IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Samuel Erdtman <samuel@erdtman.se> Mon, 07 November 2016 16:43 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6A9129953 for <oauth@ietfa.amsl.com>; Mon, 7 Nov 2016 08:43:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZpuUesuDbzcW for <oauth@ietfa.amsl.com>; Mon, 7 Nov 2016 08:43:31 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0DA12973D for <oauth@ietf.org>; Mon, 7 Nov 2016 08:43:30 -0800 (PST)
Received: by mail-wm0-x231.google.com with SMTP id p190so194552273wmp.1 for <oauth@ietf.org>; Mon, 07 Nov 2016 08:43:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YncGBzbPExxL3i6Ry0laEcP/eZb7l/iHp/tjYm3lzdc=; b=ufNVy5LdCgpM4mQscBUl+aV88nN4qQi5bJgUvnwP5Wzt0cgCXXgl6Rgznx9Ftf9Tf8 E8bx7i3PtlQdfssPj1aVE0CLJtq6eC1iF3oiRD2xk23bWcIWn4NPY1FK5cqcbTFUeJ2+ 0T/LoWIgdlDyUU1cJDFDV2PNjiRnqvOq0SjApOb1I7HfkDy7T1OFiaEMynmWdaZONFVN jwwkg0FY8q5NaATtjtnx43tDk31EqXJrvSQYeQ0UCv5dkk+UCHK2HCDdfaCrbtqmixSF Hrz5iQnzc2U3QdzoAXEK0twmk25XoO+VfGpMZK9olkwgvDPfU/o8RicB6lhAPHZjU0hG RG2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YncGBzbPExxL3i6Ry0laEcP/eZb7l/iHp/tjYm3lzdc=; b=SVWot47g7xFKOTYjEyovV86O2qVRITvXbSbQl2zYmRU3VzHGvTMVsNF2OvDk58H5yJ ykPIrepR3CHzjkDkShXf5QzlX8SYzEGv7Rgm4q9nRNPupQohJAYjjZA+zJgrntnowvWu HUPnd2u1jBiC6tiHKsDu4apXNhqU9uVxp7L6GG+OetKdSh0x9aTVf7cdAT3AC7ogDE2j EqcqesQJ+Mh5KxNxh9Qc+8DH7ezrNgbSzjG19mGOY2uvIJaiJhUzllE+9am+XQ9UwNTQ CU/WFH2FNoMtfewyxVsZq617yyCABq3dhPFfQnYjsk+OO3pyrVT+9perEOhUwnG3xDTs 7gdg==
X-Gm-Message-State: ABUngvdkkSUtb8TkUzLpADNFAWlzOHmNsXtk/n401hcS4LhN5GsTCYqj5UgNL+hQJQo+n7AT3ienYeSNssjx4g==
X-Received: by 10.28.40.67 with SMTP id o64mr9533935wmo.5.1478537009418; Mon, 07 Nov 2016 08:43:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Mon, 7 Nov 2016 08:43:28 -0800 (PST)
In-Reply-To: <F6BC29BC-17E9-43B4-8A60-47D23765DF48@oracle.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com> <CA+k3eCSLvDd8PSzN53w6+QtzGrBiFgaO5=Vnjs1MMnb9oHWtpw@mail.gmail.com> <3B6518A2-CE89-48A4-B817-02C774C786B4@ve7jtb.com> <F6BC29BC-17E9-43B4-8A60-47D23765DF48@oracle.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 07 Nov 2016 17:43:28 +0100
Message-ID: <CAF2hCbb39qUm4cug+pkP4j3i0A26N82aT=uk5MsEQfiDExCn4A@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a114973c23bf7600540b8b922"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IuelrIq7OD-qFKkt4KQiBDg2TTU>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 16:43:34 -0000

Phil, what is your +1 referring to?

//Samuel

On Sat, Nov 5, 2016 at 2:14 AM, Phil Hunt (IDM) <phil.hunt@oracle.com>
wrote:

