Re: [OAUTH-WG] convert to credentialed client... ( was OAuth2.1 credentialed client )
Brian Campbell <bcampbell@pingidentity.com> Fri, 15 October 2021 18:34 UTC
Looking/searching through https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-04.html, all the occurrences of "credentialed" outside of sec 2.4 and the text I was complaining about previously are treating confidential and credentialed the same. I.e. "If the client is confidential or credentialed", "Confidential or credentialed clients MUST", "authentication for confidential and credentialed clients", etc. So the distinction/definition isn't serving a meaningful function in the rest of the document. As such, I'd suggest removing the credentialed concept entirely and using sec 2.4, as appropriate or needed, to discuss the subtleties of the various ways clients establish themselves with an AS and the implications to the amount of trust that can be placed therein.

On Mon, Oct 11, 2021 at 4:53 PM David Waite <david=40alkaline-solutions.com@dmarc.ietf.org> wrote:

> > On Oct 11, 2021, at 11:52 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > Thanks for the feedback Brian. We have struggled in how to concisely describe credentialed clients.
> >
> > "identifying a client" can be interpreted a number of ways.
> >
> > The intent is that the AS knows a credentialed client is the same client it previously interacted with, but that the AS cannot assume any other attributes of the client, for example that it is a client from a given developer, or has a specific name.
>
> It sounds like the goal is to distinguish authenticating the client from trust of the client pedigree, e.g. the only authenticity of a public client might be that it can catch the redirect_uri, and the only authenticity of a dynamically registered client is what you required and verified up to that point.
>
> Some of that trust may be on confidentiality of data, prior reputation, safeguards to prevent token exfiltration or unauthorized token use locally, etc.
>
> A credentialed client is not more trusted than a confidential client - it is just more uniquely identifiable. A public client does not have a mechanism (within OAuth today) to prove its trustworthiness on request because it is not authenticated as the party with that trust. You instead would need to e.g. do client registration with a software statement.
>
> It may help to know what actions are MUST NOT or SHOULD NOT for credentialed clients vs confidential clients. Without that, the distinction seems it should be self contained in 2.1 like the client profiles, and maybe the term confidential client be explained to be a misnomer and more broadly explained that confidential vs public client is _not_ meant to be described as a trust distinction.
>
> -DW

--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
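The point David makes above (a dynamically registered client is "more uniquely identifiable" but not more trusted, and a software statement is what lets an AS trust attributes such as the client name), as an added illustration that is not code from this thread or from any OAuth implementation: a constructed registration endpoint that issues a secret to any caller but only marks RFC 7591 metadata as verified when a software statement vouches for it. Assumptions: HS256 with a key shared with the statement issuer stands in for the issuer's real signature, and the key and metadata values are made up.

```python
"""Constructed AS registration endpoint: a new client gets a secret (so the AS can
recognise it again) but its metadata is only trusted if a software statement vouches for it.
Assumption: HS256 with a shared key stands in for the issuer's signature; values are made up."""
import base64, hashlib, hmac, json, secrets
from typing import Optional

SOFTWARE_STATEMENT_KEY = b"constructed-demo-key"  # assumed statement-issuer key
ATTESTABLE = ("client_name", "software_id")        # RFC 7591 metadata names

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_software_statement(claims: dict, key: bytes) -> str:
    """Issuer side: sign client metadata as a compact JWT (HS256 stand-in)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_software_statement(token: str, key: bytes) -> Optional[dict]:
    """AS side: return the claims only if the signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or malformed JSON
        return None

def register_client(request: dict) -> dict:
    """Issue credentials and split metadata into verified vs. self-asserted."""
    record = {"client_id": secrets.token_urlsafe(16),
              "client_secret": secrets.token_urlsafe(32),  # proves "same client as before", nothing else
              "redirect_uris": request.get("redirect_uris", []),
              "verified": {}, "unverified": {}}
    claims = None
    if "software_statement" in request:
        claims = verify_software_statement(request["software_statement"], SOFTWARE_STATEMENT_KEY)
        if claims is None:
            raise ValueError("invalid_software_statement")  # RFC 7591 error code
    for name in ATTESTABLE:
        if claims and name in claims:
            record["verified"][name] = claims[name]      # vouched for by the statement issuer
        elif name in request:
            record["unverified"][name] = request[name]   # asserted by whoever called the endpoint
    return record
```

A consent screen or audit log should only display values from `verified`; anything in `unverified` is exactly as trustworthy as an anonymous caller of the registration endpoint.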