Re: [OAUTH-WG] MTLS vs. DPOP

David Waite <david@alkaline-solutions.com> Wed, 08 May 2019 05:55 UTC

From: David Waite <david@alkaline-solutions.com>
Message-Id: <964BEC93-473E-4D4D-96F0-AB25CCFB2AC5@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_37C68E3C-0509-4A91-B329-D5CC425C977D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 07 May 2019 23:55:54 -0600
In-Reply-To: <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MUyMcZQQWylCkakaeaAKeZPVKEQ>
Subject: Re: [OAUTH-WG] MTLS vs. DPOP


> On May 7, 2019, at 8:12 AM, George Fletcher <gffletch=40aol.com@dmarc.ietf.org> wrote:
> 
> To compromise an MTLS bound token the attacker has to compromise the private key. To compromise a DPOP bound token, depending on what HTTP request elements are signed, and whether the DPOP is managed as one-time-use etc, there are additional attacks. (Ducks head and waits for all the real security experts to prove me wrong:)

Both should wind up supporting either longer-term, issued keys or ephemeral keys - and either exportable or not.

Off the top of my head, if your application is compromised, I can’t think of a difference in the kinds of abuse that could be performed with equivalent policies and key protections.

-DW
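Added example, not part of this message, George's, or the DPoP draft's own code: a minimal resource-server check of a DPoP proof that shows concretely which of the "additional attacks" George mentions are closed by which check. The proof key must match the access token's `cnf.jkt` thumbprint (the key-binding property mTLS gets from the TLS handshake), the `htm`/`htu` claims bind the proof to one HTTP method and URI, `iat` bounds how long a captured proof stays usable, and a `jti` replay cache enforces one-time use. Everything here is assumed for illustration: the key pair is generated on the fly, the `rs.example` URI and `jti-*` values are constructed, the replay cache is an unbounded in-memory map, and the `ath` and `nonce` claims of later DPoP drafts are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the public EC key carried in the proof header (RFC 7517 fields we need).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// claims are the DPoP proof claims: one-time id, bound method and URI, issue time.
type claims struct {
	JTI string `json:"jti"`
	HTM string `json:"htm"`
	HTU string `json:"htu"`
	IAT int64  `json:"iat"`
}

func pubJWK(k *ecdsa.PublicKey) jwk {
	x := k.X.FillBytes(make([]byte, 32))
	y := k.Y.FillBytes(make([]byte, 32))
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}
}

// thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the lexically ordered required members.
// The authorization server puts this value in the access token's cnf.jkt claim.
func thumbprint(j jwk) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s","y":"%s"}`, j.Crv, j.Kty, j.X, j.Y)))
	return b64.EncodeToString(h[:])
}

// NewProof builds a DPoP proof JWT (ES256) for one request, signed with the client's key.
func NewProof(k *ecdsa.PrivateKey, htm, htu, jti string, iat time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubJWK(&k.PublicKey)})
	body, _ := json.Marshal(claims{JTI: jti, HTM: htm, HTU: htu, IAT: iat.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, k, d[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier holds the resource server's replay state (constructed: unbounded map, no eviction).
type Verifier struct {
	seen   map[string]bool
	window time.Duration
}

func NewVerifier() *Verifier { return &Verifier{seen: map[string]bool{}, window: 5 * time.Minute} }

// Verify checks one proof against the request actually received and the token's cnf.jkt binding.
func (v *Verifier) Verify(proof, htm, htu, cnfJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, err1 := b64.DecodeString(parts[0])
	pb, err2 := b64.DecodeString(parts[1])
	sb, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sb) != 64 {
		return errors.New("bad encoding")
	}
	var hdr struct {
		Typ string `json:"typ"`
		Alg string `json:"alg"`
		JWK jwk    `json:"jwk"`
	}
	if json.Unmarshal(hb, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" {
		return errors.New("unexpected header")
	}
	if hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return errors.New("unsupported key")
	}
	xb, _ := b64.DecodeString(hdr.JWK.X)
	yb, _ := b64.DecodeString(hdr.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])) {
		return errors.New("bad signature") // proof was not made by the key in its own header
	}
	if thumbprint(hdr.JWK) != cnfJKT {
		return errors.New("proof key does not match token binding") // key binding, the mTLS-equivalent check
	}
	var c claims
	if json.Unmarshal(pb, &c) != nil {
		return errors.New("bad claims")
	}
	if c.HTM != htm || c.HTU != htu {
		return errors.New("proof not bound to this request") // captured proof cannot be moved to another endpoint
	}
	if age := now.Sub(time.Unix(c.IAT, 0)); age > v.window || age < -v.window {
		return errors.New("proof outside freshness window")
	}
	if c.JTI == "" || v.seen[c.JTI] {
		return errors.New("proof replayed") // one-time use: same proof cannot be presented twice
	}
	v.seen[c.JTI] = true
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jkt := thumbprint(pubJWK(&key.PublicKey))
	v, now := NewVerifier(), time.Now()
	p, _ := NewProof(key, "GET", "https://rs.example/resource", "jti-1", now)
	fmt.Println("first use:", v.Verify(p, "GET", "https://rs.example/resource", jkt, now))
	fmt.Println("replay:", v.Verify(p, "GET", "https://rs.example/resource", jkt, now))
	fmt.Println("other method:", v.Verify(p, "POST", "https://rs.example/resource", jkt, now))
}
```

The ordering matters for the comparison in this thread: with the `cnf.jkt` check alone, DPoP gives the same "must hold the private key" property George attributes to mTLS; the `htm`/`htu`, `iat` and `jti` checks are what remove the extra room a captured proof would otherwise give an attacker, and a resource server that skips any of them is weaker than the mTLS binding by exactly that margin.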