> +1
>
> Phil
>
> On Nov 4, 2016, at 6:11 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I can easily see Research and education publishing self signed certs in
> meta-data that is then used for client authentication and other things.
> I don’t want to limit this to only CA issued certs where the client_id is
> in the DN.    Client_id tend not to be domain names currently.
> Looking up a raw key  provided via JWK in registration based on client_id
> will be one way that people will use this.   Passing the cert is seen as
> just a way of passing the key to many people.
>
> I also understand the desire in ACE to save bytes.
>
> If you are using self signed certs then including the client_id in the
> cert vs as a parameter is a bit of a no op re size.
>
> Perhaps if there is a common pattern we could document a IoT profile where
> ca issued cert is used and what it would look like.
>
> I have concerns that this may open a can of worms around what the CN would
> be and the interpretations of use extensions if this is flagged as
> something other than a host cert.    What do devices do now when they are
> issued certs.  Is there a common standard or is it by manufacturer.
>
> My main concern would be to not hold up what should be a simple spec for
> the server to server case, but am willing to accommodate IoT if possible.
>
> Regards
> John B.
>
> On Oct 28, 2016, at 5:31 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Not wanting to add more meta parameters was a motivation. Also not being
> sure of how to enumerate the possible approaches. My thinking was also that
> there are a lot of factors involved and that it'd probably be better left
> to service documentation to describe things like what authorities are
> trusted and what the client to cert binding is. Like I said, we can look at
> adding more metadata, if there's some consensus to do so. But I worry that
> it'll just be bloat that doesn't really add value.
>
> I also think that, in many situations, it's unlikely that a cert will
> contain a client id anywhere as subject information. A client id is scoped
> to a particular authorization server and it's hard to imagine a CA issuing
> a cert with an identifier that's only meaningful in the context of some
> other entity like that. Maybe in a more closed system where the AS and an
> organizational CA are both in the same management/administrative domain but
> not in the more general case.
>
>
>
> On Wed, Oct 26, 2016 at 8:42 PM, Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> I see. Do you reckon the AS could simply probe the likely cert places
>> for containing the client_id? My reasoning is that there aren't that
>> many places where you could stick the client_id (let me know if I'm
>> wrong). If the AS is in doubt it will respond with invalid_client. I'm
>> starting to think this can work quite well. No extra meta param will be
>> needed (of which we have enough already).
>>
>> On 22/10/16 01:51, Brian Campbell wrote:
>> > I did consider something like that but stopped short of putting it in
>> the
>> > -00 document. I'm not convinced that some metadata around it would
>> really
>> > contribute to interop one way or the other. I also wanted to get the
>> basic
>> > concept written down before going too far into the weeds. But I'd be
>> open
>> > to adding something along those lines in future revisions, if there's
>> some
>> > consensus that it'd be useful.
>> >
>> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
>> vladimir@connect2id.com
>> >> wrote:
>> >> Superb, I welcome that!
>> >>
>> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
>> >> client-auth-00#section-5.2 :
>> >>
>> >> My concern is that the choice of how to bind the client identity is
>> left
>> >> to implementers, and that may eventually become an interop problem.
>> >> Have you considered some kind of an open ended enumeration of the
>> possible
>> >> binding methods, and giving them some identifiers or names, so that AS
>> /
>> >> OPs can advertise them in their metadata, and clients register
>> accordingly?
>> >>
>> >> For example:
>> >>
>> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
>> >> "subject_public_key_info_match" ]
>> >>
>> >>
>> >> Cheers,
>> >>
>> >> Vladimir
>> >>
>> >> On 10/10/16 23:59, John Bradley wrote:
>> >>
>> >> At the request of the OpenID Foundation Financial Services API Working
>> group, Brian Campbell and I have documented
>> >> mutual TLS client authentication.   This is something that lots of
>> people do in practice though we have never had a spec for it.
>> >>
>> >> The Banks want to use it for some server to server API use cases being
>> driven by new open banking regulation.
>> >>
>> >> The largest thing in the draft is the IANA registration of
>> “tls_client_auth” Token Endpoint authentication method for use in
>> Registration and discovery.
>> >>
>> >> The trust model is intentionally left open so that you could use a
>> “common name” and a restricted list of CA or a direct lookup of the subject
>> public key against a reregistered value,  or something in between.
>> >>
>> >> I hope that this is non controversial and the WG can adopt it quickly.
>> >>
>> >> Regards
>> >> John B.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Begin forwarded message:
>> >>
>> >> From: internet-drafts@ietf.org
>> >> Subject: New Version Notification for draft-campbell-oauth-tls-clien
>> t-auth-00.txt
>> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
>> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <
>> brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <
>> ve7jtb@ve7jtb.com>
>> >>
>> >>
>> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>> >> has been successfully submitted by John Bradley and posted to the
>> >> IETF repository.
>> >>
>> >> Name:                draft-campbell-oauth-tls-client-auth
>> >> Revision:    00
>> >> Title:               Mutual X.509 Transport Layer Security (TLS)
>> Authentication for OAuth Clients
>> >> Document date:       2016-10-10
>> >> Group:               Individual Submission
>> >> Pages:               5
>> >> URL:            https://www.ietf.org/internet-
>> drafts/draft-campbell-oauth-tls-client-auth-00.txt
>> >> Status:         https://datatracker.ietf.org/
>> doc/draft-campbell-oauth-tls-client-auth/
>> >> Htmlized:       https://tools.ietf.org/html/d
>> raft-campbell-oauth-tls-client-auth-00
>> >>
>> >>
>> >> Abstract:
>> >>   This document describes X.509 certificates as OAuth client
>> >>   credentials using Transport Layer Security (TLS) mutual
>> >>   authentication as a mechanism for client authentication to the
>> >>   authorization server's token endpoint.
>> >>
>> >>
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of
>> submission
>> >> until the htmlized version and diff are available at tools.ietf.org.
>> >>
>> >> The IETF Secretariat
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OAuth mailing listOAuth@ietf.orghttps://www.
>> ietf.org/mailman/listinfo/oauth
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> OAuth mailing list
>> >> OAuth@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/oauth
>> >>
>> >>
>>
>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email