Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
Phil Hunt <phil.hunt@oracle.com> Fri, 13 July 2012 14:39 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB7C921F87C1 for <oauth@ietfa.amsl.com>; Fri, 13 Jul 2012 07:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.623
X-Spam-Level:
X-Spam-Status: No, score=-9.623 tagged_above=-999 required=5 tests=[AWL=-0.420, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nglEmCh5ulTr for <oauth@ietfa.amsl.com>; Fri, 13 Jul 2012 07:39:37 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id E4D4321F87B2 for <oauth@ietf.org>; Fri, 13 Jul 2012 07:39:36 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by rcsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q6DEe8Nu027990 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 13 Jul 2012 14:40:09 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q6DEe71w021719 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Jul 2012 14:40:08 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q6DEe714019721; Fri, 13 Jul 2012 09:40:07 -0500
Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 13 Jul 2012 07:40:07 -0700
References: <213AE838-274D-4809-B841-CCCC51C7B3CD@gmx.net> <255B9BB34FB7D647A506DC292726F6E114F7AB4406@WSMSG3153V.srv.dir.telstra.com> <6A196EDE-3AF5-4B17-8F8D-2DA8FD9036AC@ve7jtb.com> <D5D5341E-BEFB-4CA0-9AE9-0F6160BE37DB@gmx.net> <70FA7F7B-0ED2-4CE6-986B-673CC7410937@ve7jtb.com>
In-Reply-To: <70FA7F7B-0ED2-4CE6-986B-673CC7410937@ve7jtb.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <FCC4AEAC-DC22-490C-83A1-8336ACF770EE@oracle.com>
X-Mailer: iPhone Mail (9B206)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 13 Jul 2012 07:40:04 -0700
To: John Bradley <ve7jtb@ve7jtb.com>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2012 14:39:38 -0000
At the moment there is no hok proof in the token itself. It seems to be bound in tls. The spec isn't clear yet that a token is passed in 3.2. But I assumed that is what Hannes intended. Still since there is no comment about passing the token I guessed it would essentially be a bearer token backed by a client authenticated tls. Phil On 2012-07-13, at 6:32, John Bradley <ve7jtb@ve7jtb.com> wrote: > I am not saying it is unusual in a bad way. > > Some people think of TLS client auth happening at the TLS layer. That is common in server to server connections. > > Decisions based on the client cert can happen at the app layer, as they do in SAML HoK. > > I think people have less experience with doing that though. > > John B. > On 2012-07-13, at 8:35 AM, Hannes Tschofenig wrote: > >> Hi John, >> >> authorization decisions are not made by the TLS library - they are made by the application. >> >> For example, in the HTTPS case the authorization decision that is made by the client is to compare the content of the cert with the domain part of the HTTP URI. Similar authorization decisions are being made by many applications using HTTP, see http://tools.ietf.org/html/rfc6125. >> >> So, there is nothing unusual here. >> >> >> Ciao >> Hannes >> >> >> On Jul 13, 2012, at 3:13 PM, John Bradley wrote: >> >>> It sucks for TLS hinting:) >>> >>> In principal the client needs to know what keypair to use for the TLS session before it is initiated. >>> >>> The protected resource establishes the session with client auth accepting any client key. >>> >>> The protected resource compares the client key passed in from TLS with the one in the token as part of token validation, and accepts or rejects the token. >>> >>> It is different from "normal" TLS client auth in that it is not the TLS layer making the access decision. >>> >>> John B. >>> On 2012-07-12, at 11:40 AM, Manger, James H wrote: >>> >>>>> III) Hybrid Scenario (the OAuth Holder-of-the-Key Use case) >>>>> >>>>> client_hello, >>>>> cert-receive=(X.509, Raw) // (1) >>>>> cert-send=(Raw) -> // (2) >>>>> >>>>> <- server_hello, >>>>> cert-info=(X.509),// (3) >>>>> certificate, // (4) >>>>> certificate_request, // (5) >>>>> cert-receive=(Raw) // (6) >>>>> server_key_exchange, >>>>> server_hello_done >>>>> >>>>> cert-info=(Raw), // (7) >>>>> certificate, // (8) >>>>> client_key_exchange, >>>>> change_cipher_spec, >>>>> finished -> >>>>> >>>>> <- change_cipher_spec, >>>>> finished >>>>> >>>>> Application Data <-------> Application Data >>>>> >>>>> Legend: >>>>> >>>>> (1) Client accepts to receive X.509 certs and raw public keys, in this >>>>> order of preference. (Could also be X.509 only in this example) >>>>> (2) The client does have a raw public key for client authentication. >>>>> (3) The server decides to sends his X.509 cert and indicates this in >>>>> the cert-info field. >>>>> (4) The certificate payload contains the X.509 cert. >>>>> (5) The server wants to use client authentication and sends a cert- >>>>> request. >>>>> (6) The certificate request asks for a certificate of type 'raw' >>>>> (knowing that the client supports it from (2)). >>>>> (7) The client indicates that the certificate payload contains a raw >>>>> public key. >>>>> (8) Here is the payload of the certificate itself. >>>> >>>> >>>> So the OAuth client completes a TLS handshake with a protected resource using a raw key, but the protected resource doesn't get any authorization for that raw key until it sees an access_token which appear where? In an HTTP header somewhere in the App Data some time after the TLS handshake finishes? >>>> >>>> -- >>>> James Manger >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Hannes Tschofenig
- [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Manger, James H
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley