IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Warren Parad <wparad@rhosys.ch> Wed, 13 October 2021 09:51 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F16863A152D for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 02:51:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WZ8M1BHTOd8C for <oauth@ietfa.amsl.com>; Wed, 13 Oct 2021 02:51:46 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50DBD3A1547 for <oauth@ietf.org>; Wed, 13 Oct 2021 02:51:46 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id h2so4879848ybi.13 for <oauth@ietf.org>; Wed, 13 Oct 2021 02:51:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TvRznGM7ePm0DQNZpLKV6lylKUqUurQgMUwyIYDLhxU=; b=ID1nmyG9nqWMvZ9zquw26zqNBeyLYBYZxwxBTjeAJmfowV2TRyUSSxOeQrjyLmh8/8 q+Ke6D+X9SfjNZ9Z4ZcJnV4UNVFvdW5pgIhBItRSMw/U2aF6mb75LbvqxbrUz97rTRwq y5OCHJ3XEeo6NcMr3oY0CbUTKbMhpEppklzKHoHCRuldToR6Tj9C5LUdMtLrGdjisrvO aEexs9/qJoPVKM9jwczxsEGMn6e6CngXUrx8Bd2xftMzTdQEI9LJy3SA5Cs4UZZE5nvH DHnsa4azl9HLsorGPvobbS/vZgZIggUGA02PbMeTnJehapuYf+CieoMXBC47JjQqR0Pe MZlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TvRznGM7ePm0DQNZpLKV6lylKUqUurQgMUwyIYDLhxU=; b=nTPC19lXJLJTPX2cwUyDg1retX4ejuaiFeivnW5K4+GjrxoZUUMt69QAbmlMLPFj3c ZIkqeDUgydYOETFjZn5W16vQ+3D0iz5brtQC0dIjzU4IfcekbmQYkrSx6BaO3ObMRLRj UVgJG65HZcy1NjUfUR2ymoDUyGNaldM3T1cCoMfgH/NhUBznnzFDAtTDdexkcCwsGekx tDe2Bt+D0QLmiYxJQmsQ3UkSHQB6hU0Psyku/re3ye18ADOeqKKifzfgUse8PjDJJ6rv 3Ql07/bOKdXTp4R+ARM0AtktyJG6ZixCvMVcFMXyNUBWfmTg106hO9X+aJA4we/6wfwl JhvQ==
X-Gm-Message-State: AOAM530tl1QIgP/5r9ngDeiMMLWs7vTaf7rj/Qwg/JDR4186jGlRQDzW 8aTv1i+f5HgRwWhg2KXJhaLkvpiPLdsNgAAofRqLW17uUT+A/Bc=
X-Google-Smtp-Source: ABdhPJyJUjqo4HQsn0rfU7WCnPuMIxVPrtWasUkwgRafuP2AOGFuqOFDkJwikUoEZ549LUA3UWsWS9rrnyKm5sJJNe8=
X-Received: by 2002:a25:5f46:: with SMTP id h6mr7382355ybm.209.1634118704186; Wed, 13 Oct 2021 02:51:44 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <CAGBSGjqasD=eYnsMm7gZB2g+=C4abZoVi7FH4e7EFfgwKdjS8w@mail.gmail.com> <CAD9ie-uH9xGL9orTFxEd=tfhO6Q-S3sDHrQDtU7h0_dr6YeLOg@mail.gmail.com> <EE56CE99-5592-40AF-9BA5-7F3886ED315A@mit.edu> <CAD9ie-t9i1sVLhVhJp-mWSchV_x0b3no7i4qNXvcaQS+8OqCVA@mail.gmail.com> <CAGBSGjrgVbGWwFq6LDX_2Vhv7yQkwtEEjy36GpLj-bN+MtcX-w@mail.gmail.com> <CAD9ie-vJiwBSV71z4_2TJJO7A52mV763XvXmEPsEFgOMFVOwyQ@mail.gmail.com> <D445073E-D495-4250-9773-9AEEB09C01E0@amazon.com> <CAD9ie-t5EBZLtHmmbDQu9iq-d87gf07X5Fes_ZqFts5hDCOOuw@mail.gmail.com> <A312C403-3341-4B29-AEB3-B547E9A802E7@amazon.com> <CAD9ie-sW537PEzavzv1v6JSOFSfLa7iRVPAXD-miuEY8GMmDeQ@mail.gmail.com> <CAJot-L1fio+-1sSn6Z88ianq04RoHJ3M5yxe0Bzu2Cs-CWCPkg@mail.gmail.com> <54A59064-B40B-4F6C-9E7C-A5618C2C4D3E@alkaline-solutions.com> <3CAB48B9-B517-4693-8CBB-3377122A6077@amazon.com>
In-Reply-To: <3CAB48B9-B517-4693-8CBB-3377122A6077@amazon.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 13 Oct 2021 11:51:33 +0200
Message-ID: <CAJot-L3CiPf0XbTRHPgs71cxfhr2626+vt4XELDSf5nhkj8wdg@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: David Waite <david@alkaline-solutions.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e26a6905ce38e8ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QFzA5p2JHYUKW7yK_LZO3hoiLlg>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 09:51:54 -0000

Are there things about the OAuth DPoP that are possibly problematic,
definitely, but it is still in draft. Wouldn't this be the best opportunity
