Re: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)

Warren Parad <wparad@rhosys.ch> Thu, 09 December 2021 13:38 UTC

References: <CAOtx8Dm_zbG-cosMELOkoDoCrJP=XGsazATSv7mLmpztj+qcvw@mail.gmail.com>
In-Reply-To: <CAOtx8Dm_zbG-cosMELOkoDoCrJP=XGsazATSv7mLmpztj+qcvw@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 09 Dec 2021 14:38:17 +0100
Message-ID: <CAJot-L3WZOd+X=p495cEmOKfArChyAAZbRu+5gFkbENVD-kKcA@mail.gmail.com>
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bxPpg2M1colAh9ZAzR0Y-F3wi7w>

Could you share a bit about the security implications that precipitate
needing to change the token type? I.e., what's the attack vector that is
closed by adding this?

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Thu, Dec 9, 2021 at 2:24 PM Dmitry Telegin <dmitryt=
40backbase.com@dmarc.ietf.org> wrote:

> The following changes to RFC 8705 have been proposed:
> - introduce a new error code (e.g. "invalid_mtls_certificate") to be used
> when the certificate is required by the AS/RS, but the underlying stack has
> been misconfigured and the client didn't send one;
> - for bound token use, change Authorization scheme from Bearer to MTLS;
> - for token response returning a bound token, change token_type from
> Bearer to MTLS
>
> See discussion:
> https://mailarchive.ietf.org/arch/msg/oauth/XfeH2q0Rwa2YocsR484xk-8LMqc/
>
> Accepting the changes would imply a new RFC and the obsolescence of the
> current one. Two questions so far:
> - what's the group's general stance on this, would that be a welcome
> change?
> - if so, could we also hear from the implementors if there are any other
> issues / suggested changes.
>
> Dmitry
> Backbase / Keycloak
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
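To make the three proposed changes concrete, here is an added example that is not part of this thread, of RFC 8705, or of any implementation named in it. It models a resource server checking a certificate-bound access token under the current RFC 8705 rules (Bearer scheme, cnf.x5t#S256 confirmation, RFC 6750 invalid_token on failure) side by side with the proposed behaviour (MTLS scheme and token_type, invalid_mtls_certificate when the token is bound but no client certificate arrived). The DER certificate bytes are constructed stand-ins, the access token is an unsigned claims dict (signature verification is assumed to happen elsewhere), and the use of invalid_request for a scheme mismatch is my own mapping to the closest RFC 6750 error, not something the proposal specifies.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates. Only the raw
# bytes matter: RFC 8705 binds a token to SHA-256 over the DER encoding.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-client-A-der-bytes"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-client-B-der-bytes"

# These two values are the proposal under discussion, NOT RFC 8705 as published.
PROPOSED_SCHEME = "MTLS"
PROPOSED_MISSING_CERT_ERROR = "invalid_mtls_certificate"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 confirmation value: base64url(SHA-256(DER)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token_response(cert_der: bytes, proposal: bool) -> dict:
    """AS token response for a certificate-bound token.

    The access token is an unsigned JSON claims object here (assumption:
    signing/verification is handled elsewhere). token_type is Bearer under
    RFC 8705 today and MTLS under the proposal.
    """
    claims = {"sub": "client-a", "cnf": {"x5t#S256": x5t_s256(cert_der)}}
    return {
        "access_token": json.dumps(claims, separators=(",", ":")),
        "token_type": PROPOSED_SCHEME if proposal else "Bearer",
    }


def parse_authorization(header: str) -> Tuple[str, str]:
    """Split 'Scheme token' into its two parts."""
    scheme, _, token = header.partition(" ")
    return scheme, token.strip()


def check_bound_request(
    header: str, client_cert_der: Optional[bytes], proposal: bool
) -> Tuple[bool, Optional[str]]:
    """RS-side check. Returns (accepted, error_code)."""
    scheme, token = parse_authorization(header)
    claims = json.loads(token)
    expected = claims.get("cnf", {}).get("x5t#S256")

    if expected is None:
        # Not certificate-bound: an ordinary bearer token, nothing to bind.
        return (True, None) if scheme == "Bearer" else (False, "invalid_request")

    required_scheme = PROPOSED_SCHEME if proposal else "Bearer"
    if scheme != required_scheme:
        # Bound token presented under the wrong scheme (assumed mapping to
        # RFC 6750 invalid_request; the proposal does not specify this).
        return False, "invalid_request"

    if client_cert_der is None:
        # Bound token but the TLS layer delivered no client certificate: the
        # misconfiguration the proposed error code is meant to surface.
        return False, (PROPOSED_MISSING_CERT_ERROR if proposal else "invalid_token")

    # Constant-time compare of the presented certificate's thumbprint with cnf.
    if not hmac.compare_digest(x5t_s256(client_cert_der), expected):
        return False, "invalid_token"
    return True, None


if __name__ == "__main__":
    for proposal in (False, True):
        resp = issue_bound_token_response(CLIENT_CERT_DER, proposal)
        header = f"{resp['token_type']} {resp['access_token']}"
        print(resp["token_type"], "same cert ->", check_bound_request(header, CLIENT_CERT_DER, proposal))
        print(resp["token_type"], "other cert ->", check_bound_request(header, OTHER_CERT_DER, proposal))
        print(resp["token_type"], "no cert    ->", check_bound_request(header, None, proposal))
```

Note the only security-relevant check is the thumbprint comparison against the presented certificate; the scheme and error-code changes in the proposal alter what the RS tells the client, not what it verifies.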