Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

Brian Campbell <bcampbell@pingidentity.com> Thu, 12 April 2018 19:33 UTC

In-Reply-To: <20180412132607.GF97291@kduck.kaduk.org>
References: <CAGL6epK7X-jbO0c8GTxm2cAesYwU19R5_GsFY4tpUYxjW-MF_w@mail.gmail.com> <4D385B9E-AA8F-45B3-8C1D-C7B346FFA649@forgerock.com> <CA+k3eCRRUN0_+dVrRabjCrseV0C15wvKmY3jJQ4-eQqhZ2NUQQ@mail.gmail.com> <5758ae34-1d2d-4946-9190-7a2e2bc184d2@Canary> <20180412132607.GF97291@kduck.kaduk.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 12 Apr 2018 13:32:51 -0600
Message-ID: <CA+k3eCQHZJ_rhzb3bU1_2QtXkqmE4cEwg0WSqTXJzTXXjZQDow@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P16DwYsq93Imf30W3I35lP3qFq4>

Thanks for the schooling, Ben.

On Thu, Apr 12, 2018 at 7:26 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> Just replying on one thing...
>
> On Thu, Apr 12, 2018 at 10:03:11AM +0100, Neil Madden wrote:
> > Hi Brian,
> >
> > Thanks for the detailed responses. Comments inline below (marked with ***).
> >
> > Neil
> >
> > > On Wednesday, Apr 11, 2018 at 9:47 pm, Brian Campbell <bcampbell@pingidentity.com> wrote:
> > > On Thu, Mar 29, 2018 at 9:18 AM, Neil Madden <neil.madden@forgerock.com> wrote:
> > > > 10. The PKI client authentication method
> > > > (https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2.1) makes
> > > > no mention at all of certificate revocation and how to handle checking for
> > > > that (CRLs, OCSP - with stapling?). Neither does the Security
> > > > Considerations. If this is a detail to be agreed between the AS and the CA
> > > > (or just left up to the AS TLS stack) then that should perhaps be made
> > > > explicit. Again, there are privacy considerations with some of these
> > > > mechanisms, as OCSP requests are typically sent in the clear (plain HTTP)
> > > > and so allow an observer to see which clients are connecting to which AS.
> > >
> > > I didn't think that a TLS client could do OCSP stapling?
> > >
> > > *** I think you are right about this. I always assumed it was
> > > symmetric (and I think it technically could work), but the spec only talks
> > > about stapling in the server-side of the handshake.
>
> This changed between TLS 1.2 and TLS 1.3 -- in 1.3, the server can
> include "status_request" in its CertificateRequest, and the
> extensions block in the client's Certificate message can include the
> OCSP staple.
>
> -Ben
>

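Added illustration of the TLS 1.3 mechanism Ben describes, not code from the draft or from anyone in this thread: it builds and parses the two handshake messages involved, a CertificateRequest carrying an empty status_request extension and a client Certificate whose leaf CertificateEntry carries the OCSP staple in its extensions. It assumes the RFC 8446 message layouts and RFC 6066's CertificateStatus encoding; the certificate and OCSP bytes are constructed placeholders, not real DER.

```python
STATUS_REQUEST, SIGNATURE_ALGORITHMS = 5, 13     # real ExtensionType values (RFC 6066/8446)
HS_CERTIFICATE, HS_CERTIFICATE_REQUEST = 11, 13  # real HandshakeType values (RFC 8446)
SAMPLE_CERT_DER, SAMPLE_OCSP_DER = b"<cert-der>", b"<ocsp-der>"  # constructed, not real DER

def vec(data, n):           # TLS vector: n-byte big-endian length + contents
    return len(data).to_bytes(n, "big") + data

def ext(ext_type, data):    # Extension { extension_type; extension_data<0..2^16-1> }
    return ext_type.to_bytes(2, "big") + vec(data, 2)

def read_vec(buf, pos, n):  # -> (contents, position just past the vector)
    length = int.from_bytes(buf[pos:pos + n], "big")
    return buf[pos + n:pos + n + length], pos + n + length

def parse_extensions(block):  # Extension list -> {extension_type: extension_data}
    out, pos = {}, 0
    while pos < len(block):
        ext_type = int.from_bytes(block[pos:pos + 2], "big")
        out[ext_type], pos = read_vec(block, pos + 2, 2)
    return out

def build_certificate_request(context=b""):
    # Server side (RFC 8446 4.4.2.1): an *empty* status_request extension asks the
    # client to staple; signature_algorithms is mandatory, so one entry (0x0804) is set.
    exts = ext(SIGNATURE_ALGORITHMS, vec(b"\x08\x04", 2)) + ext(STATUS_REQUEST, b"")
    return bytes([HS_CERTIFICATE_REQUEST]) + vec(vec(context, 1) + vec(exts, 2), 3)

def server_requests_client_staple(msg):
    # Client side: does the received CertificateRequest carry status_request?
    assert msg[0] == HS_CERTIFICATE_REQUEST, "not a CertificateRequest"
    body = read_vec(msg, 1, 3)[0]                     # strip 4-byte Handshake header
    return STATUS_REQUEST in parse_extensions(read_vec(body, read_vec(body, 0, 1)[1], 2)[0])

def build_client_certificate(cert_der, ocsp_der=None, context=b""):
    # Client side: if stapling, the leaf CertificateEntry.extensions carries
    # CertificateStatus { status_type = ocsp(1); ocsp_response<1..2^24-1> }.
    exts = ext(STATUS_REQUEST, b"\x01" + vec(ocsp_der, 3)) if ocsp_der else b""
    entry = vec(cert_der, 3) + vec(exts, 2)
    return bytes([HS_CERTIFICATE]) + vec(vec(context, 1) + vec(entry, 3), 3)

def extract_client_staple(msg):
    # Server side: the OCSP response stapled to the client's leaf cert, or None.
    assert msg[0] == HS_CERTIFICATE, "not a Certificate"
    body = read_vec(msg, 1, 3)[0]
    cert_list, _ = read_vec(body, read_vec(body, 0, 1)[1], 3)   # past the context
    _, pos = read_vec(cert_list, 0, 3)                          # skip leaf cert_data
    status = parse_extensions(read_vec(cert_list, pos, 2)[0]).get(STATUS_REQUEST)
    if not status or status[0] != 1:                            # absent, or not ocsp
        return None
    return read_vec(status, 1, 3)[0]
```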