Re: [OAUTH-WG] PoP Key Distribution

Mike Jones <Michael.Jones@microsoft.com> Tue, 03 July 2018 20:11 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 03 Jul 2018 20:10:52 +0000
Message-ID: <DM5PR00MB029359EBBE81D3899BEA34FBF5420@DM5PR00MB0293.namprd00.prod.outlook.com>
References: <VI1PR0801MB211213D11E7820FD31218663FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB211213D11E7820FD31218663FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M03BrlHJgAzEQETMm5zVHBwMrzw>
Subject: Re: [OAUTH-WG] PoP Key Distribution
List-Id: OAUTH WG <oauth.ietf.org>

Thanks for working these issues, Hannes.  I agree with your conclusion that the OAuth PoP Key Distribution spec should define the OAuth parameters for use with HTTP and the ACE OAuth profile should define those that are ACE-specific.  Therefore, we should encourage the ACE spec to remove the duplicate definitions and instead reference those in the OAuth spec.

I believe that the ACE "profile" parameter is typically unnecessary and not in the spirit of normal OAuth.  Configuration information between OAuth participants is typically configured out of band and/or retrieved from the AS Discovery document (per the newly minted RFC 8414 <https://tools.ietf.org/html/rfc8414>).  There's no need to dynamically exchange a profile identifier when this is essentially always known in advance.  We should not include "profile".  For that matter, ACE should delete it as well, as it certainly isn't appropriate in constrained environments.

We should think some more about how we want to treat the function of the "alg" parameter and how to fully specify things for JWTs (an OAuth WG spec) while still enabling other representations when appropriate.

Thanks,
-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Tuesday, July 3, 2018 12:46 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] PoP Key Distribution

Hi all,

We have been working on an update to the draft-ietf-oauth-pop-key-distribution document in time for the deadline, but we noticed several issues that are worth bringing to your attention.

draft-ietf-oauth-pop-key-distribution defines a mechanism that allows the client to talk to the AS to request a PoP access token and associated keying material.

There are two other groups in the IETF where this concept is used.

  *   The guys working on RTCWEB are the first. Misi (Mészáros Mihály) has been helping us to understand their needs. They have defined their own token format, which was posted to the OAuth group a while ago for review.

  *   The other group is ACE with their work on an OAuth-based profile for IoT.
Where should the parameters needed for PoP key distribution be defined? Currently, they are defined in two places -- in https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03. In particular, the audience and the token_type parameters are defined in both specs.

IMHO it appears that OAuth would be the best place to define the HTTP-based parameters. ACE could define the IoT-based protocols, such as CoAP, MQTT, and the like. Of course, this is subject to discussion, particularly if there is no interest in doing so in the OAuth working group.

There is also a misalignment in terms of the content. draft-ietf-oauth-pop-key-distribution defines an 'alg' parameter, which does not exist in the draft-ietf-ace-oauth-authz document. The draft-ietf-ace-oauth-authz document does, however, have a 'profile' parameter, which does not exist in draft-ietf-oauth-pop-key-distribution. Some alignment is therefore needed. In the meanwhile, the work on OAuth meta has been finalized and could potentially be re-used.

When the work on draft-ietf-oauth-pop-key-distribution was initially started there was only a single, standardized token format, namely the JWT. Hence, it appeared reasonable to use the JWT keying structure for delivering keying material from the AS to the client.

In the meanwhile, two other formats have been standardized, namely RFC 7635 and the CWT. For use with those specs, it appears less ideal to transport keys from the AS to the client using the JSON/JOSE-based format. It would be more appropriate to use whatever PoP token format is used instead. Currently, this hasn't been considered.

Ciao
Hannes

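The exchange Hannes describes above (the client asks the AS for a PoP access token and associated keying material, and the AS delivers the key using the JWT keying structure), written out as an added example. This is not part of the original thread and not code from either draft. The only things taken from the thread are the request parameters it names: audience, token_type and alg (the ACE 'profile' parameter is deliberately absent, matching Mike's point). Everything else is an assumption made for the example: that "JWT keying structure" means the RFC 7800 `cnf` claim; that the AS and RS share a secret from which the per-token symmetric key is derived, so the token carries only `cnf.kid`; the token-response parameter name `key`; the client_credentials grant; the example URLs; and the shape of the MAC'd request. Standard library only; the minimal HS256 JWS is for illustration, not a JOSE library.

```python
"""Constructed PoP key distribution exchange (added example, not the draft's text).
Client->AS: token request with audience, token_type=pop, alg.  AS->client: HS256 JWT
with an RFC 7800 "cnf" claim plus the symmetric PoP key as a JWK.  Client->RS: request
MAC'd with that key; the RS re-derives it from cnf.kid and a secret shared with the AS."""
import base64
import hashlib
import hmac
import json
import secrets

RS_AUDIENCE = "https://rs.example"  # constructed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive(secret: bytes, label: bytes) -> bytes:
    # Domain-separated keys from the AS/RS shared secret (design assumption).
    return hmac.new(secret, label, hashlib.sha256).digest()

def hs256_jwt(claims: dict, key: bytes) -> str:
    # Minimal compact JWS with alg=HS256; enough for the example, not a JOSE library.
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def verify_hs256_jwt(token: str, key: bytes) -> dict:
    header_b64, claims_b64, tag_b64 = token.split(".")
    tag = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, b64url_decode(tag_b64)):
        raise ValueError("token signature invalid")
    return json.loads(b64url_decode(claims_b64))

def pop_message(method: str, uri: str, body: bytes, token: str, ts: int) -> bytes:
    # What the PoP MAC covers: method, URI, body hash, the token, and a timestamp.
    return b"\n".join([method.encode(), uri.encode(), hashlib.sha256(body).digest(),
                       token.encode(), str(ts).encode()])

def client_token_request(audience: str, alg: str = "HS256") -> dict:
    # audience, token_type and alg are the parameters named in the thread;
    # grant_type=client_credentials is an assumption made for brevity.
    return {"grant_type": "client_credentials", "audience": audience,
            "token_type": "pop", "alg": alg}

def as_token_endpoint(req: dict, as_rs_secret: bytes, now: int) -> dict:
    if req.get("token_type") != "pop":
        raise ValueError("this endpoint only issues PoP tokens")
    if req.get("alg") != "HS256":  # refuse unknown algorithms instead of downgrading
        raise ValueError(f"unsupported alg {req.get('alg')!r}")
    kid = b64url(secrets.token_bytes(16))
    pop_key = derive(as_rs_secret, b"pop-key:" + kid.encode())
    claims = {"iss": "https://as.example", "aud": req["audience"], "exp": now + 600,
              "cnf": {"kid": kid}}  # RFC 7800 confirmation claim: key by reference
    return {"access_token": hs256_jwt(claims, derive(as_rs_secret, b"token-signing")),
            "token_type": "pop", "expires_in": 600,
            # PoP key handed to the client as a JWK in the TLS-protected token
            # response; the parameter name "key" is illustrative, not the draft's.
            "key": {"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url(pop_key)}}

def client_sign_request(method: str, uri: str, body: bytes, token: str, jwk: dict,
                        now: int) -> dict:
    # Client demonstrates possession of the key the AS delivered.
    mac = hmac.new(b64url_decode(jwk["k"]), pop_message(method, uri, body, token, now),
                   hashlib.sha256).digest()
    return {"access_token": token, "ts": now, "pop_mac": b64url(mac)}

def rs_verify_request(method: str, uri: str, body: bytes, hdrs: dict,
                      as_rs_secret: bytes, now: int) -> dict:
    # RS checks the token first, then the proof; raises ValueError on any failure.
    token = hdrs["access_token"]
    claims = verify_hs256_jwt(token, derive(as_rs_secret, b"token-signing"))
    if claims.get("aud") != RS_AUDIENCE or claims.get("exp", 0) <= now:
        raise ValueError("token not for this RS or expired")
    if abs(int(hdrs["ts"]) - now) > 60:  # bounded replay window
        raise ValueError("stale proof")
    pop_key = derive(as_rs_secret, b"pop-key:" + claims["cnf"]["kid"].encode())
    expected = hmac.new(pop_key, pop_message(method, uri, body, token, int(hdrs["ts"])),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(hdrs["pop_mac"])):
        raise ValueError("proof of possession failed")
    return claims

def demo(as_rs_secret: bytes = b"\x11" * 32, now: int = 1_530_650_000) -> tuple:
    # Full exchange, then a captured token+MAC replayed against an altered body.
    resp = as_token_endpoint(client_token_request(RS_AUDIENCE), as_rs_secret, now)
    body = b'{"temp": 21}'
    hdrs = client_sign_request("POST", "/readings", body, resp["access_token"],
                               resp["key"], now + 5)
    claims = rs_verify_request("POST", "/readings", body, hdrs, as_rs_secret, now + 7)
    try:  # attacker has token and MAC but not the key, so a body change is caught
        rs_verify_request("POST", "/readings", b'{"temp": 99}', hdrs, as_rs_secret, now + 7)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return claims, tamper_rejected

if __name__ == "__main__":
    print(demo())
```

Two points the example is built around. First, the AS refuses any alg it cannot key rather than silently falling back, which is the kind of behaviour that has to be pinned down if 'alg' stays in the OAuth spec. Second, the token carries the key only by reference (`cnf.kid`): RFC 7800 permits a symmetric key in `cnf.jwk` only when the JWT itself is encrypted, and otherwise requires `cnf.jwe`, so a symmetric PoP key must never sit in plaintext inside a signed-but-unencrypted access token that the client forwards to the RS. The timestamp in the MAC is a minimal replay bound; a deployed signed-request format would also carry a nonce.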