Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

"Salz, Rich" <rsalz@akamai.com> Tue, 29 October 2019 12:07 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0336212029C for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 05:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MB3OpWABvBZO for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 05:07:37 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2ED9120041 for <oauth@ietf.org>; Tue, 29 Oct 2019 05:07:37 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id x9TC7QKv026147; Tue, 29 Oct 2019 12:07:33 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=JCm4lgWorb+LjEMbWAQLkVYQhYx/+utp22X8uZCWZ6g=; b=QKRk5GxCh+EYck3v0J6FH1NO5N+L4A8Di78tEmSitPVEkLSpJhAyR51tYjJvSL8Fyaup 1kfmMeQwI9jp12hX4hhQnNILw/haMq6ObUHDlKnza93azuz+IcgTqTGYJ3eOgJ+3o6cq nTiCLDaEzu4IMfWeU0ze5q5Y47z6ZRyKRgYwYrxguaAK/TNsk+d08jugRgRERxcV0Pjd gXy/dp1Sf7ijrrpXOk1JRjXUceNfZxx0qR71gpUJOtYdgIRGTeST2DRmJawK8xjn/+KX qsSaaaDZCWzYmvJdinrKFvroj1/D6KZOBwvpP1Gk09sDi+xaONppyZR/kjonWjgDgDLn Og==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2vvej8pxru-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Oct 2019 12:07:33 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x9TC2k8K006907; Tue, 29 Oct 2019 08:07:32 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint2.akamai.com with ESMTP id 2vvhfwvvx0-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 29 Oct 2019 08:07:01 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 29 Oct 2019 08:05:57 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 29 Oct 2019 08:05:57 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1473.005; Tue, 29 Oct 2019 08:05:57 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: Neil Madden <neil.madden@forgerock.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
Thread-Index: AQHVi20DwSDixrsmwUqaChyBzydqk6dtvDgAgAKKHACAACgPAIAAB5+AgAAQz4D//8FmgIAAZUaA//++JYCAAWCggP//v1WA
Date: Tue, 29 Oct 2019 12:05:57 +0000
Message-ID: <4FB4BBA3-5553-4AA7-AF33-5CF1F64B1A8F@akamai.com>
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <CAEKOcs2gkM3Henz5nS04_EuBQXWWbJU5K02ErP0rnVZXmjxXJQ@mail.gmail.com> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com> <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com> <E03CD445-39E8-4262-97BE-E0EE11231A63@forgerock.com> <BE6B1D4A-26CB-42B0-89F9-88588E47E773@akamai.com> <CAGL6epKaFkOw=GaMxjSK90KxRmMsxrHe3og5704-2Ykq-aM5cg@mail.gmail.com> <045A61A9-A5E3-4700-8669-A74931D4E7FB@akamai.com> <CAGL6epJuA7+em3ODCcrCr02BRo92_yXaaDJuFwg2Yesq=iBfOg@mail.gmail.com>
In-Reply-To: <CAGL6epJuA7+em3ODCcrCr02BRo92_yXaaDJuFwg2Yesq=iBfOg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.34.45]
Content-Type: multipart/alternative; boundary="_000_4FB4BBA355534AA7AF335CF1F64B1A8Fakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-10-29_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910290121
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-10-29_04:2019-10-28,2019-10-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 bulkscore=0 mlxlogscore=999 clxscore=1015 suspectscore=0 spamscore=0 malwarescore=0 priorityscore=1501 phishscore=0 adultscore=0 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1910290122
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X6CuDUCVnyl7Gj5yJe0Hx6diZKI>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 12:07:45 -0000

I mean the cert that the ORIGINAL client presented to the proxy.

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>;
Date: Tuesday, October 29, 2019 at 7:57 AM
To: Rich Salz <rsalz@akamai.com>;
Cc: Neil Madden <neil.madden@forgerock.com>;, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>;, oauth <oauth@ietf.org>;
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Maybe I misunderstood what you meant by "client-cert". If you meant the proxy client certificate, then that is obviously not enough. You seem to suggest that you meant the remote client certificate to be installed on the proxy to be used with the backend system; if this is the case, then this would work and you would not need the signature, but the issue I see with this approach is that you need to reconfigure the proxy every time you change the client certificate, which is not practical if the certificate is short lived.

Regards,
 Rifaat


On Mon, Oct 28, 2019 at 2:55 PM Salz, Rich <rsalz@akamai.com<mailto:rsalz@akamai.com>> wrote:

  *   To avoid the misconfiguration issue Neil raised, you probably need both: a client-cert and a signature over the certificate being forwarded,

I am not so sure.  One can argue that transport-level identity should be secured by transport-level.  But installing a client certificate on a reverse proxy can be difficult.  (Not if the reverse proxy is a CDN, of course :) And I don’t see how having both prevents misconfiguration, but that might be my fault.


  *   This could still be achieve by extending RFC7239 with new parameter(s).

I have no opinion on this part of it.