[OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
toshio9.ito@toshiba.co.jp Tue, 08 September 2020 09:28 UTC
From: toshio9.ito@toshiba.co.jp
To: oauth@ietf.org
Date: Tue, 08 Sep 2020 09:28:44 +0000
Message-ID: <TY1PR01MB1466E7D4AF21EA5C56467E6AE5290@TY1PR01MB1466.jpnprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/URtvfmpNLCbjUw5QOrSRdaUe-fY>
Hi all,

In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is REQUIRED. However, there are some cases where "jwk" is not necessary in theory.

For example, consider a case where the client is registered with the Authorization Server, and its one and only public key is also registered with the AS. In that case, when the AS receives a request on the Token endpoint, it can just use the public key registered for the client to verify the DPoP Proof. There is no need to send the public key in the DPoP Proof.

The same goes for requests to the Resource Server, if the AS and RS share the storage for clients' public keys. Things are a little difficult if the AS and RS are separate. Probably the Access Token or its introspection result has to include the public key (instead of its thumbprint as described in section 7).

If the client registers multiple keys with the AS, it needs to specify which key it uses to sign the DPoP Proof. However, there is still no absolute need to send the whole key in the DPoP Proof. Instead, the client could use the "kid" header parameter to specify the key.

Daniel Fett once mentioned the above case in GitHub issue #26 [*1], but I'm not sure what happened to the discussion. There was also a comment on the latest draft about the "jwk" header parameter [*2]. I agree with using the same DPoP Proof structure for requests to the AS and RS, but I think there are some cases where we can omit "jwk" in BOTH requests. Making "jwk" OPTIONAL would allow those cases to reduce some messaging overhead.

I'd like to hear your opinions about it.

[*1]: https://github.com/danielfett/draft-dpop/issues/26#issuecomment-480701746
[*2]: https://mailarchive.ietf.org/arch/msg/oauth/smwsONA6c4H2UICcZMzb8Yv2QRc/

Best regards,
Toshio Ito

-------------
Toshio Ito
Research and Development Center
Toshiba Corporation