Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Samuel Erdtman <samuel@erdtman.se> Mon, 07 November 2016 16:43 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6A9129953 for <oauth@ietfa.amsl.com>; Mon, 7 Nov 2016 08:43:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZpuUesuDbzcW for <oauth@ietfa.amsl.com>; Mon, 7 Nov 2016 08:43:31 -0800 (PST)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE0DA12973D for <oauth@ietf.org>; Mon, 7 Nov 2016 08:43:30 -0800 (PST)
Received: by mail-wm0-x231.google.com with SMTP id p190so194552273wmp.1 for <oauth@ietf.org>; Mon, 07 Nov 2016 08:43:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YncGBzbPExxL3i6Ry0laEcP/eZb7l/iHp/tjYm3lzdc=; b=ufNVy5LdCgpM4mQscBUl+aV88nN4qQi5bJgUvnwP5Wzt0cgCXXgl6Rgznx9Ftf9Tf8 E8bx7i3PtlQdfssPj1aVE0CLJtq6eC1iF3oiRD2xk23bWcIWn4NPY1FK5cqcbTFUeJ2+ 0T/LoWIgdlDyUU1cJDFDV2PNjiRnqvOq0SjApOb1I7HfkDy7T1OFiaEMynmWdaZONFVN jwwkg0FY8q5NaATtjtnx43tDk31EqXJrvSQYeQ0UCv5dkk+UCHK2HCDdfaCrbtqmixSF Hrz5iQnzc2U3QdzoAXEK0twmk25XoO+VfGpMZK9olkwgvDPfU/o8RicB6lhAPHZjU0hG RG2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YncGBzbPExxL3i6Ry0laEcP/eZb7l/iHp/tjYm3lzdc=; b=SVWot47g7xFKOTYjEyovV86O2qVRITvXbSbQl2zYmRU3VzHGvTMVsNF2OvDk58H5yJ ykPIrepR3CHzjkDkShXf5QzlX8SYzEGv7Rgm4q9nRNPupQohJAYjjZA+zJgrntnowvWu HUPnd2u1jBiC6tiHKsDu4apXNhqU9uVxp7L6GG+OetKdSh0x9aTVf7cdAT3AC7ogDE2j EqcqesQJ+Mh5KxNxh9Qc+8DH7ezrNgbSzjG19mGOY2uvIJaiJhUzllE+9am+XQ9UwNTQ CU/WFH2FNoMtfewyxVsZq617yyCABq3dhPFfQnYjsk+OO3pyrVT+9perEOhUwnG3xDTs 7gdg==
X-Gm-Message-State: ABUngvdkkSUtb8TkUzLpADNFAWlzOHmNsXtk/n401hcS4LhN5GsTCYqj5UgNL+hQJQo+n7AT3ienYeSNssjx4g==
X-Received: by 10.28.40.67 with SMTP id o64mr9533935wmo.5.1478537009418; Mon, 07 Nov 2016 08:43:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Mon, 7 Nov 2016 08:43:28 -0800 (PST)
In-Reply-To: <F6BC29BC-17E9-43B4-8A60-47D23765DF48@oracle.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com> <CA+k3eCSLvDd8PSzN53w6+QtzGrBiFgaO5=Vnjs1MMnb9oHWtpw@mail.gmail.com> <3B6518A2-CE89-48A4-B817-02C774C786B4@ve7jtb.com> <F6BC29BC-17E9-43B4-8A60-47D23765DF48@oracle.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 07 Nov 2016 17:43:28 +0100
Message-ID: <CAF2hCbb39qUm4cug+pkP4j3i0A26N82aT=uk5MsEQfiDExCn4A@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a114973c23bf7600540b8b922"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IuelrIq7OD-qFKkt4KQiBDg2TTU>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 16:43:34 -0000
Phil, what is your +1 referring to? //Samuel On Sat, Nov 5, 2016 at 2:14 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote: > +1 > > Phil > > On Nov 4, 2016, at 6:11 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > I can easily see Research and education publishing self signed certs in > meta-data that is then used for client authentication and other things. > I don’t want to limit this to only CA issued certs where the client_id is > in the DN. Client_id tend not to be domain names currently. > Looking up a raw key provided via JWK in registration based on client_id > will be one way that people will use this. Passing the cert is seen as > just a way of passing the key to many people. > > I also understand the desire in ACE to save bytes. > > If you are using self signed certs then including the client_id in the > cert vs as a parameter is a bit of a no op re size. > > Perhaps if there is a common pattern we could document a IoT profile where > ca issued cert is used and what it would look like. > > I have concerns that this may open a can of worms around what the CN would > be and the interpretations of use extensions if this is flagged as > something other than a host cert. What do devices do now when they are > issued certs. Is there a common standard or is it by manufacturer. > > My main concern would be to not hold up what should be a simple spec for > the server to server case, but am willing to accommodate IoT if possible. > > Regards > John B. > > On Oct 28, 2016, at 5:31 PM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > Not wanting to add more meta parameters was a motivation. Also not being > sure of how to enumerate the possible approaches. My thinking was also that > there are a lot of factors involved and that it'd probably be better left > to service documentation to describe things like what authorities are > trusted and what the client to cert binding is. Like I said, we can look at > adding more metadata, if there's some consensus to do so. But I worry that > it'll just be bloat that doesn't really add value. > > I also think that, in many situations, it's unlikely that a cert will > contain a client id anywhere as subject information. A client id is scoped > to a particular authorization server and it's hard to imagine a CA issuing > a cert with an identifier that's only meaningful in the context of some > other entity like that. Maybe in a more closed system where the AS and an > organizational CA are both in the same management/administrative domain but > not in the more general case. > > > > On Wed, Oct 26, 2016 at 8:42 PM, Vladimir Dzhuvinov < > vladimir@connect2id.com> wrote: > >> I see. Do you reckon the AS could simply probe the