Re: [OAUTH-WG] Digest for DPoP

Brian Campbell <bcampbell@pingidentity.com> Fri, 19 February 2021 21:51 UTC

References: <5A5EEBCB-0075-4F9E-B943-E6F142A6E84C@mit.edu>
In-Reply-To: <5A5EEBCB-0075-4F9E-B943-E6F142A6E84C@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 19 Feb 2021 14:50:49 -0700
Message-ID: <CA+k3eCSZgn_8DrUbZvDpPSsvEy1U_whWGMf-YDoUTXc8e9bMVg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YYPhnonQb1VqH4eR_F-lf7Ny3e8>
Subject: Re: [OAUTH-WG] Digest for DPoP

My inclination is to keep digest[1] out of the base DPoP document. I do
believe that including it would add unneeded complexity to regular old DPoP
(there are some subtleties around digest that make it more complicated than
one might expect) and, from a design philosophy perspective, DPoP has
always aspired to be only a proof-of-possession mechanism in and of itself
and not venture into the realm of HTTP message integrity or general
signatures.


[1] Note that the digest header is defined in RFC3230, but there's work
underway to obsolete that RFC with draft-ietf-httpbis-digest-headers-04.


On Wed, Feb 17, 2021 at 2:54 PM Justin Richer <jricher@mit.edu> wrote:

> Two different specifications (GNAP and FAPI signatures) have recently
> profiled DPoP to use its signature method to protect a different kind of
> protocol entirely. One thing these methods have in common is that they both
> define an additional field for holding a digest of the HTTP Message Body:
>
>
> https://bitbucket.org/openid/fapi/src/master/Financial_API_Simple_HTTP_Message_Integrity_Protocol.md#markdown-header-521-htd-the-digest-of-the-http-request-or-response-body
>
>
> https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-03.html#name-demonstration-of-proof-of-p
>
> Both of these have the same semantics, and we’re changing the name in GNAP
> to align with the FAPI one. This begs the question: do we want to just
> define this field as an optional component in DPoP instead of having these
> profiles do it separately? It would save them from needing to align with
> each other, and anyone else from inventing it again.
>
> Is it worth defining this in DPoP directly, or does that complicate the
> spec too much? I’ve previously raised a similar question on including a
> hash of the access token in the DPoP request to the RS.
>
>  — Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

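The body-digest field Justin describes, and Brian's point that digest is more complicated than it looks, as an added Python example that is not part of this thread or of any DPoP implementation: it assembles the DPoP proof claim set with a hypothetical `htd` claim (the name follows the FAPI document linked above) and an `ath` access-token hash (the claim name later standardized in RFC 9449), then runs the resource-server checks. JWS signing and verification with the client's key are omitted; the digest is over the exact request bytes, so anything that re-serializes the body in transit makes the check fail.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def body_digest(body: bytes) -> str:
    # Digest covers the bytes on the wire, not the parsed content.
    return b64url(hashlib.sha256(body).digest())

def normalize_htu(url: str) -> str:
    # DPoP's htu excludes query and fragment.
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def build_proof_claims(method, url, body=None, access_token=None, now=None):
    """Claim set of a DPoP proof JWT (JWS signing is left out here)."""
    claims = {
        "jti": b64url(secrets.token_bytes(16)),
        "htm": method.upper(),
        "htu": normalize_htu(url),
        "iat": int(now if now is not None else time.time()),
    }
    if body is not None:
        claims["htd"] = body_digest(body)  # hypothetical claim name, after the FAPI draft
    if access_token is not None:
        claims["ath"] = b64url(hashlib.sha256(access_token.encode()).digest())
    return claims

def verify_proof_claims(claims, method, url, received_body, seen_jti, now, max_skew=60):
    """Resource-server checks on the claim set; returns (ok, reason)."""
    if claims.get("htm") != method.upper():
        return False, "htm mismatch"
    if claims.get("htu") != normalize_htu(url):
        return False, "htu mismatch"
    if abs(now - claims.get("iat", 0)) > max_skew:
        return False, "iat outside acceptance window"
    if claims.get("jti") in seen_jti:
        return False, "jti replayed"
    # Policy of this RS: a request body must be covered by the digest claim.
    if received_body is not None and "htd" not in claims:
        return False, "body present but no digest claim"
    if "htd" in claims and claims["htd"] != body_digest(received_body or b""):
        return False, "body digest mismatch"
    seen_jti.add(claims["jti"])
    return True, "ok"
```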