IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Jim Manico <jim@manicode.com> Thu, 24 November 2016 08:42 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DE281295C4 for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2016 00:42:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.877
X-Spam-Level:
X-Spam-Status: No, score=-0.877 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n0T-n-qT6hhg for <oauth@ietfa.amsl.com>; Thu, 24 Nov 2016 00:42:19 -0800 (PST)
Received: from mail-wj0-x230.google.com (mail-wj0-x230.google.com [IPv6:2a00:1450:400c:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 359821295ED for <oauth@ietf.org>; Thu, 24 Nov 2016 00:42:18 -0800 (PST)
Received: by mail-wj0-x230.google.com with SMTP id v7so27868680wjy.2 for <oauth@ietf.org>; Thu, 24 Nov 2016 00:42:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode-com.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:message-id :references:cc:in-reply-to; bh=zkMRe4qSFj7u82+lXoPYL1NgGDmD6nQ38XMsyT29nO4=; b=wBzMqpkNlN6448lor/50vVGm9X9JH3lz5yNPu0STYlOGdaHr9tDfk1r9jvajmIQQQP Y1MNFpslXc9/65sIBO/bJ5Sxj3Rw3ednpjyx5AXwec6wdIT9VmYbH7JQf0YtTD7Y0BKW hM5ucI9z7GzSGfqsE/3yl/N+g+gj4ffVo4XGvB0q6soXWIQhvfYeUVJJgLqYs4j/sF1A 8y78a12tzs48dQF+gUcS4GOF/I/ocbSq8Tf/GI5DYWdgPanTA77IVHdHK5qsJiBimzzD hmbVdLqwNRafhB2uhLsgBut4b5mitMwls5d1bE1BE0baZy8C0I6T/FlX9de7o/smwts1 HvQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:message-id:references:cc:in-reply-to; bh=zkMRe4qSFj7u82+lXoPYL1NgGDmD6nQ38XMsyT29nO4=; b=kFRGIjFjTRvKrewmidIleIBD1ailXjig08RTYgXI7B7BHUaetepcfcLSl1R9mzs/N5 Fqsm2MvbXPtQB4JENp0gWYLlxKv5DpRXz3R14hzh5j00+4K4r0GqeQJZDk59DzUiGTVv GdQJzgnxWyanci96h4BM4MFXi9RHDUjWhhseA+QnczrFVaZ/SeH+b+1ZkUG8EY4etuIg unJBkNN1dNVWjF1sPKNfu5Je5ikxB3itKNS3n/x4Ju+ElQV2MFjxNBu6WXFEEXEWasqn X+o9ZU2cSM80jAZ7geCoPu2CTtmteWydK1mnFRAIXPI/KDe8fFIvQqGRnxZINEWC/AHE 76RA==
X-Gm-Message-State: AKaTC02nVZBZAAl3a99g1BZxt9O9QVafFIMwHsUGpApGCupf2+EYjJy1PlSgps2T6nhseEGh
X-Received: by 10.194.78.195 with SMTP id d3mr1138897wjx.96.1479976936733; Thu, 24 Nov 2016 00:42:16 -0800 (PST)
Received: from [10.159.1.15] (smb-adpcdg2-02.hotspot.hub-one.net. [213.174.99.136]) by smtp.gmail.com with ESMTPSA id i132sm6980227wmf.14.2016.11.24.00.42.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Nov 2016 00:42:15 -0800 (PST)
From: Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-DDF87DAC-A5CE-40D3-9B6E-4770063B407A"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Thu, 24 Nov 2016 09:42:15 +0100
Message-Id: <F32E7B08-C8F2-4C52-AC30-CD613759725B@manicode.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <5827DE8A.4010807@lodderstedt.net> <4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu> <5827F848.3060803@lodderstedt.net> <2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu> <58280139.2040505@lodderstedt.net> <CA+k3eCS-S8G-jxRMnvczaysdNZSRWwiPnGTMnGVnh8dWgh0k-A@mail.gmail.com> <F31A1C87-C18F-4203-A1AE-DF32BCB005B4@mit.edu> <CAF2hCbYxcVzfPCQ5vLm9-Xnz3y_tMOepx1Gkwx9-2txKJo1zKg@mail.gmail.com> <CA+k3eCTuC7EfXm-aGKDEPFUDjAjB4nZyy9wHCBwYVfRX6-zdzw@mail.gmail.com> <CAF2hCbbQkwObfhXkTpUjXdwA+OBOeHUDf81MHDJ6Ovh9NPYf6Q@mail.gmail.com>
In-Reply-To: <CAF2hCbbQkwObfhXkTpUjXdwA+OBOeHUDf81MHDJ6Ovh9NPYf6Q@mail.gmail.com>
X-Mailer: iPhone Mail (14B150)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HdAIiN2dULIw9s0S8pSNlT-QGjk>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2016 08:42:22 -0000

Dude. You're freaking awesome. Thanks for this insight.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

> On Nov 24, 2016, at 7:48 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
> 
> +1 on providing guidance.
> 
> 
>> On Wed, Nov 16, 2016 at 12:08 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> Yes, I believe you are correct. Client certificates are provided in the handshake (initial or renegotiated) at the request of the server. If the server asks and the client doesn't provide a cert, it's up to the server whether to continue or about the handshake. 
>> 
>> There seem to be a number of different ways of trying to deal with this (not strictly for this OAuth case but similar situations).
>> 
>> The AS could always request client certs but allow connections to proceed regardless. Then check for certs for appropriate clients while processing token requests.  I guess there's a little overhead in the handshake with this for all the connections that won't present a cert. But not a ton. The main drawback is that some/many browsers have UI that will prompt users to choose a cert even when they don't have any. And the user experience can be very bad or confusing as a result.