likely cert places >> for containing the client_id? My reasoning is that there aren't that >> many places where you could stick the client_id (let me know if I'm >> wrong). If the AS is in doubt it will respond with invalid_client. I'm >> starting to think this can work quite well. No extra meta param will be >> needed (of which we have enough already). >> >> On 22/10/16 01:51, Brian Campbell wrote: >> > I did consider something like that but stopped short of putting it in >> the >> > -00 document. I'm not convinced that some metadata around it would >> really >> > contribute to interop one way or the other. I also wanted to get the >> basic >> > concept written down before going too far into the weeds. But I'd be >> open >> > to adding something along those lines in future revisions, if there's >> some >> > consensus that it'd be useful. >> > >> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov < >> vladimir@connect2id.com >> >> wrote: >> >> Superb, I welcome that! >> >> >> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls- >> >> client-auth-00#section-5.2 : >> >> >> >> My concern is that the choice of how to bind the client identity is >> left >> >> to implementers, and that may eventually become an interop problem. >> >> Have you considered some kind of an open ended enumeration of the >> possible >> >> binding methods, and giving them some identifiers or names, so that AS >> / >> >> OPs can advertise them in their metadata, and clients register >> accordingly? >> >> >> >> For example: >> >> >> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match", >> >> "subject_public_key_info_match" ] >> >> >> >> >> >> Cheers, >> >> >> >> Vladimir >> >> >> >> On 10/10/16 23:59, John Bradley wrote: >> >> >> >> At the request of the OpenID Foundation Financial Services API Working >> group, Brian Campbell and I have documented >> >> mutual TLS client authentication. This is something that lots of >> people do in practice though we have never had a spec for it. >> >> >> >> The Banks want to use it for some server to server API use cases being >> driven by new open banking regulation. >> >> >> >> The largest thing in the draft is the IANA registration of >> “tls_client_auth” Token Endpoint authentication method for use in >> Registration and discovery. >> >> >> >> The trust model is intentionally left open so that you could use a >> “common name” and a restricted list of CA or a direct lookup of the subject >> public key against a reregistered value, or something in between. >> >> >> >> I hope that this is non controversial and the WG can adopt it quickly. >> >> >> >> Regards >> >> John B. >> >> >> >> >> >> >> >> >> >> >> >> Begin forwarded message: >> >> >> >> From: internet-drafts@ietf.org >> >> Subject: New Version Notification for draft-campbell-oauth-tls-clien >> t-auth-00.txt >> >> Date: October 10, 2016 at 5:44:39 PM GMT-3 >> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> < >> brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> < >> ve7jtb@ve7jtb.com> >> >> >> >> >> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt >> >> has been successfully submitted by John Bradley and posted to the >> >> IETF repository. >> >> >> >> Name: draft-campbell-oauth-tls-client-auth >> >> Revision: 00 >> >> Title: Mutual X.509 Transport Layer Security (TLS) >> Authentication for OAuth Clients >> >> Document date: 2016-10-10 >> >> Group: Individual Submission >> >> Pages: 5 >> >> URL: https://www.ietf.org/internet- >> drafts/draft-campbell-oauth-tls-client-auth-00.txt >> >> Status: https://datatracker.ietf.org/ >> doc/draft-campbell-oauth-tls-client-auth/ >> >> Htmlized: https://tools.ietf.org/html/d >> raft-campbell-oauth-tls-client-auth-00 >> >> >> >> >> >> Abstract: >> >> This document describes X.509 certificates as OAuth client >> >> credentials using Transport Layer Security (TLS) mutual >> >> authentication as a mechanism for client authentication to the >> >> authorization server's token endpoint. >> >> >> >> >> >> >> >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> >> until the htmlized version and diff are available at tools.ietf.org. >> >> >> >> The IETF Secretariat >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> OAuth mailing listOAuth@ietf.orghttps://www. >> ietf.org/mailman/listinfo/oauth >> >> >> >> >> >> >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> >> >> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Fwd: New Version Notification for draf… John Bradley
- Re: [OAUTH-WG] [Openid-specs-fapi] Fwd: New Versi… Preibisch, Sascha H
- Re: [OAUTH-WG] Fwd: New Version Notification for … Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Jim Manico
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Jim Manico
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Sergey Beryozkin
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… John Bradley
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt (IDM)
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt (IDM)
- Re: [OAUTH-WG] New Version Notification for draft… Vladimir Dzhuvinov
- Re: [OAUTH-WG] New Version Notification for draft… Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico