a
solution; is it solved without an RFC for anyone using OAuth and the
Signature draft as is, or is there something meaningful that needs to be
documented?

Without providing author recommendations in the form of filling in at least
part of the draft, instead of the question being *is this the right way to
solve this part of the problem* it becomes *should we even have a draft.*

The one part of the draft that does exist is "Introduction of a new token
type", which if we say:

> The RS can get that through introspection, through something in the token
> itself (like the JWT “cnf” claim)

Then the obvious conclusion should be: we don't need a new token type. So
if we remove that from that draft, it brings me back to the original point:
what problem does this particular draft solve as part of PoP, other than
saying we should have PoP via message signatures because message signatures
can provide PoP?

We could say things like "Key exchange needs to be defined so that..." or
"a new claim needs to be added so that...", but I fear we haven't done that
with the draft so far.

Obviously this is only my perspective, which isn't saying let's not do
this, it is "sure, let's do this as long as we can answer these questions".
Right now I'm not convinced of this actually solving the PoP situation for
me; while it is a valid argument, it isn't a sound one, due to its
implementation relying on Signatures and how Signatures is constructed at
this moment.

So rather than "this is PoP", let's focus on the problems needed to solve
for PoP Signatures to work.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Thu, Oct 14, 2021 at 4:51 PM Justin Richer <jricher@mit.edu> wrote:

> I wanted to jump back to the top of the thread to point out something that
> seems to be getting missed:
>
> This is not a call for adoption of HTTP Message Signatures. That document
> already exists in the HTTP WG and will be published as an RFC from that
> group. If you want to have discussions about how the HTTP Message
> Signatures specification works, come to the HTTP working group for those
> discussions.
>
> This is a call for adoption of an OAuth application of the HTTP Message
> Signatures spec. Signatures will exist with or without the OAuth WG’s use
> of it, and I would argue that people are going to attach OAuth access
> tokens to requests using HTTP Message Signatures whether or not the
> OAuth WG picks up the work. The question is whether those applications are
> going to be isolated profiles and silos, like they are today, or whether
> there can be one way to use them together across different systems.
>
> My recommendation is that the OAuth WG define how exactly HTTP Message
> Signatures should be used with OAuth, which is what this proposal is
> for.
>
> — Justin
>
>
> On Oct 6, 2021, at 5:01 PM, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> All,
>
> As a followup on the interim meeting today, this is a *call for adoption* for
> the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft
> as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>
> Please provide your feedback on the mailing list by *October 20th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
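The binding the thread argues about (the RS learns the client's key from the access token, here via the JWT "cnf" claim, and then checks an HTTP message signature made with that key) as an added, runnable illustration in Go. This is example code written for this page, not code from draft-richer-oauth-httpsig, from HTTP Message Signatures, or from any of the participants. It assumes an EdDSA-signed JWT carrying an RFC 7800 cnf.jwk, the signature-base layout of RFC 9421 (the published form of the HTTP Message Signatures draft discussed here) with a fixed component list that covers the Authorization header, and constructed Ed25519 seeds; a real RS would derive the component list from Signature-Input and fetch the AS key from metadata instead of sharing a seed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed, fixed seeds so the example is reproducible; real systems generate and distribute keys.
func keys() (asPriv, clientPriv ed25519.PrivateKey) {
	asSeed, clientSeed := make([]byte, ed25519.SeedSize), make([]byte, ed25519.SeedSize)
	copy(asSeed, "constructed authorization server seed")
	copy(clientSeed, "constructed client seed")
	return ed25519.NewKeyFromSeed(asSeed), ed25519.NewKeyFromSeed(clientSeed)
}

var b64url = base64.RawURLEncoding

// Request is the minimal view of an HTTP request this example needs.
type Request struct {
	Method, Authority, Path string
	Headers                 map[string]string
}

// tokenClaims is the subset of the access token the RS inspects; cnf.jwk is the bound key (RFC 7800).
type tokenClaims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Cnf struct {
		Jwk struct {
			Kty string `json:"kty"`
			Crv string `json:"crv"`
			X   string `json:"x"`
		} `json:"jwk"`
	} `json:"cnf"`
}

// mintToken is the AS side: an EdDSA JWT whose cnf.jwk carries the client's public key.
func mintToken(asPriv ed25519.PrivateKey, clientPub ed25519.PublicKey, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "at+jwt"})
	body, _ := json.Marshal(map[string]interface{}{
		"iss": "https://as.example", "sub": "user-123", "exp": now.Add(5 * time.Minute).Unix(),
		"cnf": map[string]interface{}{"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64url.EncodeToString(clientPub)}},
	})
	input := b64url.EncodeToString(hdr) + "." + b64url.EncodeToString(body)
	return input + "." + b64url.EncodeToString(ed25519.Sign(asPriv, []byte(input)))
}

// covered is the fixed component list this RS requires; covering "authorization" ties the token to the signature.
const covered = `("@method" "@authority" "@path" "authorization")`

// signatureBase follows the RFC 9421 layout: one line per covered component, then the parameters line.
func signatureBase(r Request, params string) string {
	return strings.Join([]string{
		`"@method": ` + r.Method,
		`"@authority": ` + r.Authority,
		`"@path": ` + r.Path,
		`"authorization": ` + r.Headers["Authorization"],
		`"@signature-params": ` + params,
	}, "\n")
}

// buildSignedRequest is the client side: get a token bound to its key, then sign the request with that key.
func buildSignedRequest(now time.Time) Request {
	asPriv, clientPriv := keys()
	token := mintToken(asPriv, clientPriv.Public().(ed25519.PublicKey), now)
	r := Request{Method: "GET", Authority: "api.example", Path: "/resource",
		Headers: map[string]string{"Authorization": "Bearer " + token}}
	params := fmt.Sprintf(`%s;created=%d;keyid="client-key"`, covered, now.Unix())
	r.Headers["Signature-Input"] = "sig1=" + params
	sig := ed25519.Sign(clientPriv, []byte(signatureBase(r, params)))
	r.Headers["Signature"] = "sig1=:" + base64.StdEncoding.EncodeToString(sig) + ":"
	return r
}

// verifyRequest is the RS side: validate the token, take the key from cnf, then check the message signature.
func verifyRequest(r Request, now time.Time) (string, error) {
	asPriv, _ := keys() // stands in for the AS public key the RS would fetch from metadata
	parts := strings.Split(strings.TrimPrefix(r.Headers["Authorization"], "Bearer "), ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	jwtSig, err := b64url.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(asPriv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), jwtSig) {
		return "", errors.New("token signature invalid")
	}
	var c tokenClaims
	if payload, err := b64url.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return "", errors.New("token payload unreadable")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	pub, err := b64url.DecodeString(c.Cnf.Jwk.X)
	if c.Cnf.Jwk.Kty != "OKP" || c.Cnf.Jwk.Crv != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize {
		return "", errors.New("token is not bound to a usable Ed25519 key")
	}
	params := strings.TrimPrefix(r.Headers["Signature-Input"], "sig1=")
	var created int64
	if !strings.HasPrefix(params, covered) {
		return "", errors.New("signature does not cover the required components")
	}
	if _, err := fmt.Sscanf(strings.TrimPrefix(params, covered), ";created=%d;", &created); err != nil {
		return "", errors.New("signature parameters lack a creation time")
	}
	if d := now.Unix() - created; d < -60 || d > 60 { // replay window; tune to your clock skew
		return "", errors.New("signature creation time outside the accepted window")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(r.Headers["Signature"], "sig1=:"), ":"))
	if err != nil || !ed25519.Verify(pub, []byte(signatureBase(r, params)), sig) {
		return "", errors.New("message signature invalid: token presented without its bound key")
	}
	return c.Sub, nil
}

func main() {
	now := time.Now()
	sub, err := verifyRequest(buildSignedRequest(now), now)
	fmt.Println("subject:", sub, "error:", err)
}
```

The point the RS logic makes is the one in the quoted reply: once the key is available from the token itself, the RS needs no new token type, only a rule for which components must be covered and a freshness window. Because the RS always builds the base from the actual request, a stolen token replayed on a different path, without the Signature header, or after the window fails verification even if the attacker rewrites Signature-Input.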