Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
Dick Hardt <dick.hardt@gmail.com> Fri, 22 November 2019 09:23 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1233120807 for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 01:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VdBYlAqebBjh for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 01:23:04 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8249120810 for <oauth@ietf.org>; Fri, 22 Nov 2019 01:23:03 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id q2so6548832ljg.7 for <oauth@ietf.org>; Fri, 22 Nov 2019 01:23:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dZdPRfbT8ZcVV5RkpohPICsV++yPFBNanU1HfRuvais=; b=SEFjjZVSt5Bcx/6dUG9x+EYiuNOKzfFKLofG9T9W3aKTnPQML1rnfvHgXaFIqJEtYD hvmJHR/3g3VEyjcKZjvKmKNevvR+docSOk+qoepEyNLvPK8M1jwW/MTgRe2ACo0+iMcK 5r6z52gRqPtUah+INP9nbkI5Lwy4wd+V5mX2I3XjIXjpfKDXdM6QU4pVJmFxQvoZmW38 cHxk9xsw3zpbLyP5NtlDO8FBcAXNA0rPgBMBveX4HN2h/c5RJWUXdKyGKcDYYF6alwVl WBk3I5hHU+OdXSNbcMQO1T9bX0i1XH7R6l2uW7flCuKCbuHn/zmMMIhkIArw7W3XcBMc RCuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dZdPRfbT8ZcVV5RkpohPICsV++yPFBNanU1HfRuvais=; b=Q0isHvJ+2XNcwmL7Vn+fnSz5B+bNnSi3ohnMlsRe32ArZ1pwH7BREH8patji3KTRjG KJl7TXgeD6/noO6RCoPRZjsbqa23+hOiJjPYJXo4+piuHv9eeqfq5YF94XH7V+6hL8OD Z4i3cAjhpgkr8zp1VvVwVRnkM2PgkXBMNgdinljpwqBL0xZpb2q+prsu9jnvFX6p3Fjj AHfAyDeQo7/b711hgvHVezUPoldt+BtYNRmC48mEgVZIWocUcup4A5/Oe0fpkPjeM7qt t47JOPRmiDO6S9ihWcokE75qI0wcSNYqKRQK5lw8pA8v2rx1eKmbIItBP9IpEsHbO3E8 5bug==
X-Gm-Message-State: APjAAAXUwR9cQrR3JYqunrEzuwlgDDKFNKYVZ/HUcFG26/9N3Gp23X8D H3Slh2QndicdYe7dmhqhxlmhRvtkJGvS+WaGP0k2OBdC6KM=
X-Google-Smtp-Source: APXvYqzsnUdkiNQ7YJahpOWoYRlhNJpwXQPsXTlQiFoasrdeJ+V0WNqnw0FPXLr0CRaU5yPtkHBaMdtxftwtnrfapsg=
X-Received: by 2002:a2e:85d0:: with SMTP id h16mr11834630ljj.75.1574414581891; Fri, 22 Nov 2019 01:23:01 -0800 (PST)
MIME-Version: 1.0
References: <2EF412B8-AF8C-4642-9BE0-1B528B0C63D5@amazon.com> <288343F2-ACF0-43E0-8577-26AF45330E5C@forgerock.com> <CAD9ie-u_SM+1hRuBWR7zBGSi4Ex59Ht0SzoVTeFuWTRc3cFJXw@mail.gmail.com> <6DECA422-AACC-4DAA-8CD2-FF57CE02DE3E@mit.edu> <CABh6VRHoBqbQAe4U8UxXodCc8oOpOb=GRb_82gT6X9H5rp0n8Q@mail.gmail.com> <1119B3F6-01A0-4885-A352-5C719A7CDE2C@lodderstedt.net> <CABh6VRG7nZ0JhX8u8OM6cxR_2m6ZebbkCDPd_OzRHvBv2EQtkA@mail.gmail.com> <7590824B-18B6-4896-AD30-1903A86F5F0A@lodderstedt.net> <BYAPR00MB05674C455BCBA825BA6C906DF5490@BYAPR00MB0567.namprd00.prod.outlook.com>
In-Reply-To: <BYAPR00MB05674C455BCBA825BA6C906DF5490@BYAPR00MB0567.namprd00.prod.outlook.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 22 Nov 2019 17:22:50 +0800
Message-ID: <CAD9ie-tSYjq3UkTajGg8RfBYxeimFycnxWX4ruvp-AykfHw=GA@mail.gmail.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Rob Otto <robotto=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e207f40597ebf579"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RETMXueQb4HMuKZ7Fanv3zBqpXI>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 09:23:08 -0000
Another dimension on SPA is that lots of 1P deployments use only SPA. For them, there is only one type of deployment. On Fri, Nov 22, 2019 at 4:50 PM Mike Jones <Michael.Jones= 40microsoft.com@dmarc.ietf.org> wrote: > I hear you about the difference between Web apps and native apps, > Torsten. But using different mechanisms for different application types is > a cost in and of itself. > > It's good to understand the tradeoffs. > > -- Mike > > > ------------------------------ > *From:* OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt > <torsten=40lodderstedt.net@dmarc.ietf.org> > *Sent:* Friday, November 22, 2019 4:20:58 PM > *To:* Rob Otto <robotto=40pingidentity.com@dmarc.ietf.org> > *Cc:* oauth <oauth@ietf.org> > *Subject:* [EXTERNAL] Re: [OAUTH-WG] New Version Notification for > draft-fett-oauth-dpop-03.txt > > Hi Rob, > > > On 22. Nov 2019, at 16:10, Rob Otto <robotto= > 40pingidentity.com@dmarc.ietf.org> wrote: > > > > Hi Torsten - thanks for the reply.. > > > > Responses in line. > > > > Grüsse > > Rob > > > > On Fri, 22 Nov 2019 at 07:59, Torsten Lodderstedt <torsten= > 40lodderstedt.net@dmarc.ietf.org> wrote: > > Hi