[OAUTH-WG] Alternatives to unverified key sharing
Watson Ladd <watsonbladd@gmail.com> Tue, 10 June 2025 21:31 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 395FD33618AD for <oauth@mail2.ietf.org>; Tue, 10 Jun 2025 14:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Frfn01ppqUgt for <oauth@mail2.ietf.org>; Tue, 10 Jun 2025 14:31:07 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A48BC33618A1 for <oauth@ietf.org>; Tue, 10 Jun 2025 14:31:07 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-450ce3a2dd5so53010935e9.3 for <oauth@ietf.org>; Tue, 10 Jun 2025 14:31:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1749591066; x=1750195866; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=RDCjnlmWqvOfYG62I2nKh/OGDL6a9SVCN0sJhiCkYY4=; b=Z1snzVGdm63XSGdLlL3BwDdCwURGgnLEtprSyHAfPdkQg4BmLQJrTgJTKsWToVoVMV UUZ723AlqKLQJNo4+irbuiadDZ26HCOtnRUItJ/DzuV+xVJCvXIOtlhh/F5zmlCXviEr JnBddcFOPBZ4fJkQHv318WtGFNlfxUjkwrqZlnZqhwhBGKpyD2QpThWBV+A2zDV3yIwk fVUI+EkWgnDk61MzjopbV+duUR+OE/t8rxrlP3l+80yTTov3vRcRu7PHx1j4l3nIVCTC ysWUI+38zZG9LDdeozj5jVLOdffPObo/mdmD7ah4uO2WCL6EZvSSiHr7HoSTHyYeiUf0 K22w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749591066; x=1750195866; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=RDCjnlmWqvOfYG62I2nKh/OGDL6a9SVCN0sJhiCkYY4=; b=TZLyn75oO1/gOEbC+dQlsv2nBZRh8JT+VLjbZyBJ/3LOdOtciVPW8yRSs0cBj3i51n PE8aGKNIjXs2UzV9Gdxu/wUi2EEKY+jGMWC0y2SGukDbMPEXrOfLAaxXz7rt28OW+9dD z/AhfIos+fOvO6fGnvlK1GFwNITWC4VjO3Xvh+Qx72+LaBc1zxqCdbw1rmaWgCNFijPp lHIxJQvPlEqx2XK3pL0TUsQmDR4fivS3BdPi7wbcLW69cUwbdemnT/lUgVllJ7cptM2t BlMoYPkJK5qpeCSBl7mIT9MsbBHgQGV2le9PGxXZBuMIi8hDmhB2OcR/qusFeH/P3n2X vnMQ==
X-Gm-Message-State: AOJu0YyVSCXY9tNSBAfPIWAKG39ddcTgoRacJ/S9rPumJ2DLzrz7rfxO XKi+mdjuNoEF5FRP3mxm7jdYC8aCnZBX3+har0pTOuvEMDnzYdeDDNv6K292XIpvs3qLJo7X+R8 7wbv5EFAs9s2eNsKpJZECtL0g7xK1JJUnew==
X-Gm-Gg: ASbGncvaJk2xJ2bxEu91EiR+Y7GoIdnLoU2a8PkJzz5/1ezkvhls6pkiy/0NB5ucxIh XcmZW81xx26pcow9kXJm9EwJpPm7Ym3OHlVeKi62n3LtK9hGbhA8pNTzdpC/l4K6l2b1o0i7Ej8 nkyW4RRaiyjHwU/VYRABMGLTtd8cMGsT2mKgYbvjMWtTnbtwbMV6bPYXVdWDHuxNnb3Cw6+sAMz KLd
X-Google-Smtp-Source: AGHT+IGjbW4deKVbe+WELeSh/u1r46+AUi1JPO2kX7LeiAg4EQOcir6CIExl4K8vmm+ToHnrqzhLRnMIa6YFR7oW1q0=
X-Received: by 2002:a05:600c:8b48:b0:43d:47b7:b32d with SMTP id 5b1f17b1804b1-453248e143amr4561485e9.25.1749591066339; Tue, 10 Jun 2025 14:31:06 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 10 Jun 2025 14:30:54 -0700
X-Gm-Features: AX0GCFsba2D2-7wJJMkpe6AN0oeWyfxtZtZm_Fa0zPpg1dBKxV8Q9dbsFOxGaCc
Message-ID: <CACsn0ckzOXW7XLELD+D0C3h7M9MDbQQmC7=MESjU44Tnm=m_Lg@mail.gmail.com>
To: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: Q3YGHBUWSTP34QKI7SGRHGBQ4NKO3AND
X-Message-ID-Hash: Q3YGHBUWSTP34QKI7SGRHGBQ4NKO3AND
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Alternatives to unverified key sharing
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FgqTykDaGvRxy79jKYOGP08ngyA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Dear ouath WG, I watched the Bangkok presentation and I think that the problem presented as motivation really has better solutions, or maybe I didn't quite understand it. As I understand it the issue is that we have a client that needs an oauth token where the fields are dynamically produced as a result of one coming in, and the client doesn't know how to get one. I think it would be safer to have the auxiliary process produce a grant to an existing token that the client does have where proof of possession of the key already exists via chaining, akin to how we can use intermediates in X509. This avoids the issues with unknown key share that are an unfixable issue with the current proposal. Sincerely, Watson -- Astra mortemque praestare gradatim