Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Brian Campbell <bcampbell@pingidentity.com> Wed, 25 March 2020 15:10 UTC


On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:

> *>4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key
> distribution is the implementer’s primary concern. MAC-based
> implementations shouldn’t be seen as some weird edge case scenario (though
> it’d be worth including some Security Considerations text calling out the
> key distribution challenges when dealing with loosely coupled ASes and
> RSes).*
>
> In the spirit of achieving the simplest, most actionable core interop
> profile, with as little left as exercise to the reader as possible, I would
> prefer to keep symmetric keys out of scope.
>
> Although you are right that MAC-based implementations have a role to play
> in the OAuth2 ecosystem, key distribution is a problem left to the
> developer to solve; and *all the sample JWT ATs I got from the providers
> I worked with were signed with discoverable keys.*
>
> Again, that doesn’t mean that MAC-based implementations shouldn’t be used:
> only that this profile focuses on a solution that is as close to turnkey as
> possible for developers, and that requests as little delta as possible to
> providers already using JWT for their ATs.
>

I'm not trying to re-litigate the decision or question consensus, but I will
ask that you don't use the justification that "all the sample JWT ATs I
got from the providers I worked with were signed with discoverable keys"
because I explicitly included several example JWT ATs in the samples that I
provided that were using AEAD symmetric encryption, which is similar to
MAC-based but with the added benefit of confidentiality of the claims
payload.

See also
https://mailarchive.ietf.org/arch/msg/oauth/DAFccKDPJRhA5Z-vLIrx7u5XU4Q/

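As an added illustration of the kind of token Brian refers to (example code written for this page, not code from the thread, the draft, or the samples he mentions), here is a JWT access token protected with direct symmetric AEAD: a compact JWE with alg `dir` and enc `A256GCM`, `typ` set to the `at+jwt` media type the profile under discussion defines. Like an HMAC-signed JWS it requires the AS and RS to share a key (the key-distribution concern raised above), but the claims payload is encrypted, so an observer holding the token cannot read it; the key and claims used in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url
// SealJWE emits a compact JWE (alg "dir", enc "A256GCM"): the AS/RS shared key is the content key.
func SealJWE(key []byte, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A256GCM", "typ": "at+jwt"})
	protected := b64.EncodeToString(hdr) // also the AAD, so header changes break the tag
	plaintext, err := json.Marshal(claims)
	block, kerr := aes.NewCipher(key)
	iv := make([]byte, 12) // 96-bit IV, fresh for every token
	if _, rerr := rand.Read(iv); err != nil || kerr != nil || rerr != nil || len(key) != 32 {
		return "", errors.New("need a 32-byte key and JSON-encodable claims")
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	n := len(sealed) - gcm.Overhead() // Go appends the 128-bit tag; JWE carries it as its own segment
	segs := []string{protected, "", b64.EncodeToString(iv), b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}
	return strings.Join(segs, "."), nil
}

// OpenJWE returns the claims JSON: alg/enc are pinned rather than trusted from the header, and
// any change to header, IV, ciphertext or tag fails the AEAD check before anything is parsed.
func OpenJWE(key []byte, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Enc string }
	raw, err := b64.DecodeString(parts[0]) // Split always yields at least one segment
	if len(parts) != 5 || parts[1] != "" || err != nil || json.Unmarshal(raw, &hdr) != nil ||
		hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return nil, errors.New("not a dir/A256GCM compact JWE")
	}
	iv, e1 := b64.DecodeString(parts[2])
	ct, e2 := b64.DecodeString(parts[3])
	tag, e3 := b64.DecodeString(parts[4])
	block, e4 := aes.NewCipher(key)
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil || len(key) != 32 || len(iv) != 12 {
		return nil, errors.New("bad key, segment encoding or IV length") // gcm.Open panics on a bad IV size
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, iv, append(ct, tag...), []byte(parts[0])) // wrong key or tampering fails here
}
```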