IETF Logo Mail Archive

Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)

Mark Nottingham <mnot@mnot.net> Mon, 23 January 2023 03:13 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E486CC151701 for <oauth@ietfa.amsl.com>; Sun, 22 Jan 2023 19:13:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b="CA5BGcNu"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="ZtC0vilv"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mEfmXgxdV9-Q for <oauth@ietfa.amsl.com>; Sun, 22 Jan 2023 19:13:43 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 429C8C14F72D for <oauth@ietf.org>; Sun, 22 Jan 2023 19:13:43 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 1429A320055E; Sun, 22 Jan 2023 22:13:42 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Sun, 22 Jan 2023 22:13:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1674443621; x= 1674530021; bh=qPWYLoALWlFq/mAI4pvi7pRCtKYOvsF2iCIGTmzM2Ao=; b=C A5BGcNuwT4c2Lq/oTUkog/fkUxI6grPcAuwRiaKe1z3qH/NGuvjuFeRv1Xu/ipH2 ue7arK+9ebSBtT7Jm44dCAL6OQF7DpAagJz+m6bPHsrkGwjMGIoERq2BI0gE5y0x 8fxdHyVOT/3dfuv8mKEZNH203/AV7u7sbgCZJ4uXAptEoYW3G7KF1IvC0wyp53Gy u/d2nFuJWsvDB0xZnEci3AN/BqvNJgeOD3BN7j1xmzKg6j8RWl0ilM4uTm7mLKe6 e3c+UfN+V3CNqeOaeXt5QJj2908SIV/ulmRRPyGU8CHKfk3CNsyuuakukHgjGvnL kufDA2wkaXti4G06Sljug==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1674443621; x= 1674530021; bh=qPWYLoALWlFq/mAI4pvi7pRCtKYOvsF2iCIGTmzM2Ao=; b=Z tC0vilv319PMdBoU5aOjUnEvykchhHcFCE3foXd2RYAa5/kZXdsyLf/YEywkJutw GiHQY63YwfNP+G80oZQwEBRyA0chpaFABwXWtuACPk5lJdEe97vybgAFkzbQ88Bk lGx/jwp41zAk0fY3eirPaHBdC8LIFKZof18EQ7X1CNTbLl8Et+hbpB/ozaVLOoj8 bBARcUbWRKlMF2mKctb39ShWXLoMwToE0kyqniSQnJQS5SwIVKjXNS4Ouqxl4+wv SD6fUo2FhithjM5vETtdXFBvOuTpD5hpZpZFqC//3Q60/DC6TmVv4Za98+/pdZO/ gcoRcBOv1QH8SjuSpj0qw==
X-ME-Sender: <xms:ZfvNY1BTWYWT0RQY31cu23vqFzd8ujl97ergkBC-KkIj2o9B1HU40Q> <xme:ZfvNYzh1mH21jnleM4M7nOGLQjVNAgVkNHTsdAgKGlHFbD2uIHt0KKefTcs0vHi1Q 0ivM25jcxhUMsw8zQ>
X-ME-Received: <xmr:ZfvNYwmROgrNGsqoPNoInYaxW-MZ2HNc8G-uXZiO_j6nXpa4t7KbfdLG0ceVSCUNc5HihS_PYrGp1Z5pzO4Cdf0n-RA1cJ5khWFS1SvgvV_YZHaPLsSlI2sZ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedruddujedgheejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeforghr khcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuggftrfgrth htvghrnhepvedtudeluefgheeiffetieffleffheettdfhkeekiedtfeelteehheeghefg teevnecuffhomhgrihhnpehivghtfhdrohhrghdphhhtthhpfihgrdhorhhgpdhirghnrg drohhrghdpmhhnohhtrdhnvghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm pehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:ZfvNY_xCbcDEMJYThi6gc2EeQvX9oeguKkUxTExPy7qjBPFdEUApmQ> <xmx:ZfvNY6SxR50MJqIbu7CYL1QFNR-rmJfsoLjpl7oHViIp92e7MhtIqA> <xmx:ZfvNYyaXNt2bJgdAsvrdcfgSPc8KFtEsKkFQEracYHKCTI2xSFysRQ> <xmx:ZfvNY1fPEROPqkdYKfxQN9Mo9DUVV-oE6W3oZZbIRWjh5nuy_SN4Kw>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 22 Jan 2023 22:13:38 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.3\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CA+k3eCT0HN+LFkQCnfP2BhhPV=NaXaReRuV-ktA1Y=LNOsZ_qw@mail.gmail.com>
Date: Mon, 23 Jan 2023 14:13:15 +1100
Cc: Amanda Baber via RT <drafts-expert-review-comment@iana.org>, oauth@ietf.org, Roy Fielding <fielding@gbiv.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D7F6171-D53F-4F3A-B46C-CF587B2AEDCF@mnot.net>
References: <RT-Ticket-1264432@icann.org> <rt-5.0.3-41757-1674065064-1576.1264432-9-0@icann.org> <rt-5.0.3-46491-1674066633-577.1264432-9-0@icann.org> <CC85682F-99E6-4D1D-8877-A81426526429@mnot.net> <CA+k3eCT0HN+LFkQCnfP2BhhPV=NaXaReRuV-ktA1Y=LNOsZ_qw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.300.101.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ReOsiK434eiV4cLCM9VQf9mokNg>
Subject: Re: [OAUTH-WG] [IANA #1264432] expert review for draft-ietf-oauth-dpop (http-fields)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jan 2023 03:13:48 -0000