Rob, > > > > > On 22. Nov 2019, at 15:52, Rob Otto <robotto=40pingidentity.com@dmarc. > .ietf.org> wrote: > > > > > > Hi everyone > > > > > > I'd agree with this. I'm looking at DPOP as an alternative and > ultimately simpler way to accomplish what we can already do with MTLS-bound > Access Tokens, for use cases such as the ones we address in Open Banking; > these are API transactions that demand a high level of assurance and as > such we absolutely must have a mechanism to constrain those tokens to the > intended bearer. Requiring MTLS across the ecosystem, however, adds > significant overhead in terms of infrastructural complexity and is always > going to limit the extent to which such a model can scale. > > > > I would like to unterstand why mTLS adds “significant overhead in terms > of infrastructural complexity”. Can you please dig into details? > > > > I guess it's mostly that every RS-endpoint (or what sits in front of it) > has to have a mechanism for accepting/terminating mTLS, managing roots of > trust, validating/OCSP, etc > > You use a PKI then. We use mTLS with self-signed certs. That requires the > RS to not check the X.509 trust chain, which requires a special setting > (optionalNoCA). > > > and then passing the certificates downstream as headers. None of it is > necessarily difficult or impossible to do in isolation, but I meet many > many people every week who simply don't know how to do any of this stuff. > And these are typically "network people", for want of a better word. There > are quite a few SaaS API management and edge solutions out there that don't > even support mTLS at all. You also have the difficulty in handling a > combination of MTLS and non-MTLS traffic to the same endpoints. > > yep. You better split them, especially if that’s a user facing endpoint. > > > Again, it's possible to do, but far from straightforward. > > > > > > > > Our experience so far: It can be a headache to set up in a microservice > architecture with TLS terminating proxies but once it runs it’s ok. On the > other side, it’s easy to use for client developers and it combines client > authentication and sender constraining nicely. > > > > I do think its an elegant solution, don't get me wrong. It's just that > there are plenty of moving parts that you need to get right and that can be > a challenge, particularly in large, complex environments. > > I agree. I also tend there is a tendency to think Client TLS > authentication is bad. I understand that from historical and recent > experience with PKI. > > But anybody considering to use a application level signing solution based > on _raw_ public keys should directly move towards self-signed certificates. > That brings you all the benefits of TLS without the (PKI) headache. > > > > > > > > > > > > > DPOP, to me, appears to be a rather more elegant way of solving the > same problem, with the benefit of significantly reducing the complexity of > (and dependency on) the transport layer. I would not argue, however, that > it is meant to be a solution intended for ubiquitous adoption across all > OAuth-protected API traffic. Clients still need to manage private keys > under this model and my experience is that there is typically a steep > learning curve for developers to negotiate any time you introduce a > requirement to hold and use keys within an application. > > > > My experience is most developer don’t even get the URL right (in the > signature and the value used on the receiving end). So the total cost of > ownership is increased by numerous support inquiries. > > I'll not comment, at the risk of offending developers :) > > Alright. Ultimately, I just want to get in touch with those who respond :-) > > best regards, > Torsten. > > > > > best regards, > > Torsten. > > > > > > > > I guess I'm with Justin - let's look at DPOP as an alternative to > MTLS-bound tokens for high-assurance use cases, at least initially, without > trying to make it solve every problem. > > > > > > Best regards > > > Rob > > > > > > > > > On Fri, 22 Nov 2019 at 07:24, Justin Richer <jricher@mit.edu> wrote: > > > I’m going