Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth-mtls
Brian Campbell <bcampbell@pingidentity.com> Mon, 24 June 2019 17:17 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 042AF1201CE for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2019 10:17:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DvsjtWaRfnHC for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2019 10:17:39 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5073412016A for <oauth@ietf.org>; Mon, 24 Jun 2019 10:17:39 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id w25so3264217ioc.8 for <oauth@ietf.org>; Mon, 24 Jun 2019 10:17:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ieY7lDqFLVyynWBfI2p6fIVan6ze6ikYTObQ8RkMVt0=; b=SDKkJX4y5ctitG8E+l4eF3aNTE6jbn0/1wq0cDJYU+YGpvFHR0tKWt7SJktz1OBlgy +vtPCudOD5v+eK3DHWEtsTIrY5uSRRvqSdLsNmcXf4cdlBKvrXVZP1MDIcWeG15jKYNy OwBXcNfICwC1ANjnblj4VCyta4YrjEZAyEvA8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ieY7lDqFLVyynWBfI2p6fIVan6ze6ikYTObQ8RkMVt0=; b=UJnnD3UGQOwrGmhJHgjSJQDpJ1GQRV+v3JQUEgW9V8LNZqDRdgZ4SHaKdF5O7ZFA2p KWPZRAN9eHqLagPXCdiImCbX7mjvTLGyhyJ1Rx+3N2oWzhJBz3iM4iL1VUwQTX+dxBpd BL1JkHMvrj6M5xUqZ7PLWgGa2OBAVSEq5zj+Dr+UorQid+BPoq6hC33QwL4uVZUsIcr3 WXqFFyskVklpgf2UXrxPPiQUK3l3TRSxuPsdIiderpsXbhGl6yHcXcmyggP4NDsD/tji efNUrdC4iyXeTHcYKUyKrrD329BG0UP1fIVA3Kf7eF91Qw4uOaO7AuwQBgrysAJZpEq2 z8Pw==
X-Gm-Message-State: APjAAAUnTD2pMHbC3RJSuY42hCtBzuB+q0RYBW/ecVHyr0n5kKqb9HUN uo8wUVlnLNSdmxu9xGnTCvGAkpbZiphS+7d8dz8n6hxwRDsjf/lzZ2UNn50VtRzUD9QoxQ6W75g qMDNhrUw8r1rAnPVb
X-Google-Smtp-Source: APXvYqxrMbR5WHiT59dei6YJF8OA3PuohllT0IJ2LE0MiZQu5DZK45RPXYVpitaHNWtw7Ox/QoiG12OCyXur/yk486w=
X-Received: by 2002:a02:a90a:: with SMTP id n10mr114583414jam.61.1561396658435; Mon, 24 Jun 2019 10:17:38 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC01B33A25D2@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33A25D2@marathon>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 24 Jun 2019 11:17:25 -0600
Message-ID: <CA+k3eCRmhy+o4eG-=rsuwJPsAwRx=XoqbHWHq-bNDFz_9NgT6w@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e9d7b058c14fdba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TWnyn_jfdb5jnwjAWWKjSn3YxxY>
Subject: Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth-mtls
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2019 17:17:42 -0000
Thanks for the additional review, Roman. I feel lucky, it's not often one gets *two* AD reviews :) Please see below for replies inline with a few followup questions. On Sat, Jun 22, 2019 at 12:29 PM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > I conducted as second AD review of draft-ietf-oauth-mtls per the AD > hand-off. I have the following additional feedback: > > ** Per ekr's earlier review at > https://mozphab-ietf.devsvcdev.mozaws.net/D3657, paraphrasing: > -- Section 2.1.2, How is these metadata parameters being obtained? > The authorization server can obtain client metadata via the Dynamic Client Registration Protocol [RFC7591], which is referenced in the top of that section. Also the metadata defined by RFC7591, and registered extensions to it, implies a general data model for clients that is used by most authorization server implementations even when the Dynamic Client Registration Protocol isn't in play. Such implementations typically have some sort of user interface available for managing client configuration. Dose that answer your question? Do you believe more should be said in the document to better explain or clarify that? -- Section 3.2, Figure 3. In this example, what new information is the > auth server providing to the relying party here? > The new info here (and in Section 3.1 too) is the hash of the client certificate to which the access token is bound, which is in the "cnf" confirmation method at the bottom as the "x5t#S256" member. > > ** Section 2.0. What is the expected behavior if the presented > certificate doesn't match expected client_id? How is this signaled? > With a normal OAuth 2.0 error response using the "invalid_client" error code per https://tools.ietf.org/html/rfc6749#section-5.2 Do you think that needs to be stated more explicitly in this document? > > ** Section 2.2. Per the sentence "As pre-requisite, the client registers > its X.509 certificate ... or a trusted source for its X.509 certificates > ... with the authorization server. > -- Editorial: s/As pre-requisite/As a prerequisite/ > done > -- What's a "trusted source" in this case? Is that just a jwks_uri? If > so, maybe s/a trusted source/a reference to a trust source/. If not, can > you please elaborate. > Yes, it's just a jwks_uri. I'll change that. > > A few editorial nits: > ** Section 2.2.2. Typo. s/sec 4.7/Section 4.7/ > fixed > > ** Section 3.1 Cite DER encoding as: > [X690] ITU-T, "Information Technology -- ASN.1 encoding rules: > Specification of Basic Encoding Rules (BER), Canonical > Encoding Rules (CER) and Distinguished Encoding Rules > (DER)", ITU-T Recommendation X.690, 2015. > will do > ** Section 5. Typo. s/metatdata/metadata/ > yup > ** Section 6. Typo. s/The the/The/ > got it > > ** Section 7.2. Typo. s/the the/the/ > done > > ** Appendix. Cite the figures numbers (#5 - 7) in the text describing the > contents of the section. > will do > > The shepherd write-up is in good shape. Thank you. > > Regards, > Roman > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Second AD Review: draft-ietf-oauth-mtls Roman Danyliw
- Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth… Brian Campbell
- Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth… Roman Danyliw
- Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth… Brian Campbell
- Re: [OAUTH-WG] Second AD Review: draft-ietf-oauth… Brian Campbell