Re: [OAUTH-WG] New OAuth DPoP and Security BCP drafts

Paul Querna <pquerna@apache.org> Tue, 13 August 2019 03:24 UTC

Return-Path: <pquerna@apache.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A336712006A for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2019 20:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.9
X-Spam-Level:
X-Spam-Status: No, score=-14.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3bXpG95UxBI for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2019 20:24:16 -0700 (PDT)
Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by ietfa.amsl.com (Postfix) with SMTP id 96F9C12004A for <oauth@ietf.org>; Mon, 12 Aug 2019 20:24:16 -0700 (PDT)
Received: (qmail 20001 invoked by uid 99); 13 Aug 2019 03:24:15 -0000
Received: from Unknown (HELO mailrelay1-lw-us.apache.org) (10.10.3.159) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 13 Aug 2019 03:24:15 +0000
Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by mailrelay1-lw-us.apache.org (ASF Mail Server at mailrelay1-lw-us.apache.org) with ESMTPSA id 6501F84B4 for <oauth@ietf.org>; Tue, 13 Aug 2019 03:24:15 +0000 (UTC)
Received: by mail-wr1-f52.google.com with SMTP id k2so20530054wrq.2 for <oauth@ietf.org>; Mon, 12 Aug 2019 20:24:15 -0700 (PDT)
X-Gm-Message-State: APjAAAXe4fUkTbdcmzhV4hKjNuiVGbdPxBecSAgpAOWmZPt94PpJKtvK gm9YuukmLcBV1EAgWl9eQthUW6zdF3Sc2VXNCaglWA==
X-Google-Smtp-Source: APXvYqw2Wq8PaSmeNKVuKrILeEgXi+hBYM0pjPla6WuI9cmjCNd2Ze0QgxrRBuNz1Go9Bp753w7TXFwZ5ZBlqiHIrkc=
X-Received: by 2002:adf:fa01:: with SMTP id m1mr14175206wrr.254.1565666654737; Mon, 12 Aug 2019 20:24:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAHB17EwniJw9R3Cr9d_AZjaepha+UO+eBBLHYdOZNUEyt+c2Xw@mail.gmail.com>
In-Reply-To: <CAHB17EwniJw9R3Cr9d_AZjaepha+UO+eBBLHYdOZNUEyt+c2Xw@mail.gmail.com>
From: Paul Querna <pquerna@apache.org>
Date: Mon, 12 Aug 2019 20:24:04 -0700
X-Gmail-Original-Message-ID: <CAMDeyhzW=HWwQzadm3d1Xp1OiXZk=yaivwgtXFA5rn3hsV1-bw@mail.gmail.com>
Message-ID: <CAMDeyhzW=HWwQzadm3d1Xp1OiXZk=yaivwgtXFA5rn3hsV1-bw@mail.gmail.com>
To: Daniel Fett <danielf+oauth@yes.com>
Cc: oauth@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SYiXQGzUE-dsQcSL7wOLtfBF21Y>
Subject: Re: [OAUTH-WG] New OAuth DPoP and Security BCP drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2019 03:24:19 -0000

I've updated the dpop in go implementation to -02:
https://github.com/pquerna/dpop

Compared to implementing -01, because the same proof is used against
the token requests and resource server access, it did generally
simplify the implementation risk and complexity.

Getting the private key fingerprint into the Access Token or
introspect response seems like the highest barrier to wide adoption,
and not something that a dpop library can directly tackle making
easier -- but I don't have any magical ideas to make it better.

On Mon, Jul 8, 2019 at 6:30 AM Daniel Fett <danielf+oauth@yes.com>; wrote:
>
> All,
>
> In preparation for the meeting in Montreal, I just uploaded a new version of the DPoP draft:
> https://tools.ietf.org/html/draft-fett-oauth-dpop-02
>
> Please have a look and let me know what you think. We should make this a working group item soon.
>
> As you might have noticed, there is also a new version of the Security Best Current Practice draft:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> -Daniel
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth