IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 13 October 2021 00:54 UTC

Return-Path: <prvs=91300960f=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F6C23A14FD for <oauth@ietfa.amsl.com>; Tue, 12 Oct 2021 17:54:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.048
X-Spam-Level:
X-Spam-Status: No, score=-10.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_ljRp_8TgJc for <oauth@ietfa.amsl.com>; Tue, 12 Oct 2021 17:54:27 -0700 (PDT)
Received: from smtp-fw-80007.amazon.com (smtp-fw-80007.amazon.com [99.78.197.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D995D3A14F8 for <oauth@ietf.org>; Tue, 12 Oct 2021 17:54:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1634086467; x=1665622467; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=DzfXfFYJLnOTV7ofUGKcY2HDu0KRy9enYTuIwxU9PQA=; b=lPU2sTTIi/7CGUkWj8BDcflEjswgHhtVN8/GnrdaRiHs1WhW1zY0qWrm ap3EjfVlcBcpsiyrIWhSXGjoYgIi73pK7AegHapDMTAfqV1KDTWrMeuox XB0LeRVJ7w0LAL/ErGVZ6qvdFsPDIiv4Y9cHvzFogYxaCIJwJDYJJjeQO 0=;
X-IronPort-AV: E=Sophos; i="5.85,369,1624320000"; d="scan'208,217"; a="33741566"
Thread-Topic: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-iad-1e-54c9d11f.us-east-1.amazon.com) ([10.25.36.210]) by smtp-border-fw-80007.pdx80.corp.amazon.com with ESMTP; 13 Oct 2021 00:54:25 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-iad-1e-54c9d11f.us-east-1.amazon.com (Postfix) with ESMTPS id 4D9FEC09A2; Wed, 13 Oct 2021 00:54:24 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Wed, 13 Oct 2021 00:54:23 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Wed, 13 Oct 2021 00:54:23 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.023; Wed, 13 Oct 2021 00:54:23 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>
CC: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Index: AQHXuvWVTQTkcIrcmUG+kwSuqkjn9qvGdXKAgAABUwCAAANnAIAAARQAgAAGkQCAAAHwAIAC/q6AgAAPFwCAAAejAIAAAY4AgAAhT4CAABn1gIAGTdIA
Date: Wed, 13 Oct 2021 00:54:23 +0000
Message-ID: <3CAB48B9-B517-4693-8CBB-3377122A6077@amazon.com>
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com> <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com> <CAJot-L1fio+-1sSn6Z88ianq04RoHJ3M5yxe0Bzu2Cs-CWCPkg@mail.gmail.com> <54A59064-B40B-4F6C-9E7C-A5618C2C4D3E@alkaline-solutions.com>
In-Reply-To: <54A59064-B40B-4F6C-9E7C-A5618C2C4D3E@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.160.215]
Content-Type: multipart/alternative; boundary="_000_3CAB48B9B51746938CBB3377122A6077amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M8X6tf6sdobQqf6keZR8uTZPyXQ>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 00:54:32 -0000

David, Warren, Hannes and others:

The limitations of DPoP and mTLS have been discussed numerous times within the Working Group. Here is a summary of those that I am aware of; others may have additional concerns.

(Though please note first that none of this is to say that DPoP and mTLS are bad or useless – they each are targeted at certain use cases, and they serve those well. They just don't serve every use case well.)

DPoP Limitations:

  1.  Does not support symmetric keys.
  2.  Requires the same key to be used with AS and RSes.
  3.  Does not support multiple valid signing keys.
  4.  Signed content is copied into the JWT and therefore duplicated within the message. This allows for bugs where the verifier fails to check that these values match, or performs that check incorrectly. (e.g., assuming case insensitivity)
  5.  Only covers the method, scheme, host, and path. Allows for additional arbitrary content to be signed, but does not provide any guidance or support for defining interoperable extensions.
  6.  Depends on JWT, which may be a new dependency, particularly for clients that are doing OAuth 2.0 but not OIDC.

mTLS Limitations:

  1.  Requires a single end-to-end TLS connection between client and AS/RS. This often is not the case in modern distributed systems, e.g., TLS may be terminated at a load balancer, or by the hosting platform in the case of a "serverless" application. On the client side, enterprises may have TLS inspection appliances that break the TLS connection.
  2.  Abysmal user experience in the browser. (though that is what DPoP was intended to address, at least initially)

In contrast, Justin's HTTP Message Signatures-based approach:

