Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Brian Campbell <bcampbell@pingidentity.com> Mon, 28 October 2019 15:32 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAB7912091C for <oauth@ietfa.amsl.com>; Mon, 28 Oct 2019 08:32:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sAeKqaURvfoS for <oauth@ietfa.amsl.com>; Mon, 28 Oct 2019 08:32:56 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD8D61208D4 for <oauth@ietf.org>; Mon, 28 Oct 2019 08:32:55 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id f5so8154101lfp.1 for <oauth@ietf.org>; Mon, 28 Oct 2019 08:32:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GR0bXEeJUl15OSIA3MTmDl86iBJDKFM1XmPqzMFFE0g=; b=bIEdiYuwFeN6oGeaa2GKpeX0ZeFcKlEY5lTrGiscimfGCi+BBz8osCwdOrAl+N42s6 Eh5Yzy+EOmVhqW+Vzq/ejFabYWfda+qtqejd+CjvSX/9sVm+Ng5RdxRqjsmbfBM4iWLw IkPD+6S6VACg5LjS8MCOKAaWUFIMA7GrCuUH4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GR0bXEeJUl15OSIA3MTmDl86iBJDKFM1XmPqzMFFE0g=; b=sS8MNTvxUJtP9OX2XOIOwNRBor4XiJzD87dfQRiJnGSSvk0DEMcCRJbcwzNm9XHUFd s/mUE9FSJA8hTV9VQUQakOmUvk8Frvy0J5//L1CnOYjvFL3ywIWBmxwG1eo0wrSNHYoV dp6CsMj451ujfdnUpq4/oF0oRuG55oaOlHX9CrLv/tKGuDYKgRinybek6meeocylNdLH 8Kj/DwSucFYdICnVDyVLCrep9IaJFo6LPqkalh4q4cVmS2ENjPeSGKgtq01ARmkz6RtQ 582A4bQ8kHrybYKiY62922+8t6j6O0rq6OKo/VuyRB+ENudOhbfJcHDVMl/NmVObyX0f K9BQ==
X-Gm-Message-State: APjAAAWT+iA+DrM1Yt6hUY+3C2s+KeFTBqDByoz8L0nfiNrEGXKGqLWP bZ1zXlcAAMGUfLFEsVLnJNoUjLHBwTXVZHhFmb4Vz1tWByZ4+/tsAOVX2Jl+4yDU+X10WpP9NK4 wk/3U4Zv00bnVTw==
X-Google-Smtp-Source: APXvYqyIzm01ot5Z9f//S7Gj+orrS+6IwWHfPQ48c7Tl12clkQoUufvU/PduEl9Sb3S6C1xZHdY0PmKXAqscN9tHIWA=
X-Received: by 2002:a19:c6d6:: with SMTP id w205mr10895560lff.17.1572276773970; Mon, 28 Oct 2019 08:32:53 -0700 (PDT)
MIME-Version: 1.0
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <CAEKOcs2gkM3Henz5nS04_EuBQXWWbJU5K02ErP0rnVZXmjxXJQ@mail.gmail.com> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com>
In-Reply-To: <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 28 Oct 2019 09:32:27 -0600
Message-ID: <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009a03490595fa3616"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VlTkbSeAPCnQw1x4K4rhTF8SeLc>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2019 15:33:02 -0000

I don't think there's anything beyond defining something to carry the
client certificate information (including the format and encoding). And it
could well be a new RFC7239 parameter. Or it might just be a new HTTP
header on its own.

On Mon, Oct 28, 2019 at 9:05 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>;
wrote:

> Thanks Brian,
>
> I guess my question is: given RFC7239 and the fact that it is
> straightforward to secure the channel between the terminating reverse proxy
> and the backend service in a cluster, is there anything, from a standard
> perspective, that we need to do beyond defining a new parameter to carry
> the client certificate information?
> You seem suggest that the answer is yes. If so, can you please elaborate
> on why is that?
>
> Regards,
>  Rifaat
>
>
>
> On Mon, Oct 28, 2019 at 8:42 AM Brian Campbell <bcampbell@pingidentity.com>;
> wrote:
>
>>
>>
>> On Sat, Oct 26, 2019 at 3:55 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>;
>> wrote:
>>
>>>
>>> On Fri, Oct 25, 2019 at 3:47 PM Brian Campbell <
>>> bcampbell@pingidentity.com>; wrote:
>>>
>>>>
>>>> I did look at RFC7239 when doing that and it could have been made to
>>>> work but felt the fit wasn't quite right and would have been more
>>>> cumbersome to use than not.
>>>>
>>>>
>>> Can you elaborate on this?
>>> These days, with the zero trust model in mind, there are orchestration
>>> tools, e.g. Istio, that easily allows you to establish an MTLS channel
>>> between the reverse proxy/load balancer/API GW and the backend servers.
>>> Why is that not sufficient?
>>> Which part is cumbersome?
>>>
>>
>> What I meant was only that in the course of writing
>> https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-09, which aims to
>> define HTTP header fields that enable a TLS terminating reverse proxy to
>> convey information to a backend server about the validated Token Binding
>> Message received from a client, it seemed more straightforward and
>> sufficient for the use-case to use new HTTP headers to carry the
>> information rather than to use new fields in the Forwarded header framework
>> from RFC7239.
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._