Hi Brian,

> On 21 Jan 2023, at 5:46 am, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> 
> Hi Mark,
> 
> Thanks for the review and feedback. I am aware of HTTP Structured Fields and certainly see value in it - even using it in some other work in which I'm involved. However, I'm unsure of its fit or utility for this draft. With that said, I've tried to reply more specifically to your comments inline below. 
> 
> 
> On Wed, Jan 18, 2023 at 3:32 PM Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org> wrote:
> A few things caught my eye in this document:
> 
> - Section 4.1 defines the DPoP header field as a JWT, which (as I understand it) is a base64-encoded string. If that's the case, I'd recommend making it a Structured Field Item (see RFC8941 s 3.3) with a fixed type of Byte Sequence (s 3.3.5). That will require changing the syntax to add a prefix and suffix of ":".
> 
> As Justin pointed out, a JWT is three Base64url encoded segments delimited by the `.` period character, which means it can't be a SF Byte Sequence.  As DW pointed out, a JWT just happens to always start with a letter because the first segment is always encoded JSON, so will always start with 'ey'. So the DPoP header field value does just happen to fit the SF Token syntax, But the SF Token syntax does very little regarding the validity of the JWT. 

Keep in mind that HTTP header fields are basically sets of constrained octets with weird combination rules; if you don't use SF, you should be specifying (for example) what happens when two header values (and/or fields) are present (as per below). SF does a lot of the legwork here, even if from a type system standpoint it's not a perfect fit.

That said, personally I'd deconstruct the JWT and convey it as separate binary values, so that if binary structured headers ever does catch on, it can get the perf/compactness advantages of that.


> - The DPoP-Nonce header field's syntax isn't obviously specified. It should be. I'd suggest a Structured Field Item with a fixed type of String (RFC 8941 s 3.3.3), which would surrounding the value with quotes.
> 
> ABNF syntax for the nonce value is provided at https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html#section-8-9 along with the description of its use in the DPoP exchange.

I see. It'd be better if it were explicitly called out as the syntax for the field (ideally with a section title that makes this clear), rather than making the reader do that work.


> I believe that the SF String type would accommodate the content we intended to allow servers to use for the nonce (it's basically a server chosen value that the client treats as opaque and sends back in subsequent DPoP proof JWTs). However, that would be a breaking change, which shouldn't be undertaken lightly.

Right. It really depends on how advanced deployment of this is; if there's only modest production use, it may still be reasonable to make such a change (especially keeping in mind that people who adopt drafts need to bear the consequences of doing so).


> - Neither header has interoperable parsing or serialisation specified; divergent error handling may cause interoperability problems. Adopting Structured Fields would address this.
> 
> Both are composed of a narrow set of printable ASCII with parsing, validation, usage, and error handling specified at the application layer. I'm not going to claim that it's perfect by any means. But those interoperability problems seem conjectural and it's not obvious that adopting Structured Fields would add value in the context of this draft. 

To be concrete -- what should an implementation do when it receives two DPoP header fields, both with valid values? When it receives one with two comma-separated values?


> - See RFC9110 s 16.3.2 for things that should be considered when defining new HTTP fields. I suspect that the document needs to be more explicit about at least some of these items. Adopting Structured Fields would address some (but not all) of these questions.
> 
> The authors (on-behalf-of and with the help of the WG) have endeavored to touch on all the considerations needed to ensure interoperability of the protocol overall as well as HTTP related (e.g. caching, applicability to request/response, prohibiting multiple occurrences, scope of applicability). However, the group clearly does not have your depth of HTTP expertise so may well have missed something. If that's the case, it would be very helpful for specifics to be raised. 
> 
> - See also <https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields> for the preferred editorial style when defining new HTTP fields.
> 
> - The long line-wrapped example in Section 4.1 would benefit from RFC8792 encoding. In HTTP, a line-wrapped field like the one shown has whitespace inserted between each line, which is problematic here.
> 
> This is a bit of a stylistic preference thing. That example and others in the draft are intentionally similar (with a note about line breaks and extra space being for display purposes) to closely related and referenced documents like RFC7515, RFC7519, and RFC6749. The examples from these RFCs seem to have worked well for readers/implementers in practice, and so we'd prefer to keep the formatting conventions in this draft the same as in those.

Consistency between documents that specify HTTP protocol elements is important, so I'd ask you to reconsider; while the community that has been developing and implementing the specification may already be familiar with it, aligning with other documents makes it easier for a broader audience. See, for example, the Signatures specification:
 https://httpwg.org/http-extensions/draft-ietf-httpbis-message-signatures.html#name-request-response-signature-

Cheers,


> 
> Cheers,
> 
> 
> 
> 
>> On 19 Jan 2023, at 5:30 am, David Dong via RT <drafts-expert-review-comment@iana.org> wrote:
>> 
>> Dear Mark Nottingham and Roy Fielding (cc: oauth WG),
>> 
>> As the designated experts for the http-fields registry, can you review the proposed registration in draft-ietf-oauth-dpop for us? Please see:
>> 
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>> 
>> The due date is February 1st, 2023.
>> 
>> If this is OK, when the IESG approves the document for publication, we'll make the registration at
>> 
>> https://www.iana.org/assignments/http-fields/http-fields.xhtml
>> 
>> We'll wait for both reviewers to respond unless you tell us otherwise.
>> 
>> With thanks,
>> 
>> David Dong
>> IANA Services Specialist
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email