[OAUTH-WG] Meeting Notes (9th March 2020)

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 17 March 2020 12:11 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: oauth <oauth@ietf.org>
Thread-Topic: Meeting Notes (9th March 2020)
Thread-Index: AdX8VP9fzY4uauwiTZy76xOjEIyzFQ==
Date: Tue, 17 Mar 2020 12:11:14 +0000
Message-ID: <AM0PR08MB3716E48583372E610EA016F6FAF60@AM0PR08MB3716.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xX7z0yOtFZgWE9HGEh3wwcQ790c>

Participants:

- Roman Danyliw
- Torsten Lodderstedt
- Travis Spencer
- Aaron Parecki
- Ben Kaduk
- Brian Campbell
- Cigdem Sengul
- Daniel Fett
- David Waite
- Filip
- Jim Schaad
- Justin Richer
- Marco Tiloca
- Matthew de Haast
- Michael Peck
- Mike Jones
- Phil Hunt
- Hannes Tschofenig
- Joseph Heenan
- Bjorn Hjelm
- Cristofer Gonzales
- Tony Nadalin
- Vittori
- Rifaat

Notes:

Rifaat showed the list of documents relevant to the discussion, including:
https://tools.ietf.org/html/draft-ietf-oauth-pop-architecture-08
https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03
https://tools.ietf.org/html/draft-richanna-oauth-http-signature-pop-00
https://tools.ietf.org/html/draft-cavage-http-signatures-12
https://tools.ietf.org/html/rfc8613
https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-07
https://tools.ietf.org/html/rfc7800
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33
https://tools.ietf.org/html/draft-ietf-oauth-mtls-17

Brian went through his presentation.

Hannes notes that OSCORE, a solution from the ACE group, is missing from the list.

Brian responds that nobody in the OAuth world cares about OSCORE.

Discussion about whether the ACE group uses the key distribution parameters for use with HTTP. Jim believes it does.

Justin explained the work Annabelle was doing.

Rifaat asked whether PoP + HTTP signing will solve his problem.

Brian does not believe that HTTP signing solves anything and, if it gets done, it will take a long time. It also does not cover the refresh token case.

HTTP Signing is a lot about HTTP canonicalization. It will allow for signing and HMAC computation over the resulting string.

Roman: For some, HTTP signing may still be too expensive?

Justin: Yes, we are starting with the cavage-http-signatures draft. There are some big problems with it, for example which parts are signed. Depending on what we sign, it will be necessary to re-create the signature with every request.
We need a profile for OAuth use to indicate where to send the token and what to include in the signature.

Brian: I believe that every request should require a new signature. Finding out whether a signature can be omitted will be prohibitive.

Justin: DPOP signs only a small number of elements and does not require HTTP signing.

Justin: For the HTTP signature solution we are planning to offer a symmetric and an asymmetric key version.

Justin: DPOP is a key presentation for single-page applications, and it can probably be used with other apps too. We are going to have a PoP solution with a generic HTTP message mechanism.

Torsten: How many deployable solutions do we have?

Brian: We have probably 3 or 4 solutions.

Justin: In terms of implementations we have 3.

?: What if we split the key distribution from the HTTP signing?

Justin: That's how we wanted to do the generic approach. It is how we do it with HTTP signing.

?: What are you signing in the HTTP message?

Justin: I believe if we have generic HTTP signing then we could re-use it with DPOP.

Mike: Microsoft has internally deployed the old HTTP signing. The reason is that it is stable (although abandoned). Our product groups want something that is simple, like DPOP. John and I talked at the last IETF about how we wanted to do symmetric DPOP. Inherently you have to do a key distribution step. I would like to see the DPOP draft adopted as a WG draft (recognizing that it may be revised to include a symmetric key solution).

The working group needs to make a decision on how to add symmetric key distribution.

Filip: We would also like to see adoption.

Roman: three options

1) Stay with POP key distribution
2) DPOP (as is)
3) Use ECDHE exchange from Neil

Brian: We could add (3) to (2), but it would be difficult, prohibitively difficult. (3) should be its own thing. Or maybe the push for performance improvements is so big that we need to jump straight to (3). There is the risk of too many options.

Torsten: Is the concern that (2) is too slow?

Filip: At the last meeting there was a concern from AWS that signing each request is prohibitively complex. But (2) works in my deployment.

Mike: It depends on the use case.

Phil: How does TLS 1.3 alter some of the requirements? What about the HTTP group doing the work on signing?

Brian: I don't think there is any dependency.

Justin: I do think that there is room for both. I don't think DPOP should be stretched to a generic solution and it isn't. It is a clever hack for a specific use case.

Brian: I wouldn't agree on the term "hack".

Phil: I am concerned that the market tries to apply a limited solution to everything.

Justin: That's why we need to standardize many solutions. DPOP makes a lot of sense as it is today. If you can layer a symmetric key solution then that's fine too. I think AWS should not use DPOP.

Phil: I think we need to make clear that PoP is orthogonal to message signing, saying that those things are separate going forward. I am worried that we are repeating the cycle for the 3rd or 4th time in 10 years.

Mike: The market left OAuth 1.0 because of HTTP signing interoperability problems.

Phil: When I was looking at MTLS there was a similar perception about whether it is actually needed. There are two extremes: (1) sign everything and encrypt everything, and (2) just use the existing stuff.

Mike: I like DPOP because it does very little. It does just as little as possible to demonstrate PoP for the token.

Phil: Yes, I like that.

Brian: There is certainly opportunity in the draft to make the draft clear. It is certainly for more use cases than for SPA-type apps.

Rifaat: Any other comments?

Next step is to take it to the list. There is also another question about the use of symmetric keys in addition to asymmetric keys.

Roman: We will only do a call for adoption of the DPOP solution and not for any other option.

Rifaat: Yes.

Rifaat: Neither I nor Hannes will be at the Vancouver IETF meeting.

The following participants are planning to be there: Justin, Aaron, Mike, Brian, David, Spencer, Tony, Matthew.
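The discussion above contrasts a generic HTTP message signature (which needs canonicalization and a profile saying what to sign) with DPOP, which "does just as little as possible": it signs only the HTTP method, the target URI, a unique id and a timestamp, and binds the access token to the client's key. The following Go program is an added example, not part of the meeting notes or of any draft listed above; it follows the DPoP proof format as later standardized in RFC 9449 (JWT header typ "dpop+jwt" with the public JWK, claims jti/htm/htu/iat, and the token's cnf.jkt carrying the RFC 7638 thumbprint of the bound key). The function names (MakeProof, Verifier, VerifyProof, NewClientKey), the 60-second acceptance window, the in-memory set of seen jti values and the sample target https://rs.example/resource are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string                      { return base64.RawURLEncoding.EncodeToString(b) } // JOSE base64url, unpadded
func bi(b []byte) *big.Int                     { return new(big.Int).SetBytes(b) }
func digest(s string) []byte                   { d := sha256.Sum256([]byte(s)); return d[:] }
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// ecJWK is a P-256 public key. The declaration order is the lexicographic member order that
// RFC 7638 thumbprints hash, so json.Marshal yields the canonical form directly.
type ecJWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func jwkOf(pub *ecdsa.PublicKey) ecJWK {
	return ecJWK{"P-256", "EC", b64(pub.X.FillBytes(make([]byte, 32))), b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 SHA-256 thumbprint; the AS binds a token to this key via cnf.jkt.
func Thumbprint(j ecJWK) string { raw, _ := json.Marshal(j); return b64(digest(string(raw))) }

// proofClaims is all a DPoP proof covers: unique id, HTTP method, target URI, issue time.
type proofClaims struct {
	JTI string `json:"jti"`
	HTM string `json:"htm"`
	HTU string `json:"htu"`
	IAT int64  `json:"iat"`
}

// MakeProof is the client side: a fresh ES256-signed JWT (typ "dpop+jwt") for one request.
func MakeProof(priv *ecdsa.PrivateKey, method, uri string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	nonce := make([]byte, 16) // jti: unique per proof so the resource server can detect replay
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	cl, _ := json.Marshal(proofClaims{b64(nonce), method, uri, now.Unix()})
	input := b64(hdr) + "." + b64(cl)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(input))
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JOSE raw r||s
	return input + "." + b64(sig), nil
}

// Verifier is the resource server side: the jti values already accepted (in memory, an assumption).
type Verifier map[string]bool

// VerifyProof checks one proof against the token's cnf.jkt (expectedJKT) and the actual request.
func (v Verifier) VerifyProof(proof, expectedJKT, method, uri string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed proof")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // nil on error
	var hdr struct{ Typ, Alg string; JWK ecJWK } // encoding/json matches typ/alg/jwk case-insensitively
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return fmt.Errorf("unexpected proof header")
	}
	if Thumbprint(hdr.JWK) != expectedJKT { // the proof key must be the key the token was bound to
		return fmt.Errorf("proof key does not match the token's cnf.jkt")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bi(dec(hdr.JWK.X)), Y: bi(dec(hdr.JWK.Y))}
	sig := dec(parts[2])
	if len(sig) != 64 || !ecdsa.Verify(pub, digest(parts[0]+"."+parts[1]), bi(sig[:32]), bi(sig[32:])) {
		return fmt.Errorf("bad signature")
	}
	var cl proofClaims
	if json.Unmarshal(dec(parts[1]), &cl) != nil || cl.HTM != method || cl.HTU != uri {
		return fmt.Errorf("proof was made for a different request")
	}
	// 60 s acceptance window is an assumption; a proof is single-use, so a seen jti is a replay.
	if d := now.Unix() - cl.IAT; d < -60 || d > 60 || cl.JTI == "" || v[cl.JTI] {
		return fmt.Errorf("stale or replayed proof")
	}
	v[cl.JTI] = true
	return nil
}

func main() {
	key, _ := NewClientKey()
	proof, _ := MakeProof(key, "GET", "https://rs.example/resource", time.Now()) // constructed target
	fmt.Println(Verifier{}.VerifyProof(proof, Thumbprint(jwkOf(&key.PublicKey)), "GET", "https://rs.example/resource", time.Now()))
}
```

Two points from the discussion show up directly in the code: a new proof is made for every request (the jti set makes re-use fail, which is the "every request should require a new signature" position), and nothing but method and URI is covered, so a body or other headers are not protected by DPoP and still need TLS or a separate message signature. The thumbprint comparison comes before the signature check because a valid signature under some other key proves nothing about the token holder.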