to expose these problems to the authors and work through possible
solutions? This conversation has already brought some things to mind which
I'd be interested in improving, for instance *cnf *being an array, and
attempting to utilize the Authorization header more effectively, but this
isn't the thread to discuss those. Is there a reason we can't just improve
the existing DPoP draft to remove the limitations you listed above?

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Wed, Oct 13, 2021 at 2:54 AM Richard Backman, Annabelle <richanna=
40amazon.com@dmarc.ietf.org> wrote:

> David, Warren, Hannes and others:
>
> The limitations of DPoP and mTLS have been discussed numerous times within
> the Working Group. Here is a summary of those that I am aware of; others
> may have additional concerns.
>
> (Though please note first that none of this is to say that DPoP and mTLS
> are bad or useless – they each are targeted at certain use cases, and they
> serve those well. They just don't serve *every* use case well.)
>
> DPoP Limitations:
>
>    1. Does not support symmetric keys.
>    2. Requires the same key to be used with AS and RSes.
>    3. Does not support multiple valid signing keys.
>    4. Signed content is copied into the JWT and therefore duplicated
>    within the message. This allows for bugs where the verifier fails to check
>    that these values match, or performs that check incorrectly. (e.g.,
>    assuming case insensitivity)
>    5. Only covers the method, scheme, host, and path. Allows for
>    additional arbitrary content to be signed, but does not provide any
>    guidance or support for defining interoperable extensions.
>    6. Depends on JWT, which may be a new dependency, particularly for
>    clients that are doing OAuth 2.0 but not OIDC.
>
>
> mTLS Limitations:
>
>    1. Requires a single end-to-end TLS connection between client and
>    AS/RS. This often is not the case in modern distributed systems, e.g., TLS
>    may be terminated at a load balancer, or by the hosting platform in the
>    case of a "serverless" application. On the client side, enterprises may
>    have TLS inspection appliances that break the TLS connection.
>    2. Abysmal user experience in the browser. (though that is what DPoP
>    was intended to address, at least initially)
>
>
> In contrast, Justin's HTTP Message Signatures-based approach:
>
>    1. Allows for flexibility regarding key selection.
>    2. Allows signing of as much or as little of the HTTP message as is
>    appropriate for the request.
>    3. Does not duplicate signed content.
>    4. Does not depend on JWT, unless you want it to.
>    5. Does not depend on an end-to-end TLS connection, or any other
>    specifics below the HTTP layer.
>    6. Allows servers to use the same signature mechanism for other HTTP
>    signing use cases. (e.g., browser signing authorization cookies, LBs adding
>    a signature over the `X-Forwarded-For` header field)
>
>
> Note that these concerns regarding use cases not addressed by DPoP and
> mTLS are not new. Below are excerpts taken from WG meeting notes going back
> to 2019:
>
>
>    - IETF 105
>    <https://datatracker.ietf.org/doc/minutes-105-oauth-201907261000/>:
>       - MTLS is good but not great for browser. TOKBIND has no current
>       browser support. Need solution for browser apps.
