Re: [OAUTH-WG] re comments on MTLS (was Re: Call for Adoption: Mutual TLS Profiles for OAuth Clients)

John Bradley <ve7jtb@ve7jtb.com> Sat, 22 April 2017 00:18 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 231E91293FD for <oauth@ietfa.amsl.com>; Fri, 21 Apr 2017 17:18:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gT5Ry5mKcSID for <oauth@ietfa.amsl.com>; Fri, 21 Apr 2017 17:18:46 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4D6A127A97 for <oauth@ietf.org>; Fri, 21 Apr 2017 17:18:45 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id m36so81098013qtb.0 for <oauth@ietf.org>; Fri, 21 Apr 2017 17:18:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=2dQcnM9VAlQ2v/CXXNLjjOg5Etcaiah3HxiB6o3jenc=; b=MsEpwP9XIOv7iIyve8trp4QqvNm0HrLMiUj8C1dhaEEnp0aLDlQbL3fA58eHKYfkyn sRE0EqN6kZSGECnwbDeDHeiSI41baDKPqOP3uNg/Qeoy6DLq/ULoComEOe8eCmU8OTCU na7hqMBMRHInlh3FMGvvNHoApp7qRfgzQeQagZNSi4yBVbrr5xMLyXurH8nY9sKixFYC 8ZS4yUqeUEgRukLSjuezlVf596EIkYrOyEFl3oNjE1CauE/Jyn6T0zjeYLPO3iB+j5WM Gw/VqFay5huQCaV7lTu3oULVJRFd5vysHHU1NNhqxuO5iIZQc/XpUe6xIgK24rxjqrkR 7KKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=2dQcnM9VAlQ2v/CXXNLjjOg5Etcaiah3HxiB6o3jenc=; b=t0mFzEoZveJJUD77b1ACNykYo8o4C8X8OhaeDcXDp1Do3S9P/H3cSvvIMnr0bqbfyD AePplOSwH8/XsOZN+gYC/G41efH9pnVLTGsbkR0jCG9kWcd/9aWDW8V1hFjn10qAEjXc NU5ayuLvBpeGmoikR5jh1lcwVzAfmaWqFz3usfphJhg6xiTovm9paXBcBSV9CWvMIRlt +aacPvztHOkT8/V2FK8DpdpGMVAYDOeyyQLty2syK+I7ieOuOtk/1VfDHIfwybgLZc1S a6U3tIhl4UePkd5T13u5dORR8wdcrp/IqH3Q9WUqcTJwiqM/EcUfDqLsHg3s5Jp+pWgL nhoA==
X-Gm-Message-State: AN3rC/4bTS4uyku843A/snTRSTKIoAE7a8pXfGH34IEe6NENS0HSN0hF P7wsJZowImjk0Oaw
X-Received: by 10.237.53.236 with SMTP id d41mr17311524qte.158.1492820324777; Fri, 21 Apr 2017 17:18:44 -0700 (PDT)
Received: from [192.168.8.100] ([181.201.182.20]) by smtp.gmail.com with ESMTPSA id k65sm7478675qkf.18.2017.04.21.17.18.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Apr 2017 17:18:43 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <698E4B80-754F-42E1-AD2B-602CD605C680@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Fri, 21 Apr 2017 21:18:40 -0300
In-Reply-To: <CA+k3eCSqVmevpN_Rc5mcVborRk3hh0H6T_o8SAsJ=cJ6uw16xg@mail.gmail.com>
Cc: "Manger, James" <James.H.Manger@team.telstra.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCSqVmevpN_Rc5mcVborRk3hh0H6T_o8SAsJ=cJ6uw16xg@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11c111e4301003054db65113"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KBc2kbNWMO1R5CcETv7k8x79zQE>
Subject: Re: [OAUTH-WG] re comments on MTLS (was Re: Call for Adoption: Mutual TLS Profiles for OAuth Clients)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Apr 2017 00:18:49 -0000

I agree with Brian.

Trying to do anything with PKIX opens up cans of worms.  One of the reasons we have resisted to this point.

However there are server to server use cases that legitimately need this.

I agree that in general DN is a mess, I suspect that telling people to directly use the DER encoded version wont fly, so my thought was to use the RFC 4514 string representation that most tools produce.

We did talk about subject alt DNS Names, however those may not be present in eIDAS certificates that some people may need to use for legal reasons, or if it is present it might be an email.

I suspect that users of this will fall into two camps.  One that has a small set of trusted CA that are configured out of band and any certificate from those roots with the correct DN is OK.

