Re: [OAUTH-WG] [EXT] Re: DPoP followup III: client auth
Brian Campbell <bcampbell@pingidentity.com> Fri, 04 December 2020 18:58 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4938E3A0EBA for <oauth@ietfa.amsl.com>; Fri, 4 Dec 2020 10:58:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJ2egKqvsCva for <oauth@ietfa.amsl.com>; Fri, 4 Dec 2020 10:58:35 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 487A93A0EB4 for <oauth@ietf.org>; Fri, 4 Dec 2020 10:58:34 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id s30so9078643lfc.4 for <oauth@ietf.org>; Fri, 04 Dec 2020 10:58:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dFkDupzyISsgxwJWSVr7zqgvU92ZluYpk59BideyJTM=; b=MUcxbKNljzR3sDgekv+fa4R7VtlaWth90Fw4nmIdvKFreLig7e6yWuXZ4a30apnbxt 851d5rYZ9A6fflhRtet1NbdiXOTzYjdN+aR+ZQqV5ERkPyG6whMAb9B/GBzCQdTUEbiC mEO5u8YqeQSChD3zDbHRB4I/F5AovLUfvzkRwmL+bja7rKzjy2Mm+uBTux00ULadXxli wkE8yj1CBULUNiL3V4B037WEPTffkhJH/cH2j/ECY/+O2ekMO2SB9i/63V2DRXBO5b1A DkWRNyqA5AcuMqrFyCaRFZc1J/H6nwqus6IW+sn8u2OrEUG3HI050E7ehcMmLvaLK8DB bUUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dFkDupzyISsgxwJWSVr7zqgvU92ZluYpk59BideyJTM=; b=Frym7AeOmWxZpvedcjv46kU0TEJklUSDX55Q6l85JqBqjx0wBmneioNm41KE+YYCJf vvcHUFQ2RZ85d6o35RWNfbw/Sx7nbHPfejeRMy7KyoHLyymeZgWfyTsEWX25x9o8/2Wl uqj2OcOfXrKnsWEBA0X5bdb8AewZXo+QZc+fg2oyUK8v/ChR9wySF73u1UfySRljDsXA D0L/Zx8MfbdB5rsQj2XaS/BXZZzk4BbJRV1CO3Kxq1x8CvSCCzXHEQnByVCVUkGlQ0Pl Kihjj54Kg3S9d6LXjwCY7QUaHqjbuIsP19+mWpWGKMhMXfGscNslv/KvB8UXVGmmGL/a K88w==
X-Gm-Message-State: AOAM531oyJItb95b66uRtSats+NM6MaxhF0dl8kBAYvcPgbPHreFYZl0 W0671bw1C/5xUXvIQWNq5S1RDvQCoS7Ee3qc+u/IEdgUTa8EOz2WxkZhMrwyhiq/Bpm5I99N0o6 8UCf8AUTCflw6pA==
X-Google-Smtp-Source: ABdhPJzBcSeViqj4Art/rz6fF0HJj4lLxxKzKswGE0D8qzBPhIFc7tm903N9D07O8nP3bYE+oWwyNqucbSFQ352OzCc=
X-Received: by 2002:a19:5215:: with SMTP id m21mr3882992lfb.407.1607108311524; Fri, 04 Dec 2020 10:58:31 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCQjCjbcHxmTFn_Ce1aQ-gn31mAXNp9PGp7d6mXkfyDWPA@mail.gmail.com> <3134_1606988830_5FC8B41D_3134_178_1_CALAqi_-6ovK4otw9JW+c5H3qjnFrUqbwn-AoyGnA_EHfCSgQNw@mail.gmail.com> <5F2D6022-CA13-4255-ADC2-78CCC1AED766@mitre.org>
In-Reply-To: <5F2D6022-CA13-4255-ADC2-78CCC1AED766@mitre.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 04 Dec 2020 11:58:05 -0700
Message-ID: <CA+k3eCQ7ksY3OiFJ9HZvmOjmpfF6i=axh1_REUi5F02u73Tp8w@mail.gmail.com>
To: Michael A Peck <mpeck@mitre.org>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="00000000000006612d05b5a810de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PfzMhh2sJYpM-5M7HX004AMMVmI>
Subject: Re: [OAUTH-WG] [EXT] Re: DPoP followup III: client auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 18:58:37 -0000
On Fri, Dec 4, 2020 at 8:21 AM Michael A Peck <mpeck@mitre.org> wrote: > Hi Brian, > > > > I think I lean towards “Shut up and never speak of this again”, but could > you clarify some things? > That seems to be where rough consensus is heading. So the clarifications are likely moot. But I'll try anyway. > > > I missed the interim meeting discussion on this slide – it looks like DPoP > for client authentication would have very similar properties as > private_key_jwt, but using DPoP instead? i.e. both use a private key to > sign a JWT that authenticates the client. > Time was running out in the meeting at the same time I somehow lost the ability to advance