  1.  Allows for flexibility regarding key selection.
  2.  Allows signing of as much or as little of the HTTP message as is appropriate for the request.
  3.  Does not duplicate signed content.
  4.  Does not depend on JWT, unless you want it to.
  5.  Does not depend on an end-to-end TLS connection, or any other specifics below the HTTP layer.
  6.  Allows servers to use the same signature mechanism for other HTTP signing use cases. (e.g., browser signing authorization cookies, LBs adding a signature over the `X-Forwarded-For` header field)

Note that these concerns regarding use cases not addressed by DPoP and mTLS are not new. Below are excerpts taken from WG meeting notes going back to 2019:


  *   IETF 105<https://datatracker.ietf.org/doc/minutes-105-oauth-201907261000/>:
     *   MTLS is good but not great for browser. TOKBIND has no current browser support. Need solution for browser apps.

     *   [Daniel Fett]: DPOP is hopefully a simple and concise mechanism.

     *   [Brian Campbell]: DPOP came out of a desire for a simplified concise public key mechanism at both the authz and resource server….there isn’t the overhead for symmetric keys.

     *   [Annabelle Backman]: We too find [DPoP] limiting without symmetric as asymmetric can be just too slow.

     *   [John Bradley]: The origin of [DPoP] came from the security workshop specifically focused on applications to do PoP should token binding not come to fruition. We could use web-crypto and create a non-exportable key in the browser. This is why there is no support for symmetric key.

     *   [Mike Jones]: Want to use different POP keys for AT and RT.

     *   [Justin Richer]: I really like this approach. But I agree with Hannes that having a server provided symmetric key is useful.

     *   Roman [Danyliw]: Strongly urge the equities of other groups and surface them.

  *   IETF 106<https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03.pdf>:
     *   Annabelle [Backman]: Would you consider using a HTTP signing solution and not do this
John [Bradley]: ...[DPoP] has limited aspirations than the http signing.

     *   Some discussions on symmetric vs asymmetric encryption and Annabelle is concerned about the scaling and crypto costs. So some folks want both types, this would increase the scope of the effort [for DPoP].

The scope [of DPoP] was to be able to use something with sender constraint for SPA, this is not for broader usage, so this is limited scope not doing what HTTP Signing would be used for. So this needs to be presented as a very focused effort.

     *   Mike [Jones]: The usage of TLS for sender constraint is not deployable

  *   OAuth WG Interim Meeting – 2021-03-15<https://datatracker.ietf.org/doc/minutes-interim-2021-oauth-01-202103151200/>:
     *   Francis [Pouatcha]: DPoP should be by no way a replacement for HTTP signing.

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>




On Oct 8, 2021, at 5:38 PM, David Waite <david=40alkaline-solutions.com@dmarc.ietf.org<mailto:david=40alkaline-solutions.com@dmarc.ietf.org>> wrote:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



I do not support adopting this work as proposed, with the caveat that I am a co-editor of the DPoP work.

We unfortunately do not have a single approach for PoP which works for all scenarios and deployments, why we have had several proposals and standards such as Token Binding, mutual TLS, and DPoP. There have been other less generalized approaches as well, such as forming signed request and response objects on the channel when one needs end-to-end message integrity or confidentiality.

Each of these has their own capabilities and trade-offs, and their applicability to scenarios where the others falter is why multiple approaches is justified.

The preferred solution for HTTPS resource server access is to leverage MTLS. However, browsers have both poor/nonexistent API to manage ephemeral client keys and poor UX around mutual TLS in general.

DPoP was proposed to attempt a “lightest lift” to provide cryptographic evidence of the sender being involved, so that browsers could protect their tokens from exfiltration by non-exportable, ephemeral keys. In that way, we keep from having to define a completely separate security posture for resource-constraining browser apps.

The motivations for the HTTPSig specification don’t clearly state why it is essential to have another promoted PoP approach. I would expect more prescriptive text about the use case that this is proposed for. In particular, I would love to see an additional use case, outside of DPoP, not solved by MTLS but solved by this proposal.

If it turns out the target between a HTTP Message Signatures and DPoP overlap completely, I suspect we would have the issue of two competing adopted drafts in the working group. I personally do not know the ramifications of such an event. I do not believe there would be consensus on eliminating one, nor would there be a significant reduction in complexity by combining them.

Deferring until HTTPSig is interoperably implemented in the industry gives us concrete motivation in the future to support both.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email