Re: [OAUTH-WG] PoP Key Distribution

Benjamin Kaduk <kaduk@mit.edu> Wed, 04 July 2018 21:47 UTC

Date: Wed, 04 Jul 2018 16:46:57 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <20180704214654.GK60996@kduck.kaduk.org>
References: <VI1PR0801MB211213D11E7820FD31218663FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com> <DM5PR00MB029359EBBE81D3899BEA34FBF5420@DM5PR00MB0293.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aa5EBflci-EMvPh-JLD8CJXUeyA>

On Tue, Jul 03, 2018 at 08:10:52PM +0000, Mike Jones wrote:
> 
> I believe that the ACE "profile" parameter is typically unnecessary and
> not in the spirit of normal OAuth.  Configuration information between
> OAuth participants is typically configured out of band and/or retrieved
> from the AS Discovery document (per the newly minted RFC
> 8414<https://tools.ietf.org/html/rfc8414>). There's no need to
> dynamically exchange a profile identifier when this is essentially always
> known in advance.  We should not include "profile".  For that matter, ACE

For what it's worth, this part of "the spirit of normal OAuth" is something
that leaves me with lingering unease.  While I do not dispute that this
sort of configuration information is usually known out of band or via
discovery, we ought to be considering the potential consequences when the
parties do not actually agree on what configuration should be in use.  An
explicit indicator makes for an easy-to-analyze "fail quickly" scenario,
whereas leaving things implicit is much harder to reason about.  And yes,
this case of easier analysis is at the cost of complexity elsewhere, so
there is a tradeoff.

-Ben
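An added illustration of the "fail quickly" argument above (example code, not from the thread or from any ACE implementation): a constructed AS and RS support only the ACE `coap_oscore` profile, while a client has been misconfigured for `coap_dtls`. Sending an explicit `profile` parameter lets the AS reject the request at the token endpoint; relying on implicit agreement lets a token be issued and the mismatch only shows up at the resource server. The error code `incompatible_ace_profiles` is the one RFC 9200 later registered for this case; everything else here is a constructed model.

```python
# Added example (not part of the thread): where does a profile mismatch
# surface, with versus without an explicit "profile" token-request parameter?
from dataclasses import dataclass

# Constructed deployment state: what the AS will issue and what the RS speaks.
AS_SUPPORTED_PROFILES = frozenset({"coap_oscore"})
RS_PROFILE = "coap_oscore"


@dataclass(frozen=True)
class TokenResponse:
    ok: bool
    profile: str = ""   # profile the token was issued for (if ok)
    error: str = ""     # OAuth/ACE error code (if not ok)


def as_token_endpoint(requested_profile=None):
    """Model of the AS token endpoint.  With an explicit profile the AS can
    refuse immediately; without one it silently picks its own default."""
    if requested_profile is None:
        return TokenResponse(True, profile=sorted(AS_SUPPORTED_PROFILES)[0])
    if requested_profile not in AS_SUPPORTED_PROFILES:
        # Error code RFC 9200 later registered for exactly this situation.
        return TokenResponse(False, error="incompatible_ace_profiles")
    return TokenResponse(True, profile=requested_profile)


def rs_accept(token_profile, client_speaks):
    """Model of the RS: the token is usable only if the client actually talks
    the profile the token (and the RS) expects."""
    return token_profile == RS_PROFILE == client_speaks


def run_flow(client_profile, explicit):
    """Return (stage where the outcome is decided, detail)."""
    resp = as_token_endpoint(client_profile if explicit else None)
    if not resp.ok:
        return ("token_endpoint", resp.error)
    if rs_accept(resp.profile, client_profile):
        return ("success", resp.profile)
    # Implicit case: the AS issued a token for a profile the client never
    # intended to use; the failure appears at the RS, far from its cause.
    return ("resource_server",
            f"token for {resp.profile}, client speaks {client_profile}")


if __name__ == "__main__":
    print("explicit:", run_flow("coap_dtls", explicit=True))
    print("implicit:", run_flow("coap_dtls", explicit=False))
```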