slides. So there wasn't any real discussion on this one. But yes they would have very similar properties AFAICT. > > Could you expand a bit on the advantage of using DPoP for both client > authentication and sender-constraining the token vs. using private_key_jwt > (for client authentication) + DPoP (for sender-constraining the token)? > The only advantage would be avoiding sending two different JWTs in a one request that are doing very similar things. DPoP + private_key_jwt seemed awkward in that respect when I thought about it. That was really my only motivation for bringing it up. > > > Adding to Filip’s comment, is there just one DPoP proof sent in the token > request to cover both client authentication and sender-constraining the > token, meaning the same keypair would be used for both DPoP usages? > That was the idea, yes. > That would go against DPoP’s key rotation guidance, but maybe would be > okay if freshness guarantees of the DPoP proof get added? > Yes kinda but the kind of client's that could use DPoP for client auth are likely the kind that could rotate those keys via JWKS_URI and also be less prone to the vectors (like XSS) which most benefit from rotation. Improved (guarantee seems too strong a word) freshness probably makes it more okay too. > > > Thanks, > > Mike > > > > > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Filip Skokan < > panva.ip@gmail.com> > *Date: *Thursday, December 3, 2020 at 4:49 AM > *To: *Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> > *Cc: *"oauth@ietf.org" <oauth@ietf.org> > *Subject: *[EXT] Re: [OAUTH-WG] DPoP followup III: client auth > > > > 🤫, better not open up the possibility of thinking of DPoP Proof keys as > pre-registered (i.e. not "ephemeral"). > > > > Best, > *Filip* > > > > > > On Wed, 2 Dec 2020 at 23:30, Brian Campbell <bcampbell= > 40pingidentity.com@dmarc.ietf.org> wrote: > > There were a few items discussed somewhat during the recent interim > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth> > that I committed to bringing back to the list. The slide below (also > available with a few extra spelling errors as slide #19 from the interim > presentation > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>) > is the last of them. > > > > To summarize, I'm wondering if there's WG interest in working to formalize > a client-to-AS authentication mechanism based on DPoP. I think it > potentially would be problematic to put into the current document (for a > number of reasons) so am preemptively ruling out that option. Thus, > basically, I'm asking the WG if there is some/much interest in the idea? In > which case I'll find some time (at some point) to write up an I-D for it > and bring that back to the group for consideration. Or if I should, as the > slide says, "shut up and never speak of this again"? > > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] DPoP followup III: client auth Brian Campbell
- Re: [OAUTH-WG] DPoP followup III: client auth Filip Skokan
- Re: [OAUTH-WG] DPoP followup III: client auth Neil Madden
- Re: [OAUTH-WG] DPoP followup III: client auth toshio9.ito
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Michael A Peck
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Denis
- Re: [OAUTH-WG] [EXT] Re: DPoP followup III: clien… Brian Campbell
- Re: [OAUTH-WG] DPoP followup III: client auth Brian Campbell