IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and SAN

Justin Richer <jricher@mit.edu> Mon, 08 April 2019 23:49 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1107712013D for <oauth@ietfa.amsl.com>; Mon, 8 Apr 2019 16:49:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DBpGomcCRaEZ for <oauth@ietfa.amsl.com>; Mon, 8 Apr 2019 16:49:39 -0700 (PDT)
Received: from outgoing-exchange-7.mit.edu (outgoing-exchange-7.mit.edu [18.9.28.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8086E12015E for <oauth@ietf.org>; Mon, 8 Apr 2019 16:49:39 -0700 (PDT)
Received: from w92exedge4.exchange.mit.edu (W92EXEDGE4.EXCHANGE.MIT.EDU [18.7.73.16]) by outgoing-exchange-7.mit.edu (8.14.7/8.12.4) with ESMTP id x38NncpL011442; Mon, 8 Apr 2019 19:49:39 -0400
Received: from w92expo18.exchange.mit.edu (18.7.74.72) by w92exedge4.exchange.mit.edu (18.7.73.16) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Mon, 8 Apr 2019 19:49:34 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by w92expo18.exchange.mit.edu (18.7.74.72) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 8 Apr 2019 19:49:36 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1365.000; Mon, 8 Apr 2019 19:49:36 -0400
From: Justin Richer <jricher@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] MTLS and SAN
Thread-Index: AQHU6yPYm24VQsQf0UuOqTG8+b1fiqYstUSAgAADkACAAAUyAIAGFuKAgABjUAA=
Date: Mon, 08 Apr 2019 23:49:36 +0000
Message-ID: <7435DB60-3DD1-443A-89E0-9F524B0B2548@mit.edu>
References: <220488FB-C7EB-42A3-85D6-BD3756786550@mit.edu> <CALAqi_-0wXCurgqQq5=YfD0XhjeeoqPE=TX2XkDpgM2ci8E7qw@mail.gmail.com> <42790363-5D79-411C-BE4E-D99A90E36951@mit.edu> <CALAqi__--y7PZvt4N4oSukJ6PB4BMGDDGS0HN7mwMpHDCDAADA@mail.gmail.com> <CA+k3eCT39nY-4r36qbbGeW_2io5WrCpzdYSz875cbqJ7BX3ehQ@mail.gmail.com>
In-Reply-To: <CA+k3eCT39nY-4r36qbbGeW_2io5WrCpzdYSz875cbqJ7BX3ehQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [71.174.62.56]
Content-Type: multipart/alternative; boundary="_000_7435DB603DD1443A89E09F524B0B2548mitedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SmrvPzo5yBiDgBHpqusCBuoWylY>
Subject: Re: [OAUTH-WG] MTLS and SAN
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 23:49:50 -0000

Thanks for the clarifications everyone. Since I didn’t catch the one-and-only-one sentiment when reading the updates, I would recommend altering the text as follows in §2.1:


   The PKI (public key infrastructure) method of mutual TLS OAuth client
   authentication adheres to the way in which X.509 certificates are
   traditionally used for authentication.  It relies on a single subject
   distinguished name (DN) or a single subject alternative name (SAN) <deleted text> to authenticate the client. The client’s certificate chain is validated [RFC5280] and only one name value of any type is used for each client.
   The TLS handshake is utilized to validate the client's possession of
   the private key corresponding to the public key in the certificate
   and to validate the corresponding certificate chain.  The client is
   successfully authenticated if the subject information in the
   certificate matches the single expected subject configured or registered for
   that particular client (note that a predictable treatment of DN
   values, such as the distinguishedNameMatch rule from [RFC4517<https://tools.ietf.org/html/rfc4517>], is
   needed in comparing the certificate's subject DN to the client's
   registered DN).  Revocation checking is possible with the PKI method
   but if and how to check a certificate's revocation status is a
   deployment decision at the discretion of the authorization server.
   Clients can rotate their X.509 certificates without the need to
   modify the respective authentication data at the authorization server
   by obtaining a new certificate with the same subject from a trusted
   certificate authority (CA).


I think the listing of methods is clear enough as it is — but my problem was that I read the above paragraph, then jumped right into the list below for the exact fields without reading its own introductory paragraph as well.

— Justin

On Apr 8, 2019, at 1:54 PM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

Yes, the intent is that the client be configured (dynamically or statically or however that comes to be) with one and only one expected subject, which also includes the location in the certificate that subject will be. And that is checked against at authentication time.

As the writer of the questionable text in question, it does seem pretty clear to me as it is now. But as the writer, I'm also probably not well positioned to see how it could be made more clearer. So if either of you gentlemen have concrete text suggestions to help there, please send em for consideration.

On Thu, Apr 4, 2019 at 2:55 PM Filip Skokan <panva.ip@gmail.com<mailto:panva.ip@gmail.com>> wrote:
Yes.

S pozdravem,
Filip Skokan


On Thu, 4 Apr 2019 at 22:36, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
Thank you, I did miss that text. This should be called out more explicitly in §2.1, perhaps by specifying that it is only one field. This still doesn’t set precedence, but it implies that it’s an error for a client to have more than one field set of the available options. Is that your read on this as well?

— Justin

On Apr 4, 2019, at 4:23 PM, Filip Skokan <panva.ip@gmail.com<mailto:panva.ip@gmail.com>> wrote:

Justin, I had the exact same question off list and believe draft 13 clarified this.

https://tools.ietf.org/html/draft-ietf-oauth-mtls-13#section-2.1.2

A client using the "tls_client_auth" authentication method MUST use exactly one of the below metadata parameters to indicate the certificate subject value that the authorization server is to expect when authenticating the respective client.

Then it lists the different dn/san properties.

S pozdravem,
Filip Skokan


On Thu, 4 Apr 2019 at 22:20, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
We’ve just started implementation of SAN-based certificate authentication, based on the changes in version -13 of the draft. I believe this addition is a bit unclear, due to it being added so late in the document process.

My question is how does an AS determine whether to DN or SAN for certificate checking? Corollary, are these mutually exclusive or can they be used together? Currently, the specification text lists DN and SAN as an “or” with no indication whether this is an inclusive or exclusive “or”, and what to do when there’s overlap.

This has implications both for the implementation of the server processing the request as well as the client metadata model, since the client fields are all in parallel to each other. I can see a few ways of handling this.


1) One of the fields takes precedence over the other. Say for example you choose the DN field: if it’s set, then you do DN matching and ignore the SAN fields entirely, both in the cert and in the client’s registration. Inverse is true if you choose the SAN fields over the DN but the principle is the same. We should be explicit if there’s an intended precedence between these two, and even more explicit if the DN and SAN are at equal level and the AS gets to choose. We also need to be clear if it’s an error condition if both are set simultaneously, like the way that jwks and jwks_uri are mutually exclusive.
2) You set an explicit switch in your client model that says whether to use the DN or the SAN fields in comparison, and your code branches based on that to either DN or SAN processing. This could also be added as an explicit client metadata field, or it could be an internal detail. If an internal detail, we should be explicit about there not being a predefined precedence between the fields.
3) If it’s allowable to use them together, you match everything that’s set in the client, and at least one field MUST be set.


What’s the intended behavior for implementers, and should we be more explicit about this? We are starting our implementation with (1) pending the outcome of this thread, and I’d be curious to know how others are implementing this in their systems.

Thanks,
— Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email