Re: [OAUTH-WG] MTLS and SAN
Filip Skokan <panva.ip@gmail.com> Thu, 04 April 2019 20:54 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B431201EF for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 13:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4sSXlyEllNK0 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 13:54:54 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9105E1204B4 for <oauth@ietf.org>; Thu, 4 Apr 2019 13:54:54 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id x188so3073866oia.13 for <oauth@ietf.org>; Thu, 04 Apr 2019 13:54:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3fY7IF/Xvw1fueFCA4ZtrA2qocun+CirAWfHnnsC6NU=; b=Bh8+2gy1Lo/YwumPuK3K+LPcIWFUh6i/1eb0kOE7zmLQLqdM5RATED5J4ebxy8Pyaw 5gSTXiw8+AClctbBIdlQv7MhD+3yXEWVYW3vGbDFB7aRi9H5tQRhMfJ1Zo5VThOZkhqf tRs8lKC5aoUSVfwe9cxLxSdHNmtdckd6g/DP9fpogbV3ZnlbSSwysTxY0sfZBKyW9971 fVGyJ4tpNsvkgXUe2VDvGAe1BmRcVNikUe0DHgrin+mqLHG3PTUcq3CdZAyeVU1wT1C3 TO+mH5tuRlQjLFW48u4VdzqImx6uhsB5RjjHw4hS8Ge0j55bKHjFKJM9PHypQ5GqZnK1 qBLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3fY7IF/Xvw1fueFCA4ZtrA2qocun+CirAWfHnnsC6NU=; b=sZRvPBvjzJsLunrWwHPOsVOqv/FCj0vz2HN4okWh+KZ2u4jP/TlIvxXPkOm2b9rUvW Wn8fxMYugKpAdgxWZYhtbjAoV/jnEwydlMGbBQhMXPNGwgur6Lc8IoDU8qTTaGvLeEWO jgZ5U4Mwz3EdgfttB8TAN7yP+gmVSvqiStXpj+K/HkowufqnL/IdqQdWAyDdAtCLXnLA +keYl3CIo+tixQMDP0lbFVXH9U8d/blbyHDwupAhp6Kv+O05Dw6C5V7HZ/am1HVXIRQx +bTW/9YsUgLqnrV1vnKPEszGgi7CB7PMzTTRoOm/n/sLrv7WfdB24r7C70qEJBnfmW3V 2vYQ==
X-Gm-Message-State: APjAAAXlzpwvAHtHFYm2YiQrEY4SaEKeityKCbaMmWZ617VQOoQRlbLd 977rYePtjC7XhDaA/WzV98vJiL5v//THPWUvvA==
X-Google-Smtp-Source: APXvYqx3HtvhBIksgA9SivO1920VZCXH5eYj+X5u/ZAOMti7mveQd++/q+q7Jugly0atdcyyNFurnYmMQ/5TUALA2uc=
X-Received: by 2002:aca:db83:: with SMTP id s125mr4525160oig.61.1554411293790; Thu, 04 Apr 2019 13:54:53 -0700 (PDT)
MIME-Version: 1.0
References: <220488FB-C7EB-42A3-85D6-BD3756786550@mit.edu> <CALAqi_-0wXCurgqQq5=YfD0XhjeeoqPE=TX2XkDpgM2ci8E7qw@mail.gmail.com> <42790363-5D79-411C-BE4E-D99A90E36951@mit.edu>
In-Reply-To: <42790363-5D79-411C-BE4E-D99A90E36951@mit.edu>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 04 Apr 2019 22:54:42 +0200
Message-ID: <CALAqi__--y7PZvt4N4oSukJ6PB4BMGDDGS0HN7mwMpHDCDAADA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000059810585ba950f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M7hY9S84bdzf16doadNOmW7kFeM>
Subject: Re: [OAUTH-WG] MTLS and SAN
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 20:54:57 -0000
Yes. S pozdravem, *Filip Skokan* On Thu, 4 Apr 2019 at 22:36, Justin Richer <jricher@mit.edu> wrote: > Thank you, I did miss that text. This should be called out more explicitly > in §2.1, perhaps by specifying that it is only one field. This still > doesn’t set precedence, but it implies that it’s an error for a client to > have more than one field set of the available options. Is that your read on > this as well? > > — Justin > > On Apr 4, 2019, at 4:23 PM, Filip Skokan <panva.ip@gmail.com> wrote: > > Justin, I had the exact same question off list and believe draft 13 > clarified this. > > https://tools.ietf.org/html/draft-ietf-oauth-mtls-13#section-2.1.2 > > A client using the "tls_client_auth" authentication method MUST use > exactly one of the below metadata parameters to indicate the certificate > subject value that the authorization server is to expect when > authenticating the respective client. > > Then it lists the different dn/san properties. > > S pozdravem, > *Filip Skokan* > > > On Thu, 4 Apr 2019 at 22:20, Justin Richer <jricher@mit.edu> wrote: > >> We’ve just started implementation of SAN-based certificate >> authentication, based on the changes in version -13 of the draft. I believe >> this addition is a bit unclear, due to it being added so late in the >> document process. >> >> My question is how does an AS determine whether to DN or SAN for >> certificate checking? Corollary, are these mutually exclusive or can they >> be used together? Currently, the specification text lists DN and SAN as an >> “or” with no indication whether this is an inclusive or exclusive “or”, and >> what to do when there’s overlap. >> >> This has implications both for the implementation of the server >> processing the request as well as the client metadata model, since the >> client fields are all in parallel to each other. I can see a few ways of >> handling this. >> >> >> 1) One of the fields takes precedence over the other. Say for example you >> choose the DN field: if it’s set, then you do DN matching and ignore the >> SAN fields entirely, both in the cert and in the client’s registration. >> Inverse is true if you choose the SAN fields over the DN but the principle >> is the same. We should be explicit if there’s an intended precedence >> between these two, and even more explicit if the DN and SAN are at equal >> level and the AS gets to choose. We also need to be clear if it’s an error >> condition if both are set simultaneously, like the way that jwks and >> jwks_uri are mutually exclusive. >> 2) You set an explicit switch in your client model that says whether to >> use the DN or the SAN fields in comparison, and your code branches based on >> that to either DN or SAN processing. This could also be added as an >> explicit client metadata field, or it could be an internal detail. If an >> internal detail, we should be explicit about there not being a predefined >> precedence between the fields. >> 3) If it’s allowable to use them together, you match everything that’s >> set in the client, and at least one field MUST be set. >> >> >> What’s the intended behavior for implementers, and should we be more >> explicit about this? We are starting our implementation with (1) pending >> the outcome of this thread, and I’d be curious to know how others are >> implementing this in their systems. >> >> Thanks, >> — Justin >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > >
- [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Filip Skokan
- Re: [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Filip Skokan
- Re: [OAUTH-WG] MTLS and SAN Jim Willeke
- Re: [OAUTH-WG] MTLS and SAN Brian Campbell
- Re: [OAUTH-WG] MTLS and SAN Justin Richer
- Re: [OAUTH-WG] MTLS and SAN Brian Campbell