Re: [OAUTH-WG] [EXT] Re: DPoP followup III: client auth
Denis <denis.ietf@free.fr> Fri, 04 December 2020 17:38 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0686D3A0E3C for <oauth@ietfa.amsl.com>; Fri, 4 Dec 2020 09:38:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UqeWuWF9PrTw for <oauth@ietfa.amsl.com>; Fri, 4 Dec 2020 09:38:29 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 988943A0913 for <oauth@ietf.org>; Fri, 4 Dec 2020 09:38:28 -0800 (PST)
Received: from [192.168.1.11] ([90.91.135.71]) by mwinf5d45 with ME id 0HeP2400G1Ybo4i03HePjs; Fri, 04 Dec 2020 18:38:24 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 04 Dec 2020 18:38:24 +0100
X-ME-IP: 90.91.135.71
To: oauth@ietf.org
References: <CA+k3eCQjCjbcHxmTFn_Ce1aQ-gn31mAXNp9PGp7d6mXkfyDWPA@mail.gmail.com> <3134_1606988830_5FC8B41D_3134_178_1_CALAqi_-6ovK4otw9JW+c5H3qjnFrUqbwn-AoyGnA_EHfCSgQNw@mail.gmail.com> <5F2D6022-CA13-4255-ADC2-78CCC1AED766@mitre.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <88df3b77-73e6-58f2-1392-61b4547700e9@free.fr>
Date: Fri, 04 Dec 2020 18:38:28 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <5F2D6022-CA13-4255-ADC2-78CCC1AED766@mitre.org>
Content-Type: multipart/alternative; boundary="------------C72957B4FBC7353E7026BBB1"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HjKQhohcxa6wzTBv_nTjwr2fw1k>
Subject: Re: [OAUTH-WG] [EXT] Re: DPoP followup III: client auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 17:38:32 -0000
Hi Michael, > Hi Brian, > > I think I lean towards “Shut up and never speak of this again”, but > could you clarify some things? > > I missed the interim meeting discussion on this slide – it looks like > DPoP for client authentication would have very similar properties as > private_key_jwt, but using DPoP instead? i.e. both use a private key > to sign a JWT that authenticates the client. > > Could you expand a bit on the advantage of using DPoP for both client > authentication and sender-constraining the token vs. using > private_key_jwt (for client authentication) + DPoP (for > sender-constraining the token)? > > Adding to Filip’s comment, is there just one DPoP proof sent in the > token request to cover both client authentication and > sender-constraining the token, meaning the same keypair would be used > for both DPoP usages? That would go against DPoP’s key rotation > guidance, but maybe would be okay if freshness guarantees of the DPoP > proof get added? > One or more client-AS authentication methods using asymmetric cryptography might be developed in a separate draft. However this does not mean that they should be based on the DPoP protocol. FIDO is one example of such a protocol, but its public key registration protocol has a weakness: after registration, the server has no proof that the client indeed possesses the private key, unless/until an authentication exchange is performed afterwards. Different keys should be used for DPoP and client-AS authentication. See an email related to privacy considerations about which key pairs may be used for DPoP : https://mailarchive.ietf.org/arch/browse/oauth/?q=Proposed%20text%20for%20a%20Privacy%20considerations%20section%20in%20draft-ietf-oauth-dpop-02 Denis > Thanks, > > Mike > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Filip Skokan > <panva.ip@gmail.com> > *Date: *Thursday, December 3, 2020 at 4:49 AM > *To: *Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> > *Cc: *"oauth@ietf.org" <oauth@ietf.org> > *Subject: *[EXT] Re: [OAUTH-WG] DPoP followup III: client auth > > 🤫, better not open up the possibility of thinking of DPoP Proof keys > as pre-registered (i.e. not "ephemeral"). > > Best, > *Filip* > > On Wed, 2 Dec 2020 at 23:30, Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:40pingidentity.com@dmarc.ietf.org>> wrote: > > There were a few items discussed somewhat during the recent > interim > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth> > that I committed to bringing back to the list. The slide below > (also available with a few extra spelling errors as slide #19 from > the interim presentation > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>) > is the last of them. > > To summarize, I'm wondering if there's WG interest in working to > formalize a client-to-AS authentication mechanism based on DPoP. I > think it potentially would be problematic to put into the current > document (for a number of reasons) so am preemptively ruling out > that option. Thus, basically, I'm asking the WG if there is > some/much interest in the idea? In which case I'll find some time > (at some point) to write up an I-D for it and bring that back to > the group for consideration. Or if I should, as the slide says, > "shut up and never speak of this again"? > > > */CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). > Any review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, > please notify the sender immediately by e-mail and delete the > message and any file attachments from your computer. Thank > you./*_______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] DPoP followup III: client auth Brian Campbell
- Re: [OAUTH-WG] DPoP followup III: client auth Filip Skokan
- Re: [OAUTH-WG] DPoP followup III: client auth Neil Madden
- Re: [OAUTH-WG] DPoP followup III: client auth toshio9.ito
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Michael A Peck
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Denis
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Brian Campbell
- Re: [OAUTH-WG] DPoP followup III: client auth Brian Campbell