IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Samuel Erdtman <samuel@erdtman.se> Thu, 27 October 2016 06:00 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3915E129958 for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 23:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M5YGvoJgfBaa for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C991293EC for <oauth@ietf.org>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id e69so11317670wmg.0 for <oauth@ietf.org>; Wed, 26 Oct 2016 23:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q94kpotfGR7TOMJ8edginDAFOSz6PmRHKlSKfnSaPNU=; b=si08VuX2XVWXgX+cJU43WIEyAlvCIZux2pFP6s6K4qDsXCtjj853ZKfZymzVF17OxF boZhFgLREk7N3hsyeoCfNmHX8gWGR+SiDIexpJ3Y8kySO6P4G48yRdnUzAMfICo7Nsrk gc6uz5QwbZ7FUmWmaOkx4ACnPa5QnK4EfdzjfOCU7/VYpqJnh5IKKNeHqD3eWbFfhCEp U8QjmlDzuudM7idG9HTcHgU/1Mv1xHUt0N/bwVUOXPoPcNl73dJrxt+qbwqyf3wY86c+ hRQdBYehE2yuVhNUK4eLosNLvUjyfkALOcv9dK7e69bQ/776YFNjK0wVVW1YkN2783hy 9jLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q94kpotfGR7TOMJ8edginDAFOSz6PmRHKlSKfnSaPNU=; b=OTWV0Pc/9Tw3q5BbzHYMrN5+77my2vZwLp/xHiXrfUUpgFXkC+iytwlvy2bqAG9ZSZ 4cFtdXRs+LuCX4agv1jaCi+paI5nIg+Ppx8x3wQLrxBzQOplNxFjNoUOae1L2Tf5wQBP mht3RCkIUxBgSvqTnamingePKDSFeUk7hJrJw9euKUWJxeGyGxFx8cYgWkFhsaS5FT5C PMt0se8jQpzU6rcvNIE0kSSeRAAqfEiWisYB7+wZbw7Y1+UwaRNaR88rl3pFZgbfKdy9 wvafO1biuepo3yvg383TqAgagb66yo6gDNP5sSFVCPMOPjQrXI/PjQ4kN5h3sE1Rn8ob 0MwQ==
X-Gm-Message-State: ABUngvcJxKtG0Z3v6K3XjLMr0LI/f7Hl6JHj8L3PmwvtMbckOlkujENwR+WD4s10zp04n9TUx+ADfJjxVm/96g==
X-Received: by 10.28.2.68 with SMTP id 65mr5642885wmc.5.1477548039645; Wed, 26 Oct 2016 23:00:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.194.172.232 with HTTP; Wed, 26 Oct 2016 23:00:38 -0700 (PDT)
In-Reply-To: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com> <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 27 Oct 2016 08:00:38 +0200
Message-ID: <CAF2hCbYn5_qBTmYkeJVCtJ-0=zWdRcFfu+0cHHb4ygo6as_V6w@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a113c80200ac105053fd276c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bLmDyFA3vG8T_mG1u4pfzesh1jA>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 06:00:45 -0000

I think it is awesome that this document has been written since this is one
of the solutions that exists in the wild.

However I think that the connection to client (client_id) and certificate
could be more clearly specified, at the moment it is exemplified under
security considerations. I think there should be text saying that there
MUST be a binding and provide the default solution e.g. client_id as
subject common name.

Further I would prefer if it was not a MUST to include the client_id in the
HTTP request since I think there MUST exist a client binding in the
certificate. I think there is no need to have it explicitly in the HTTP
request. This might not be a problem for Classic OAuth but when adopted for
ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
we would like to lessen the duplicated information as much as possible.

//Samuel


On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <vladimir@connect2id.com
> wrote:

> I see. Do you reckon the AS could simply probe the likely cert places
> for containing the client_id? My reasoning is that there aren't that
> many places where you could stick the client_id (let me know if I'm
> wrong). If the AS is in doubt it will respond with invalid_client. I'm
> starting to think this can work quite well. No extra meta param will be
> needed (of which we have enough already).
>
> On 22/10/16 01:51, Brian Campbell wrote:
> > I did consider something like that but stopped short of putting it in the
> > -00 document. I'm not convinced that some metadata around it would really
> > contribute to interop one way or the other. I also wanted to get the
> basic
> > concept written down before going too far into the weeds. But I'd be open
> > to adding something along those lines in future revisions, if there's
> some
> > consensus that it'd be useful.
> >
> > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
> vladimir@connect2id.com
> >> wrote:
> >> Superb, I welcome that!
> >>
> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
> >> client-auth-00#section-5.2 :
> >>
> >> My concern is that the choice of how to bind the client identity is left
> >> to implementers, and that may eventually become an interop problem.
> >> Have you considered some kind of an open ended enumeration of the
> possible
> >> binding methods, and giving them some identifiers or names, so that AS /
> >> OPs can advertise them in their metadata, and clients register
> accordingly?
> >>
> >> For example:
> >>
> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
> >> "subject_public_key_info_match" ]
> >>
> >>
> >> Cheers,
> >>
> >> Vladimir
> >>
> >> On 10/10/16 23:59, John Bradley wrote:
> >>
> >> At the request of the OpenID Foundation Financial Services API Working
> group, Brian Campbell and I have documented
> >> mutual TLS client authentication.   This is something that lots of
> people do in practice though we have never had a spec for it.
> >>
> >> The Banks want to use it for some server to server API use cases being
> driven by new open banking regulation.
> >>
> >> The largest thing in the draft is the IANA registration of
> “tls_client_auth” Token Endpoint authentication method for use in
> Registration and discovery.
> >>
> >> The trust model is intentionally left open so that you could use a
> “common name” and a restricted list of CA or a direct lookup of the subject
> public key against a reregistered value,  or something in between.
> >>
> >> I hope that this is non controversial and the WG can adopt it quickly.
> >>
> >> Regards
> >> John B.
> >>
> >>
> >>
> >>
> >>
> >> Begin forwarded message:
> >>
> >> From: internet-drafts@ietf.org
> >> Subject: New Version Notification for draft-campbell-oauth-tls-
> client-auth-00.txt
> >> Date: October 10, 2016 at 5:44:39 PM GMT-3
> >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <
> brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <
> ve7jtb@ve7jtb.com>
> >>
> >>
> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> >> has been successfully submitted by John Bradley and posted to the
> >> IETF repository.
> >>
> >> Name:                draft-campbell-oauth-tls-client-auth
> >> Revision:    00
> >> Title:               Mutual X.509 Transport Layer Security (TLS)
> Authentication for OAuth Clients
> >> Document date:       2016-10-10
> >> Group:               Individual Submission
> >> Pages:               5
> >> URL:            https://www.ietf.org/internet-
> drafts/draft-campbell-oauth-tls-client-auth-00.txt
> >> Status:         https://datatracker.ietf.org/
> doc/draft-campbell-oauth-tls-client-auth/
> >> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-
> client-auth-00
> >>
> >>
> >> Abstract:
> >>   This document describes X.509 certificates as OAuth client
> >>   credentials using Transport Layer Security (TLS) mutual
> >>   authentication as a mechanism for client authentication to the
> >>   authorization server's token endpoint.
> >>
> >>
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> The IETF Secretariat
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/
> oauth
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.15.0 | Report a Bug | By Email