>
>       - [Daniel Fett]: DPOP is hopefully a simple and concise mechanism.
>
>       - [Brian Campbell]: DPOP came out of a desire for a simplified
>       concise public key mechanism at both the authz and resource server….there
>       isn’t the overhead for symmetric keys.
>
>       - [Annabelle Backman]: We too find [DPoP] limiting without
>       symmetric as asymmetric can be just too slow.
>
>       - [John Bradley]: The origin of [DPoP] came from the security
>       workshop specifically focused on applications to do PoP should token
>       binding not come to fruition. We could use web-crypto and create a
>       non-exportable key in the browser. This is why there is no support for
>       symmetric key.
>
>       - [Mike Jones]: Want to use different POP keys for AT and RT.
>
>       - [Justin Richer]: I really like this approach. But I agree with
>       Hannes that having a server provided symmetric key is useful.
>
>       - Roman [Danyliw]: Strongly urge the equities of other groups and
>       surface them.
>
>       - IETF 106
>    <https://datatracker.ietf.org/meeting/106/materials/minutes-106-oauth-03.pdf>:
>
>       - Annabelle [Backman]: Would you consider using a HTTP signing
>       solution and not do this
>       John [Bradley]: ...[DPoP] has limited aspirations than the http
>       signing.
>
>       - Some discussions on symmetric vs asymmetric encryption and
>       Annabelle is concerned about the scaling and crypto costs. So some folks
>       want both types, this would increase the scope of the effort [for DPoP].
>
>       The scope [of DPoP] was to be able to use something with sender
>       constraint for SPA, this is not for broader usage, so this is limited scope
>       not doing what HTTP Signing would be used for. So this needs to be
>       presented as a very focused effort.
>
>       - Mike [Jones]: The usage of TLS for sender constraint is not
>       deployable
>
>       - OAuth WG Interim Meeting – 2021-03-15
>    <https://datatracker.ietf.org/doc/minutes-interim-2021-oauth-01-202103151200/>:
>
>       - Francis [Pouatcha]: DPoP should be by no way a replacement for
>       HTTP signing.
>
>
> —
> Annabelle Backman (she/her)
> richanna@amazon.com
>
>
>
>
> On Oct 8, 2021, at 5:38 PM, David Waite <
> david=40alkaline-solutions.com@dmarc.ietf.org> wrote:
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> I do not support adopting this work as proposed, with the caveat that I am
> a co-editor of the DPoP work.
>
> We unfortunately do not have a single approach for PoP which works for all
> scenarios and deployments, why we have had several proposals and standards
> such as Token Binding, mutual TLS, and DPoP. There have been other less
> generalized approaches as well, such as forming signed request and response
> objects on the channel when one needs end-to-end message integrity or
> confidentiality.
>
> Each of these has their own capabilities and trade-offs, and their
> applicability to scenarios where the others falter is why multiple
> approaches is justified.
>
> The preferred solution for HTTPS resource server access is to leverage
> MTLS. However, browsers have both poor/nonexistent API to manage ephemeral
> client keys and poor UX around mutual TLS in general.
>
> DPoP was proposed to attempt a “lightest lift” to provide cryptographic
> evidence of the sender being involved, so that browsers could protect their
> tokens from exfiltration by non-exportable, ephemeral keys. In that way, we
> keep from having to define a completely separate security posture for
> resource-constraining browser apps.
>
> The motivations for the HTTPSig specification don’t clearly state why it
> is essential to have another promoted PoP approach. I would expect more
> prescriptive text about the use case that this is proposed for. In
> particular, I would love to see an additional use case, outside of DPoP,
> not solved by MTLS but solved by this proposal.
>
> If it turns out the target between a HTTP Message Signatures and DPoP
> overlap completely, I suspect we would have the issue of two competing
> adopted drafts in the working group. I personally do not know the
> ramifications of such an event. I do not believe there would be consensus
> on eliminating one, nor would there be a significant reduction in
> complexity by combining them.
>
> Deferring until HTTPSig is interoperably implemented in the industry gives
> us concrete motivation in the future to support both.
>
> -DW
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.39.1 | Report a Bug | By Email | System Status