>> 
>> The token endpoint could be on a different host or port which always requests client certs. Still allow connections to proceed regardless and check the client credentials at the OAuth layer. Pretty similar to the above but avoids the usability issues with end users because it's only at the token endpoint. 
>> 
>> Trying renegotiation after the application sees that it's a token request or that it's a token request from a client id that's configured for mutual TLS is another approach. In my own limited experience with this kind of thing, however, this approach can be kind of flaky. And your point about the initial data not being trustworthy is legitimate. I'm not sure if it really matters in this case. I don't know. And signaling to resubmit is another issue all together. 
>> 
>> There are probably other approaches too but those are the things I've seen or can imagine. In all (or nearly all) the deployments of our stuff that I know about that deal with mutual TLS, some variation of the second option is used. 
>> 
>> All this seem like implementation/deployment details though and I'm hesitant to try and define how to do it in this doc. Maybe providing some guidance. I'm not exactly sure how to do that though.  
>> 
>> 
>> 
>>> On Tue, Nov 15, 2016 at 10:14 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
>>> Torstens questions triggers another question from me. 
>>> 
>>> If we have an AS that can handle both certificate client auth and client secret, how does the AS know that it should ask for client certificate on the TLS layer.
>>> 
>>> It was a while since I last read the TLS specification and it might have changed but if i remember correctly client certificates are provided in initial handshake or in re-negotiate and it is only provided on request by the server.
>>> 
>>> If this is still true the AS would need to first get the token request, see that this is a client that authenticates with certificate and request a TLS re-negotiate to get the certificate authentication and a re-submission of the token request since we cannot trust the data first submitted.
>>> 
>>> Are I missing something obvious, or is this something that needs to be defined?
>>> 
>>> //Samuel
>>> 
>>> 
>>> 
>>> 
>>> 
>>>  
>>> 
>>>> On Mon, Nov 14, 2016 at 1:26 AM, Justin Richer <jricher@mit.edu> wrote:
>>>> Right — this is a fine way to put it. RFC7591 defines a client model where RFC6749 didn’t. Ideally all that metadata would’ve been in the original spec, but it’s not. It doesn’t matter whether the client was registered dynamically or statically, it just matters that the AS knows what to expect from a given client.
>>>> 
>>>>  — Justin
>>>> 
>>>>> On Nov 14, 2016, at 6:21 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>>> 
>>>>> Yes, the intend is that the authentication method is determined by client policy regardless of whether the client was dynamically registered or statically configured or whatever. I can make that point more explicit in future revisions of the draft. 
>>>>> 
>>>>>> On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>> I understand. My point is different: the text seems to assume everybody is using client registration, but that's not the case. I would like to point out it makes sense to explicitely state the assumption that it is determined by client policy (indepedent of the way this policy is established).
>>>>>> 
>>>>>> 
>>>>>>> Am 13.11.2016 um 14:24 schrieb Justin Richer:
>>>>>>> As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc), that’s where we’d check to see if the client was supposed to be using TLS auth or not.
>>>>>>> 
>>>>>>> We don’t let clients switch away from their registered auth mechanism.
>>>>>>> 
>>>>>>>  — Justin
>>>>>>> 
>>>>>>>> On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>>>> 
>>>>>>>> Justin,
>>>>>>>> 
>>>>>>>>> Am 13.11.2016 um 13:39 schrieb Justin Richer:
>>>>>>>>> Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3. 
>>>>>>>> 
>>>>>>>> in the token request?
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.
>>>>>>>>> 
>>>>>>>>>  — Justin
>>>>>>>>> 
>>>>>>>> Torsten.
>>>>>>>>>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi John and Brian,
>>>>>>>>>> 
>>>>>>>>>> thanks for writting this draft.
>>>>>>>>>> 
>>>>>>>>>> One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
>>>>>>>>>> 
>>>>>>>>>> best regards,
>>>>>>>>>> Torsten.
>>>>>>>>>> 
>>>>>>>>>>> Am 11.10.2016 um 05:59 schrieb John Bradley:
>>>>>>>>>>> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented 
>>>>>>>>>>> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>>>>>>>>>>> 
>>>>>>>>>>> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>>>>>>>>>>> 
>>>>>>>>>>> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>>>>>>>>>>> 
>>>>>>>>>>> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
>>>>>>>>>>> 
>>>>>>>>>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>>>>>>>>> 
>>>>>>>>>>> Regards
>>>>>>>>>>> John B.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Begin forwarded message:
>>>>>>>>>>>> 
>>>>>>>>>>>> From: internet-drafts@ietf.org
>>>>>>>>>>>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>>>>>>>>>>>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>>>>>>>>>>>> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>>>>>>>>>> has been successfully submitted by John Bradley and posted to the
>>>>>>>>>>>> IETF repository.
>>>>>>>>>>>> 
>>>>>>>>>>>> Name:		draft-campbell-oauth-tls-client-auth
>>>>>>>>>>>> Revision:	00
>>>>>>>>>>>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>>>>>>>>>>>> Document date:	2016-10-10
>>>>>>>>>>>> Group:		Individual Submission
>>>>>>>>>>>> Pages:		5
>>>>>>>>>>>> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>>>>>>>>>>>> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>>>>>>>>>>> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> Abstract:
>>>>>>>>>>>>   This document describes X.509 certificates as OAuth client
>>>>>>>>>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>>>>>>>>>   authentication as a mechanism for client authentication to the
>>>>>>>>>>>>   authorization server's token endpoint.
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>>>>>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>>>>>>>>> 
>>>>>>>>>>>> The IETF Secretariat
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email