Re: [OAUTH-WG] New OAuth DPoP and Security BCP drafts

Filip Skokan <panva.ip@gmail.com> Fri, 12 July 2019 14:51 UTC

From: Filip Skokan <panva.ip@gmail.com>
Date: Fri, 12 Jul 2019 16:51:10 +0200
Message-ID: <CALAqi_9A-jAbMJLo2FWwz9mnebJd6t6c=cM383syFwARnGtkzg@mail.gmail.com>
To: Daniel Fett <danielf+oauth@yes.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X9ri78a9M7Tezo7Kl7Nq4_cyBsk>
Subject: Re: [OAUTH-WG] New OAuth DPoP and Security BCP drafts

Hello Daniel, everyone,

I don't know if this belongs to the DPoP document itself or each respective
BCP (especially Browser-Based Apps), but one of the documents should give a
recommendation to implementers on how to

   1. generate the unique private keys per installation / browser session
   2. platform-specific storage for them (e.g. in between browser
   navigation / app launches)

I come asking for this guidance especially for the Browser-Based App use
case. I think the clear recommendation is to use the Web Cryptography API
<https://www.w3.org/TR/WebCryptoAPI/#SubtleCrypto-method-generateKey> (with
extractable: false) for (1) and IndexedDB API
<https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API> for (2),
but the more important question is how to deal with lack of those APIs in
browsers that are known to not support them or be buggy (see data in
https://caniuse.com), so

   - is it ok to use other means of generating the key when WebCrypto is
   not available?
   - is it ok to generate keys through WebCrypto (or other means) that are
   extractable and store them via other means than IndexedDB when IndexedDB
   is not available, such as a cookie or localStorage?

Best,
*Filip*
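The path the post describes, as an added example rather than code from the thread or from the DPoP draft: generate an ES256 (ECDSA P-256) key pair with WebCrypto and extractable: false, keep the CryptoKey objects in IndexedDB across navigations, and export only the public half as the JWK for the DPoP proof header. The database, store and record names are assumptions, and the code refuses to proceed when either API is missing instead of silently falling back to an extractable key.

```javascript
// Added example (not from the thread): per-session DPoP key pair via WebCrypto,
// persisted in IndexedDB. DB_NAME, STORE and KEY_ID are assumed names.
const DB_NAME = "dpop-keys";
const STORE = "keys";
const KEY_ID = "current";

// True only when the environment can generate non-extractable keys.
function hasNonExtractableKeySupport(env = globalThis) {
  return !!(env.crypto && env.crypto.subtle &&
            typeof env.crypto.subtle.generateKey === "function");
}

// True when CryptoKey objects can be persisted without exporting them.
function hasIndexedDbSupport(env = globalThis) {
  return typeof env.indexedDB !== "undefined";
}

// ES256 key pair whose private key can never be exported (extractable: false).
async function generateDpopKeyPair(subtle = globalThis.crypto.subtle) {
  return subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, false,
                            ["sign", "verify"]);
}

// Public keys are always exportable; this is the "jwk" carried in a DPoP proof.
async function publicJwk(keyPair, subtle = globalThis.crypto.subtle) {
  const jwk = await subtle.exportKey("jwk", keyPair.publicKey);
  delete jwk.key_ops; delete jwk.ext;          // keep only kty/crv/x/y
  return jwk;
}

// Promisify an IDBRequest.
function idbRequest(req) {
  return new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

function openDb(env) {
  const req = env.indexedDB.open(DB_NAME, 1);
  req.onupgradeneeded = () => req.result.createObjectStore(STORE, { keyPath: "id" });
  return idbRequest(req);
}

// Reuse the stored pair if one exists; otherwise generate and store a new one.
async function loadOrCreateKeyPair(env = globalThis) {
  if (!hasNonExtractableKeySupport(env) || !hasIndexedDbSupport(env)) {
    throw new Error("non-extractable WebCrypto keys or IndexedDB unavailable");
  }
  const db = await openDb(env);
  const row = await idbRequest(db.transaction(STORE).objectStore(STORE).get(KEY_ID));
  if (row) return row.keyPair;
  const keyPair = await generateDpopKeyPair(env.crypto.subtle);
  await idbRequest(db.transaction(STORE, "readwrite").objectStore(STORE)
                     .put({ id: KEY_ID, keyPair }));
  return keyPair;
}
```

Storing the CryptoKey objects directly relies on the structured clone of non-extractable keys into IndexedDB, so the private key material never passes through JavaScript.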


On Mon, 8 Jul 2019 at 15:30, Daniel Fett <danielf+oauth@yes.com> wrote:

> All,
>
> In preparation for the meeting in Montreal, I just uploaded a new version
> of the DPoP draft:
> https://tools.ietf.org/html/draft-fett-oauth-dpop-02
>
> Please have a look and let me know what you think. We should make this a
> working group item soon.
>
> As you might have noticed, there is also a new version of the Security
> Best Current Practice draft:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
>
> -Daniel