IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Aaron Parecki <aaron@parecki.com> Tue, 14 January 2020 02:38 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6D4012006F for <oauth@ietfa.amsl.com>; Mon, 13 Jan 2020 18:38:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RT4Hdkd_8wDc for <oauth@ietfa.amsl.com>; Mon, 13 Jan 2020 18:38:56 -0800 (PST)
Received: from mail-io1-xd32.google.com (mail-io1-xd32.google.com [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D002112006B for <oauth@ietf.org>; Mon, 13 Jan 2020 18:38:55 -0800 (PST)
Received: by mail-io1-xd32.google.com with SMTP id t26so12141403ioi.13 for <oauth@ietf.org>; Mon, 13 Jan 2020 18:38:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bfur3aPnu2Vjhbj5Vn5DIWwR/isw4PQknA8aDur4w8Q=; b=JvwCzPp3KY1dJa8n9+FofPDW7uflBxTrQimWg4wDqQzIQxIDS0m1zh3tYCDbF4ocUt jagejNRg+kze4yp2Xg1n+GXev8rbj49i3waOQNH+xuHc4lIz6WKz6DBvEJKbDOTt6GjN NCv8DYFHsAqNs6O6HibkYSzQHKSjQZb/oNweDDzSVDQKp1qNG+iCt0qamcxKrIyQNTeN 1ScSb/nwgvA6I1zAbsdB4zmAsaPd6V9EZG2+abr5WST66obZl7WbytEZAzZeysLOMwQ+ 7U8ukQJ2uwkDv4YaADyDycpZHpFkypo49Oxr1T5RmZ6ancTenpSLR/Mop5QV6As7jDp6 /BLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bfur3aPnu2Vjhbj5Vn5DIWwR/isw4PQknA8aDur4w8Q=; b=rYblDbrWH9WSquaz06x2V8M0PuIf0brk0IZvzCBuwc9H9v+UcCDMQDSB3SVTHlVAtY UbmDb915wDTNYzFtPMNGt/QiDfpeuY9Mo5htVh4urmetB5JvvgIahibjXt93LfG4K8l6 2Pt95alX83etXqSdq9V8HbzcJ3rUqQF4c1B/7Zcj73BLuqHnzi0CP4C1gZLnI8hJILYt xBqhY9vijYJzIXw/0bEGMFVnlOSEc3daOG0dZeN8I+pb9x+VGBtlmKrZ0btpO6itUszB ftnw1KaFKCRIbiarYaL8JUyIP/yhAkhyv2/6s6tkq9dZh1O0MmWrR/vYw3H/XDOamteS FaQQ==
X-Gm-Message-State: APjAAAV8yBx5z13gYWJ9D2W8sRTOLkRmoDCtFVrYEJhTKcbK6cY0Itdk zvDgBB+M+OkZipEnUUc8fTVIMhUU0cA=
X-Google-Smtp-Source: APXvYqwlAWDoj9OnS24Ri0uxQ9WisEmSGYlnotNOR03OYkCPAH6sWEXlyXcbAra+8UBo9bARLvK8Zg==
X-Received: by 2002:a5d:964e:: with SMTP id d14mr14935862ios.193.1578969534696; Mon, 13 Jan 2020 18:38:54 -0800 (PST)
Received: from mail-io1-f45.google.com (mail-io1-f45.google.com. [209.85.166.45]) by smtp.gmail.com with ESMTPSA id w11sm4445420ilh.55.2020.01.13.18.38.53 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Jan 2020 18:38:53 -0800 (PST)
Received: by mail-io1-f45.google.com with SMTP id h8so12185942iob.2 for <oauth@ietf.org>; Mon, 13 Jan 2020 18:38:53 -0800 (PST)
X-Received: by 2002:a05:6602:2345:: with SMTP id r5mr14248398iot.156.1578969533709; Mon, 13 Jan 2020 18:38:53 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vRsL9ey2LDNoaWkapRUewS_c1S0r3QCcqJLmJ5KqKsGw@mail.gmail.com> <5F7A3816-AC9B-4BA2-9D91-CF89109B6788@forgerock.com> <CAD9ie-uebUCw5vxELPXQvQSY3Z3T2dNJGOpzEQ8cMgZcCOu+tg@mail.gmail.com> <79DF80DA-6682-4F25-A02A-B4137053FD8A@mit.edu>
In-Reply-To: <79DF80DA-6682-4F25-A02A-B4137053FD8A@mit.edu>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 13 Jan 2020 18:38:42 -0800
X-Gmail-Original-Message-ID: <CAGBSGjq9QWLR1n5sjE_rSyGmK_fqzgiSgyRhHZO_DhriHhgKjg@mail.gmail.com>
Message-ID: <CAGBSGjq9QWLR1n5sjE_rSyGmK_fqzgiSgyRhHZO_DhriHhgKjg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Dick Hardt <dick.hardt@gmail.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b0579059c107ed5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JM_QamiM31uUgI5qHGyj-PufiGw>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 02:38:58 -0000

Right now, Okta publishes two keys at the jwks_uri in order to be able to
rotate keys periodically. During the token lifetime window during key
rotation, the RSs can still find both the old and new key IDs in the set.

RSs are looking for a specific key ID when they do this, so it would be
fine to include additional keys that are used for something other than
access tokens since the RSs would just ignore them.

So an extension could say "use this key identified by kid" and that'd be a
decent extension mechanism.



On Mon, Jan 13, 2020 at 6:26 PM Justin Richer <jricher@mit.edu> wrote:

> I would rather see extensions define a key ID than a new key set URI.
> Otherwise what’s the point of having more than one key in the set, with
> unique identifiers?
>
> It would’ve been nice if JWK could’ve agreed on a URL-based addressing
> format for individual keys within the set, but that ship’s sailed.
>
>
>  — Justin
>
> On Jan 10, 2020, at 9:34 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> I was not saying that there was anything special about keys, nor that we
> needed to change OAuth.
>
> While using one key and controlling where it us used via access control
> works, it is not ideal.
>
> OAuth could have had just one endpoint, and done access control for
> different roles -- but it did not. We enabled flexibility by separating the
> authorization endpoint and the token endpoint. The dynamic client
> registration extension defined a new endpoint, the registration endpoint.
>
> I don't think we can change what has been deployed today -- but NEW
> extensions that use keys for new purposes SHOULD define their own URI.
> ᐧ
>
> On Fri, Jan 10, 2020 at 11:31 AM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
>> Sure, but we know how to run resilient services. My point is that there’s
>> nothing particularly special about cryptographic keys: if you want to
>> control how they are used there is a whole range of normal access control
>> methods you can apply to them without needing to change anything in OAuth.
>>
>> Neil
>>
>> On 10 Jan 2020, at 18:50, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> 
>> There are many other factors to resiliency than multiple instances.
>>
>> On Fri, Jan 10, 2020 at 10:30 AM Neil Madden <neil.madden@forgerock.com>
>> wrote:
>>
>>>
>>>
>>> > On 10 Jan 2020, at 17:22, Dick Hardt <dick.hardt@gmail.com> wrote:
>>> [...]
>>> >
>>> > As to the suggestion of using a JWT-decryption-microservice, another
>>> goal would be increased resiliency of the components. If the
>>> JWT-decryption-microservice is unavailable, the whole system is
>>> unavailable. If there are separate keys, then a failure in one component
>>> does not fail the entire system.
>>>
>>> Well you can run more than one instance - it’s a completely stateless
>>> service. You can also run a separate instance (or set of instances) per key
>>> if you like.
>>>
>>> Neil
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

v2.23.0 | Report a Bug | By Email