Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments
Brian Campbell <bcampbell@pingidentity.com> Tue, 07 April 2020 21:31 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 517343A00D3 for <oauth@ietfa.amsl.com>; Tue, 7 Apr 2020 14:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4qnfsTomMhK for <oauth@ietfa.amsl.com>; Tue, 7 Apr 2020 14:31:38 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBEC73A00D2 for <oauth@ietf.org>; Tue, 7 Apr 2020 14:31:37 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id x23so3560267lfq.1 for <oauth@ietf.org>; Tue, 07 Apr 2020 14:31:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/njkQzYEMhjEivADldNPIkvLgf5nSxYnyPFlLllxrhk=; b=XlLoGxjLPfY/IyDYhnE7MX/RO2CN6s2T31UaZX5B3kF+pTyFeNRP1O2we/6GzmsGm8 vqFC0F8MNiCBmCcUjCXQvkHXEqmAk/HPMzZxzcm9bMewe994O0YMnWqx3hB3h3jSI6Md m8C42Hm5ntQ12Loc4IpAeWVpWP5VbZq4aicx9pbtCQYv8baiuwoUqLkKZGLEPZHzST9H 1nt8kGIOqlh4ltfOINKCcYo8ev6QzizsihDISiFvaev8cSMRKblWAWpfIU/6lZx7GLzw lR82/GA8e2/N3oUr36GOc29WumMIOwPPt689WOYo8gZBUyZevUxqK7LKKbbffqfa1omV HQyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/njkQzYEMhjEivADldNPIkvLgf5nSxYnyPFlLllxrhk=; b=RPEZ6jUOnLsgCVjvftCQvU4yDGwr5+qd7Tsx7tVyRmWfk4uaDNYXw3vTMYcyB+I/ab rp5oAIM5QUxYhntdXNTWbxWGG2w8wm3hH9HSSosXs+OY89HBGM+FaIlvRD0phlIQbIRs 9bBFRMXYivdMbKo+S5NZb+rPm26y7HuJE1nIV8jRXQYLpe1bDYJZ5Xm50RUSYU/ADGbt ceo5gjVAs32w4edkQvBT0Xj2jz0N7DTxeovLb4vLaUcE5dpnjZrL4N5AAmCmoOqNjqb6 hwxziKDTlPk5QBWuqVjIqPoYDAoTXHxmPz2AxyLYRZb1wOcU6zeb9LLEo4k5GN9N0oHY B9Jg==
X-Gm-Message-State: AGi0PubVvPMAAEEwT37cp+vwikOijCM7jb7nmbTJLn1j9b1iaGnzprNL 9jmkjNaODjtr4YSkT0/Vx0FZ79He6SXbIklaWVhrVSYicTakR3xaDtnwn7gjZn2qIoKUFfjjxA5 Z0ZDB+vSHHWFguQ==
X-Google-Smtp-Source: APiQypIB95R2Ua7sylTcT4ZMoI7Gm3zot1aioLobMEfgLvZw1TfmK4/M2t7zG6fbkisKfWH/OLgVaS3Nouw3BIM+rwc=
X-Received: by 2002:a05:6512:d1:: with SMTP id c17mr2639838lfp.167.1586295095789; Tue, 07 Apr 2020 14:31:35 -0700 (PDT)
MIME-Version: 1.0
References: <0995BBB3-73E2-4831-B07E-BB5CB5F17AE9@mitre.org> <CA+k3eCTpoOwwTWBqfWHpqeKDo4jGcgU9ockFq17-0W92q-08yg@mail.gmail.com> <20200407035422.GG88064@kduck.mit.edu>
In-Reply-To: <20200407035422.GG88064@kduck.mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 07 Apr 2020 15:31:09 -0600
Message-ID: <CA+k3eCQCfX8VLt23uxK1hBDPhiA-08R9APvbifv4QQXOvb2atg@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "Peck, Michael A" <mpeck@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b1a27c05a2ba1b49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NMhAojEgILMev-ZFpajPir8Zpac>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 21:31:40 -0000
One of the primary motivations for the proof-of-possession mechanism of DPoP being at the application layer was to hopefully enable implementation and deployment by regular application developers. A lesson learned from the difficulties and lack of adoption around Token Binding was that access to TLS exporters is non-existent or prohibitively cumbersome in many development environments. Browsers, for example, don't expose any such API to javascript. And that's a non-starter here. Are there other practical ways to include a server contribution that have been overlooked? On Mon, Apr 6, 2020 at 9:54 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > > There should be plenty of ways to include a server contribution into the > DPoP proof (e.g., a TLS exporter value). > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Peck, Michael A
- Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Benjamin Kaduk
- Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-dpop-00 comments Benjamin Kaduk