to +1 Dick and Annabelle’s question about the scope here. > That was the one major thing that struck me during the DPoP discussions in > Singapore yesterday: we don’t seem to agree on what DPoP is for. Some > (including the authors, it seems) see it as a quick point-solution to a > specific use case. Others see it as a general PoP mechanism. > > > > > > If it’s the former, then it should be explicitly tied to one specific > set of things. If it’s the latter, then it needs to be expanded. > > > > > > I’ll repeat what I said at the mic line: My take is that we should > explicitly narrow down DPoP so that it does exactly one thing and solves > one narrow use case. And for a general solution? Let’s move that discussion > into the next major revision of the protocol where we’ll have a bit more > running room to figure things out.. > > > > > > — Justin > > > > > >> On Nov 22, 2019, at 3:13 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > >> > > >> > > >> > > >> On Fri, Nov 22, 2019 at 3:08 PM Neil Madden < > neil.madden@forgerock.com> wrote: > > >> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle < > richanna@amazon.com> wrote: > > >>> There are key distribution challenges with that if you are doing > validation at the RS, but validation at the RS using either approach means > you’ve lost protection against replay by the RS. This brings us back to a > core question: what threats are in scope for DPoP, and in what contexts? > > >> > > >> Agreed, but validation at the RS is premature optimisation in many > cases. And if you do need protection against that the client can even > append a confirmation key as a caveat and retrospectively upgrade a bearer > token to a pop token. They can even do transfer of ownership by creating > copies of the original token bound to other certificates/public keys. > > >> > > >> While validation at the RS may be an optimization in many cases, it > is still a requirement for deployments. > > >> > > >> I echo Annabelle's last question: what threats are in scope (and out > of scope) for DPoP? > > >> > > >> > > >> _______________________________________________ > > >> OAuth mailing list > > >> OAuth@ietf.org > > >> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&reserved=0 > > > > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&reserved=0 > > > > > > > > > -- > > > > > > Rob Otto > > > EMEA Field CTO/Solutions Architect > > > robertotto@pingidentity.com > > > > > > c: +44 (0) 777 135 6092 > > > Connect with > us: > > > > > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you._______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&reserved=0 > > > > > > > > -- > > > > Rob Otto > > EMEA Field CTO/Solutions Architect > > robertotto@pingidentity.com > > > > c: +44 (0) 777 135 6092 > > Connect with > us: > > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Denis
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Paul Querna
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… David Waite
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Dick Hardt
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Rob Otto
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Mike Jones
- Re: [OAUTH-WG] New Version Notification for draft… Filip Skokan
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Rob Otto
- Re: [OAUTH-WG] New Version Notification for draft… Filip Skokan
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Mike Jones
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Dick Hardt
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Aaron Parecki
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Petteri Stenius
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Dave Tonge
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Jared Jennings
- Re: [OAUTH-WG] New Version Notification for draft… Aaron Parecki
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Richard Backman, Annabelle
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: New Versio… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: New Versio… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Rifaat Shekh-Yusef