Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Thu, 21 October 2021 12:57 UTC

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Thu, 21 Oct 2021 08:56:42 -0400
Message-ID: <CADNypP9g-jTYU1hu=eFAHJRFRBEc5Lo71Dtr=DrSwK0EsfTz4A@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q1YamyuzJGNWUp4y1J_RGPr8agc>

All,

Based on the feedback on this call for adoption request, it seems that this
document does *not* have enough support to adopt it as a WG document at
this stage.

Regards,
 Rifaat & Hannes


On Thu, Oct 14, 2021 at 11:19 AM Warren Parad <wparad@rhosys.ch> wrote:

> I'm glad you brought this up. Since Signatures can already be used with
> OAuth, the question is exactly that: what are the ways that using these
> together without an explicit RFC would cause a problem? I'm not totally sure
> that makes sense, so let me give an example. If the draft says "we need to
> exchange keys, but it isn't part of the draft" and we have that for every
> section, what's the benefit of the RFC in the first place? Sure, PoP needs a
> solution; is it solved without an RFC for anyone using OAuth and the
> Signature draft as is, or is there something meaningful that needs to be
> documented?
>
> Without providing author recommendations in the form of filling in at
> least part of the draft, instead of the question being *is this the right
> way to solve this part of the problem* it becomes *should we even have a
> draft.*
>
> The one part of the draft that does exist is "Introduction of a new token
> type", which if we say:
>
>> The RS can get that through introspection, through something in the token
>> itself (like the JWT “cnf” claim)
>
>
> Then the obvious conclusion should be: we don't need a new token type. So
> if we remove that from that draft, it brings me back to the original point,
> what problem does this particular draft solve as part of PoP, other than
> saying we should have PoP via message signatures because message signatures
> can provide PoP.
>
> We could say things like "Key exchange needs to be defined so that..." or
> "a new claim needs to be added so that...", but I fear we haven't done that
> with the draft so far.
>
> Obviously this is only my perspective, which isn't saying "let's not do
> this"; it is "sure, let's do this as long as we can answer these questions".
> Right now I'm not convinced of this actually solving the PoP situation for
> me; while it is a valid argument, it isn't a sound one, due to its
> implementation relying on Signatures and how Signatures is constructed at
> this moment.
>
> So rather than "this is PoP", let's focus on the problems needed to solve
> for PoP Signatures to work.
>
> Warren Parad
>
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement
> Authress <https://authress.io/>.
>
>
> On Thu, Oct 14, 2021 at 4:51 PM Justin Richer <jricher@mit.edu> wrote:
>
>> I wanted to jump back to the top of the thread to point out something
>> that seems to be getting missed:
>>
>>
>> This is not a call for adoption of HTTP Message Signatures. That document
>> already exists in the HTTP WG and will be published as an RFC from that
>> group. If you want to have discussions about how the HTTP Message
>> Signatures specification works, come to the HTTP working group for those
>> discussions.
>>
>> This is a call for adoption of an OAuth application of the HTTP Message
>> Signatures spec. Signatures will exist with or without the OAuth WG’s use
>> of it, and I would argue that people are going to attach OAuth access
>> tokens to requests using HTTP Message Signatures whether or not the
>> OAuth WG picks up the work. The question is whether those applications are
>> going to be isolated profiles and silos, like they are today, or whether
>> there can be one way to use them together across different systems.
>>
>> My recommendation is that the OAuth WG define how exactly HTTP Message
>> Signatures should be used with OAuth, which is what this proposal is
>> for.
>>
>>  — Justin
>>
>>
>> On Oct 6, 2021, at 5:01 PM, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
>> wrote:
>>
>> All,
>>
>> As a followup on the interim meeting today, this is a *call for adoption*
>> for the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft
>> as a WG document:
>> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>>
>> Please, provide your feedback on the mailing list by *October 20th*.
>>
>> Regards,
>>  Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
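The key-binding check that Warren and Justin debate above (the RS recovering the proof-of-possession key from the token's "cnf" claim and requiring that the same key signed the HTTP message), as an added example that is not part of this thread or of draft-richer-oauth-httpsig. It assumes a constructed RS key store resolved by "kid", HMAC-SHA256 so it runs offline, and an unsigned placeholder token; the request and its covered components are constructed sample input.

```python
import base64, hashlib, hmac, json

# Constructed: the RS's store of proof-of-possession keys, resolvable by "kid";
# the token's cnf claim (RFC 7800) names one. HMAC keeps the example offline.
POP_KEYS = {"client-key-1": b"constructed-shared-secret"}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    # Unsigned JWT stand-in; the example checks key binding, not the token itself.
    return ".".join([b64url(b'{"alg":"none"}'), b64url(json.dumps(claims).encode()), ""])

def signature_base(request, components, params):
    # HTTP Message Signatures base: one line per covered component + @signature-params.
    lines = [f'"{c}": {request[c]}' for c in components]
    return "\n".join(lines + [f'"@signature-params": {params}'])

def sign_request(request, components, kid, created):
    # Client side: cover the listed components and name the PoP key via keyid.
    params = "(" + " ".join(f'"{c}"' for c in components)
    params += f');created={created};keyid="{kid}";alg="hmac-sha256"'
    base = signature_base(request, components, params).encode()
    mac = hmac.new(POP_KEYS[kid], base, hashlib.sha256).digest()
    signed = dict(request)
    signed["signature-input"] = "sig1=" + params
    signed["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return signed

def verify_at_rs(request):
    # RS side: the signing key must be the one the token is bound to (cnf.kid ==
    # keyid) and the Authorization header must be a covered component.
    body = request["authorization"].split(" ", 1)[1].split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    bound_kid = claims.get("cnf", {}).get("kid")
    params = request["signature-input"].split("=", 1)[1]
    comp_str, rest = params[1:].split(")", 1)
    components = [c.strip('"') for c in comp_str.split()]
    sig_params = dict(p.split("=", 1) for p in rest.lstrip(";").split(";"))
    if (bound_kid not in POP_KEYS or "authorization" not in components
            or sig_params.get("keyid", "").strip('"') != bound_kid):
        return False
    base = signature_base(request, components, params).encode()
    expected = hmac.new(POP_KEYS[bound_kid], base, hashlib.sha256).digest()
    got = base64.b64decode(request["signature"].split("=:", 1)[1].rstrip(":"))
    return hmac.compare_digest(expected, got)
# Constructed request: derived components plus the cnf-bound access token.
REQUEST = {"@method": "GET", "@authority": "rs.example", "@path": "/resource",
           "authorization": "Bearer " + make_token({"sub": "alice", "cnf": {"kid": "client-key-1"}})}
COVERED = ["@method", "@authority", "@path", "authorization"]
```

The RS rejects a message signed with a key other than the one in cnf, a signature that leaves the Authorization header uncovered, and any modification of a covered component.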