Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Neil Madden <> Wed, 30 October 2019 19:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8B7F4120866 for <>; Wed, 30 Oct 2019 12:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZswbP5V3m5Un for <>; Wed, 30 Oct 2019 12:18:31 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8A923120255 for <>; Wed, 30 Oct 2019 12:18:31 -0700 (PDT)
Received: by with SMTP id q70so3310271wme.1 for <>; Wed, 30 Oct 2019 12:18:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=Pr6/9Rai4XnQmEkrUSlPN9I3I95MkU2RJxLYZnbX1oU=; b=CE+RUpP0BZ76bbw9PhCXbYznrjbNzHufCekRAtHHU8QI7uy8VRh2kFh8zRz8gdmfju Nof8qzk3C83gQ9IiO8QXpIEcceqFyLVs6D0yBvXsf14itFlvTREF3itgWd8n2H5gmngI axv2eH+kSRdFCeF8Z5d+c0zU8n8EakABMGiwM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=Pr6/9Rai4XnQmEkrUSlPN9I3I95MkU2RJxLYZnbX1oU=; b=GpHXTboS12KlQzLkFe78OlQX2BfESCs6byxv/ZbKc2ZC+02WSGdIswY1HdsPU93WFY IrrdPDWY/ArAwmqQ0yBSHxV3RYKdiSvHgQdMHeh2nbrZTqmJs6+AvpyUR2ElV6uBsQpB dkM3C8LpAISchO7sWE+hHjI/90Yucwwxj4+AtukHGf0pkhViDvFA7DU9s1/zKQFl4FZR hzhKRS7txZv/ECAKXxFpJyZHPIgCOsumNpQfFKjFbXi7jLTj9Q80iLXyar3cZZ+r4sSD 5Cn+HJtqm92SHLiCzveQFXyi8LBRigQXU3RBF3Ak2BgHPAHFyuhgMrvbkhQfCV0WXslX ZVlg==
X-Gm-Message-State: APjAAAX1azjCf+kk1UbWnhsTjWEMBA87Gfde4+r5XE1Rbxum9f1+9ImP /8FerBWPvejbVi/YG7KMrM6ZIw==
X-Google-Smtp-Source: APXvYqxAFdFrEuelOna571ukE9K4cqKN5q6TYVvLOM+rFEm6hHStzIqEEyDKhyBhDHA39drQsmTxhw==
X-Received: by 2002:a1c:67d7:: with SMTP id b206mr1007901wmc.68.1572463109928; Wed, 30 Oct 2019 12:18:29 -0700 (PDT)
Received: from ?IPv6:2a01:4c8:9:46ab:edd0:36d9:9264:132d? ([2a01:4c8:9:46ab:edd0:36d9:9264:132d]) by with ESMTPSA id v6sm1473394wru.72.2019. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 30 Oct 2019 12:18:28 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-E6C615FD-1991-4CFA-8594-62B336B2042E"
Content-Transfer-Encoding: 7bit
From: Neil Madden <>
Mime-Version: 1.0 (1.0)
Date: Wed, 30 Oct 2019 19:18:27 +0000
Message-Id: <>
References: <>
Cc: Justin Richer <>, Brian Campbell <>, oauth <>
In-Reply-To: <>
To: "Salz, Rich" <>
X-Mailer: iPhone Mail (17A878)
Archived-At: <>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Oct 2019 19:18:34 -0000

If you can point out where I recommended disabling TLS or not bothering to strip headers from incoming requests, or anything else along those lines then please let me know. Otherwise, yes we’re done here. 

> On 30 Oct 2019, at 17:19, Salz, Rich <> wrote:
> To quote your previous claim: "There is no such thing as an unguessable name."
> Right.  That doesn’t mean *I* have to guess it.
> Even if your deployment team had such staggeringly bad operational security practices as to allow people to take packet captures from an internal network and show them on public slides without any kind of questions being asked, if this actually happens *YOU ARE NO WORSE OFF THAN IN THE SITUATION WHERE YOU USED A WELL-KNOWN HEADER NAME*!
> Yes you are worse off.  Because that now-exposed header value can be used for spoofing.  As opposed to protection by TLS, and then sending the plaintext message around.
> I don't know how many different ways I can say that this is a defense in depth
> Because it is not.  It is taking an application-level piece of configuration data and requiring it to be treated as if it were crypto material. Which it cannot be, because multiple parties need to know it (as I said, the proxy, the backend, the app developers, the support team, etc).  It’s defense by “collapsing layers” rather than “in depth.”
> As with all defense in depth, the aim is to be more than 1 configuration mistake away from total compromise.
> But that is exactly what you are proposing. Exposing the header *is* a total compromise and multiple entities will need to know that header value.
> At any rate,  I think we’re done here.