The other group will be trying to do something more dynamic with SSL server certs (May or may not be EV)   I could see those people preferring DNS Name subject alt, or using JWKS to publish there certs.

The problem is finding the right balance of flexibility without too many options to confuse people.

I am inclined towards DN for those that are willing to suffer the pain, and JWKS_uri for everyone else.   One advantage of the JWKS_URI approach is that self signed certs should work just fine, that is something that the R&E people will want if they use this.  

For most proof of possession we should be promoting token binding as the most flexible approach as it also works with mobile without per instance registration.

John B.


> On Apr 21, 2017, at 7:41 PM, Brian Campbell <bcampbell@pingidentity.com>; wrote:
> 
> Thanks, James, for the adoption support as well as the review and comments. I've tried to respond to the comments inline below. 
> 
> On Thu, Apr 20, 2017 at 11:33 PM, Manger, James <James.H.Manger@team.telstra.com <mailto:James.H.Manger@team.telstra.com>> wrote:
> I support adoption of draft-campbell-oauth-mtls.
> 
> Now some comments on the doc:
> 
> 1. [§2.3] The syntax of tls_client_auth_subject_dn is not specified. Perhaps LDAP's "String Representation of Distinguished Names" [RFC4514]? Perhaps a base64url-encoding of a DER-encoded DN? It would actually be better to allow any subjectAltName to be specified, instead of a DN.
> 
> How about calling it tls_client_auth_subject and defining it as a string and allowing it to represent the expected subject which could be in the cert as the subject DN or a subjectAltName? For Subject DN and DN subjectAltNames it would be the "String Representation of Distinguished Names" and an appropriate string for the other subjectAltName types (I'll have to look at what's there 'cause I don't know off hand and guidance or suggested text is always more than welcome). 
>  
> 
> 
> 
> 2. [§2.3] Change the name of tls_client_auth_issuer_dn (maybe tls_client_auth_root_dn). Given tls_client_auth_client_dn, it will be too easy to assume this pair refer to the issuer and subject fields of the cert.
> 
> The accompanying text tries to make it clear that it's the root issuer but the tls_client_auth_issuer_dn name can certainly be changed to tls_client_auth_root_dn or something along those lines, if folks think the name in -01 is liable to cause confusion?
>  
> 
> 
> PKI chains can be complex so the expected root might not be such a stable concept. For example, the Let's Encrypt CA chains to an ISRG Root and an IdenTrust DST Root [https://letsencrypt.org/certificates/ <https://letsencrypt.org/certificates/>].
> 
> The goal was to provide a metadata field to express some constraint for what is kind of expected to be a common deployment of a number of entities participating in some OAuth API thing and are being issued certificates from a common issuer for the group of participants. 
> 
> Perhaps it should be an array of strings rather than a single value?
> 
> Or do you have suggestions for some alternative?
> 
> 
> 
> 
> 3. [§2.3] If a client dynamically registers a "jwks_uri" does this mean the authz server MUST automatically cope when the client updates the key(s) it publishes there?
> 
> If the authz server supports that kind of trust model as well as dynamically registration, then I would expect so, yes. 
>  
> 
> 
> 
> 4. [§3] An access token is bound to a specific client certificate. That is probably ok, but does mean all access tokens die when the client updates their certificate (which could be every 2 months if using Let's Encrypt). This at least warrants a paragraph in the Security Considerations.
> 
> In my own mind that was implied and okay because it's likely that access tokens will have a shorter lifespan than certificates and refreshing or getting a new access token is typically easy anyhow.
> 
> Anyway, it doesn't hurt to be explicit about it, can you propose some such text for the Security Considerations?
> 
> 
>  
> 
> 5. [§3.1] "exp" and "nbf" values in the example need to be numbers, not strings (drop the quotes).
> 
> Silly mistake on my part. Thanks for catching that. Will fix. 
> 
>  
> 
> 6. An access token linked to a client TLS cert isn't a bearer token. The spec should really define a new token_type for responses from the token endpoint. That might not necessarily mean we needs a new HTTP authentication scheme as well (it might just hint that "Bearer" wasn't quite the right name).
> 
> Indeed "Bearer" isn't quite right and very likely a name that would be different with the benefit of hindsight. But other than having names on the wire that are more true to the nature of the tokens, I don't know that a new token_type or HTTP auth scheme adds value to the use cases here. However, they would likely make deployment of this stuff more cumbersome and take longer.  Whereas many systems can likely plug in mutual TLS on top of the existing token_type and HTTP auth scheme without major changes. I'm strongly inclined to not introduce a new token_type and more inclined to not do a new HTTP auth scheme.
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth